The evolving threat of HIPAA risks are a challenge for many healthcare providers.
To reduce the risk of breaches and security threats, HIPAA’s Security Rule specifies 5 Technical Safeguards to protect electronic patient health information and the systems that access it. While some of the safeguards are assessed for internal use, most of the standards are required for HIPAA compliance.
It’s best to avoid potential risks and implement the following procedures:
1. Access Control
Access Control helps healthcare providers create procedures for how their practice accesses their patient management software and records.
What You Can Do:
- Assign a unique employee login and password to identify and track user activity
- Develop procedures for protecting data during an emergency like a power outage or natural disaster
- Set up an automatic log off at workstations to prevent unauthorized users from accessing the machine
- Encrypt and decrypt data to prevent access to data by unauthorized users & programs
When implementing access control procedures, everyone must follow or risk a violation. For example, UnityPoint Health-Allen neglected to follow their access control procedures. An unauthorized employee gained access to personal patient information through the hospital’s electronic health record system. As a result, the hospital had to notify 1,620 patients of the incident, causing downtime and losing patient trust.
2. Audit Controls
Monitoring activity in systems which use electronically protected health information (ePHI) is required by HIPAA. Additionally, practices need a policy for regularly reviewing audit records to ensure activity (logins/log offs, file accesses, etc.) on those electronic systems is appropriate.
What You Can Do:
- Install a system to monitor ePHI
- Regularly review audit records
- Adjust policies as needed
Recently, Memorial Healthcare System (MHS) had to pay $5.5 million for their HIPAA violations because employees had improperly disclosed 114,143 patients’ personal information to a third party physician.
MHS failed to regularly review records of information system activity on applications which maintain electronically protected health information by workforce users and users at affiliated physician practices.
3. Integrity
Practices must use reasonable measures to authenticate electronic patient information to ensure it is not destroyed or altered in an unauthorized manner.
In a 2016 settlement, St. Joseph Health paid $2,140,500 million for HIPAA violations after installing a new server and accidentally giving the public access to their patient health records.
The company failed to evaluate and assess the risk of a new server, potentially altering the integrity of more than 31,800 individuals.
What You Can Do:
- Identify security measures to confirm the status of ePHI
- Use software with automatic data integrity testing capabilities
- Update policies when significant changes occur (new location, new software)
4. Authentication
HIPAA requires that a person who wants to access the data must be the person they say they are. Often practices use a two-step verification process to ensure only authorized users can gain access.
However, a 2015 study conducted by the Office for the National Information Technology, showed only 49% of hospitals are employing two-step HIPAA authentication.
What You Can Do:
- Require a two-step authentication process
- Implement specialized e-signature software
- Use phone/voice authorization
5. Transmission Security
Practices need to protect unauthorized access to data transmitted electronically.
First, by ensuring the data is not improperly modified without detection, and second, to encrypt protected health information whenever deemed appropriate.
Horizon Blue Cross Blue Shield of New Jersey recently had to pay $1.1 million in fines for failing to encrypt their data, resulting in 690,000 plan members affected.
What You Can Do:
- Use security measures and encryption to ensure ePHI is not modified without detection
- Assign appropriate authentication to employees and business associates
- Assess personal devices and email
- Track authenticated users through audit controls
Can You Afford the Cost of a Security Breach?
HIPAA is a complex process to manage. If you’re not utilizing HIPAA’s technical safeguards, then you may be putting your practice and patients at risk.
To help healthcare providers better understand HIPAA and the potential risks, we’ve created a free HIPAA Simplified Webinar Series.
If you’re concerned about your current technology and data practices, contact us to learn more about solutions for HIPAA compliance.
