Wouldn’t it be great if there weren’t hackers, lost devices were always returned intact, and employees followed the rules? Unfortunately, that is not the case. Every day we are running into a growing list of HIPAA Violations, and I thought this would be a great opportunity to talk about 10 of the most common violations and provide tips for avoiding them. We are going to start-off with the first five; without further ado…
1. Lost or Stolen Devices
We frequently hear about stolen electronic gadgets, and while this is unfortunate, people compound the problem by not encrypting and password protecting these devices. While encryption is technically not required by HIPAA, we consider it your "Get Out of Jail Free" card. (Technically, encryption is considered addressable under HIPAA. Though, I've yet to see an instance where a system shouldn't be encrypted.)
According the Federal Register:
……encryption and destruction [are] the two methods for rendering Protected Health Information unusable, unreadable, or indecipherable to unauthorized individuals—or ‘‘secured’’—and thus, exempt from the breach notification obligations.
A recent example of a stolen device is a theft from Concentra Health Services. In April of 2014, they reported to OCR an unencrypted computer had been stolen from one of their facilities. This incident resulted in an OCR audit of the company's security policies for electronic devices. OCR found insufficient encryption throughout the company on a variety of electronic devices, and ultimately levied a $1.7 million dollar fine against Concentra Health Services.
“Covered entities and business associates must understand that mobile device security is their obligation,” said Susan McAndrew, OCR’s Deputy Director of Health Information Privacy on the Concentra Health Services Investigation. “Our message to these organizations is simple: encryption is your best defense against these incidents.”
Data from the “The Wall of Shame,” a database of breaches kept by OCR, shows that hacking makes up 23% of HIPAA breaches. It doesn't always have to be an elaborate scheme. Hackers are often looking for the path of least resistance and can be done many ways. Some popular methods are by exploiting a user profile with a weak password, using malware, or a software exploit like the much-publicized HeartBleed bug that was discovered last year.
There are a few easy ways to make sure your systems are less vulnerable to hacking.
- Update all passwords. Cracking weak passwords is one of the easiest ways to hack a system. Make sure you are using different passwords for all sites. This is where a password management program can come in handy. Just make sure that your master password is very difficult, and change that regularly.
- Turn on software firewalls in your operating system. For your company, a hardware firewall appliance is also a good way to restrict traffic on your network.
- Install malware-scanning software. There are many great choices out there that regularly update to look for viruses, Trojan Horses and other programs that may compromise your systems.
- Routinely update your software. You should have a regular schedule to check for updates for systems and programs. This will go a long way to patching vulnerabilities on your devices.
3. Employee dishonesty
In the past few years we’ve seen everything from owners to volunteers stealing PHI and using it for nefarious reasons, or simply accessing it out of curiosity. Whatever the reason, accessing files that you are not allowed to see is wrong and is worthy of disciplinary action. Using or selling PHI for personal gain is illegal, and you are subject to fines and prison time.
A recent example of employee curiosity was in Nebraska 2014. It was determined in a routine audit that two employees inappropriately accessed an Ebola patient’s record. They were immediately fired for this access.
In 2012, the owner of a Long Island Medical Supply company was found guilty of $10.7 million dollars of Medicare fraud and HIPAA Violations. She was sentenced to 12 years in prison and fined $1.3 million dollars.
4. Improper disposal
Did you know your photocopier could be the cause of the next HIPAA violation? Many photocopiers default to save copies on their hard drive, and if you return that copier to the leasing company without properly wiping the drive, you have a HIPAA violation on your hands. This happened to Affinity Health Plan, Inc., and they were stuck with a $1.2 million dollar fine from HHS.
Any information, whether digital or paper, needs to be shredded or destroyed so that others cannot access it. As I like to say, put a nail in it. I recommend putting a nail right through the middle of that old hard drive or thumb drive to ensure it cannot be recovered, and be sure to wipe all data from phones and mobile devices before releasing them from your business.
5. Third-Party Disclosure
Improper Disclosure of PHI to third parties finishes out part one of our Top 10 HIPAA Violations. Most businesses have Business Associates and Business Associate Subcontractors. These third party entities are responsible for protecting PHI and, with the Common Agency Provision in the HIPAA Omnibus Ruling, you are now responsible for your Business Associates’ HIPAA Compliance. Ask to see their Compliance Plans before you allow them to sign those required Business Associate Agreements. If you don’t have a Business Associate Agreement in place before you disclose information, you have a Breach on your hands.
Make sure to come back next week and see the next 5 in our list of the top 10 HIPAA violations!