Here at Compass, we have seen a huge upswing in the number of HIPAA / HITECH risk assessments we have conducted over the last year. Covered entities (doctors, hospitals, pharmacies) and health plans obviously store PHI (protected health information) and ePHI (electronic protected health information) on behalf of patients; however, there has also been a huge upswing in assessments of “Business Associates”. According to the Health and Human Services website, a business associate is “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity”. Because everything from IT support to call center management is now outsourced, many companies encounter both PHI and ePHI as part of their work, and their clients are asking that they go through a HIPAA risk assessment.
During these assessments, we look at how the organization stores, processes, accesses, and uses data. We sit down and go over the steps and best practices required to be HIPAA compliant. However, there are several areas where we consistently see gaps. The following are five areas to avoid (or correct, if you recognize them in your company) if you are looking to be HIPAA compliant:
- Information within email – This is probably the biggest one we come across, and the most troubling. In many cases this isn’t patient contact, but reports and communication between providers and staff. Emails are almost always insecure, and easy to compromise. Remember that most email is backed up, which means you will also be storing this information wherever your backups are stored. A good rule is never to use email to communicate PHI. If you must, the files should be encrypted and properly protected.
- Voicemails and call recordings – Very similar to email, but almost always overlooked. Call recordings and voicemails that contain PHI are subject to the same laws and regulations as database files and servers. Protecting these files with encryption and proper access controls is crucial to prevent a breach. Even better is to avoid recording PHI altogether if possible.
- Contingency and breach plans – HIPAA has guidelines on whom to notify, and how, in the event of a security breach or incident. One of the first items we ask for is an incident response plan, and it is one of the things most organizations lack on paper. Creating a simple plan of what to do in the event of a security event (such as a virus or ransomware) or breach can save hours, expedite fixing the issue, and speed the return to normal operations.
- Printouts and working documents – I was in an office where part of the duties was to take PHI from one source and enter it into another system. To do this, staff would print out the information to use as a working document. Because there could be a lag time between entries, the printouts were stored under a desk where anyone would be able to grab them. Remember that physical documents need to be secured when not in use (think locked drawers and filing cabinets) and should be destroyed with a cross-cut shredder when no longer needed.
- Not properly securing remote devices and access – While email may be the item we see most often, this one potentially has the biggest impact. In this day and age, many of us work from home or from places other than the office. We have all heard stories of stolen laptops and lost data, but it keeps happening. One critical control to have in place is encryption of the hard drives (and removable media such as USB sticks) of every device, so that if a device is stolen the data is difficult to access. The other concerns remote access: always use a VPN tunnel to access corporate files and resources. The VPN tunnel encrypts the traffic between the device and the company. And make sure that the VPN uses multi-factor authentication. Many compromises come from guessed or stolen passwords; requiring a token or other factor at login prevents easy social engineering attacks.
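The first gap above (PHI sent over email) is one that can be checked for mechanically before a message leaves the organization. The following is an added example and is not code from Compass or from this post: it parses a few constructed email messages with Python's standard `email` module, looks for common PHI indicators (an SSN-shaped number, an "MRN" medical record number, a "DOB" date of birth), and reports which messages would break a "no PHI over email" rule. The sample messages, addresses, identifiers and regular expressions are all assumptions made for the illustration; a real deployment would tune the patterns to the organization's own identifier formats and run the check at the mail gateway or inside a DLP tool.

```python
"""Added example (not from the Compass post): a minimal PHI-in-email check.

Scans constructed email messages for common PHI indicators and reports
the ones that appear to carry PHI. All messages, addresses, identifiers
and patterns below are assumptions made for this illustration.
"""
import re
from email import message_from_string
from email.message import Message

# Constructed sample messages (no real patients, no real domains).
SAMPLE_MESSAGES = [
    """From: scheduler@example-clinic.test
To: billing@example-clinic.test
Subject: Tomorrow's appointments

Jane Doe, DOB 03/14/1975, MRN 00412233 is in at 9am for follow-up.
""",
    """From: it@example-clinic.test
To: staff@example-clinic.test
Subject: Password policy reminder

Please rotate passwords by Friday. No patient data in this note.
""",
    """From: billing@example-clinic.test
To: claims@example-payer.test
Subject: Claim correction

Patient SSN: 123-45-6789 (please update the claim).
""",
]

# Indicator patterns as (label, compiled regex) pairs. These are assumed
# formats; tune them to the identifiers your organization actually uses.
PHI_PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("mrn", re.compile(r"\bMRN\s*:?\s*\d{6,10}\b", re.IGNORECASE)),
    ("dob", re.compile(r"\bDOB\s*:?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE)),
]


def message_body(msg: Message) -> str:
    """Return the plain-text body of a parsed message (multipart-aware)."""
    if msg.is_multipart():
        parts = []
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                payload = part.get_payload(decode=True) or b""
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
        return "\n".join(parts)
    payload = msg.get_payload(decode=True)
    if payload is None:
        return str(msg.get_payload())
    return payload.decode(msg.get_content_charset() or "utf-8", "replace")


def find_phi_indicators(raw_message: str) -> dict:
    """Scan one RFC 5322 message (body and subject) and return the indicators found."""
    msg = message_from_string(raw_message)
    text = message_body(msg) + "\n" + (msg.get("Subject") or "")
    hits = {label: pattern.findall(text) for label, pattern in PHI_PATTERNS}
    return {label: matches for label, matches in hits.items() if matches}


def flag_messages(raw_messages) -> list:
    """Return (subject, indicators) for every message that appears to carry PHI."""
    flagged = []
    for raw in raw_messages:
        indicators = find_phi_indicators(raw)
        if indicators:
            subject = message_from_string(raw).get("Subject", "")
            flagged.append((subject, indicators))
    return flagged


if __name__ == "__main__":
    for subject, indicators in flag_messages(SAMPLE_MESSAGES):
        print(f"FLAG: {subject!r} -> {indicators}")
```

Run as a script it flags the first and third constructed messages and leaves the password reminder alone. Pattern matching of this kind produces false positives (any nine-digit number with dashes looks like an SSN), so in practice the result is a review queue or a trigger for enforced encryption rather than an automatic block; the point is that the "no PHI in email" rule in the post is something you can measure, not only something you can ask staff to remember.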
Achieving HIPAA compliance involves quite a bit of effort and hard work to ensure that information is protected and that staff understand how and why certain actions must be taken. Closing the gaps in these areas will not only help you on your way; they are all excellent general security practices as well!
For more information on how Compass can assist your organization with HIPAA Compliance, please contact us or download our HIPAA Services brochure below! Also, feel free to drop us a question or comment on how you handle HIPAA Compliance at your organization in the comment section below!