Compliance with HIPAA/HITECH data breach regulations requires ongoing effort. With less funding and fewer staff resources available for IT security, small practices are especially at risk. Because cyber threats come from such wide-ranging sources, a practice needs to remain aware of every known data breach source.
In addition to lost or stolen devices/drives without encryption, procedural errors also remain a concern. Data disclosed to incorrect/unauthorized personnel, improperly disposed-of devices/records, insufficient access controls, Business Associate (BA) non-compliance, and ineffective e-mail policies are all examples that have led to officially reported breaches.
A breach is not always immediately evident. For instance, for many years firms did not take into account that photocopiers frequently retain data. Removing a copy machine from a room could put decades’ worth of PHI into circulation, because the document image history is often stored on the machine’s internal drive. Practices often overlook such factors unless they consult an outside specialist for a risk assessment/audit.
Studying the officially reported breaches on record gives insight into common data breach sources:
A few key takeaways from the above directory, to prevent typical breaches:
- Devices and storage media containing any amount of PHI must always be encrypted; this applies to every device category (laptops, workstations, external hard disks, thumb drives, mobile phones, tablets, etc.). To avoid HIPAA/HITECH penalties and fines, note that a missing device does not constitute a data breach if it is encrypted to NIST specifications; a basic username/password sign-in screen does not qualify.
- Because hard copies (i.e., paper records) have no audit trail and no encryption, minimize their storage on-site; otherwise additional precautions are necessary (assigned room keys, surveillance cameras with alarms). Locking the room and building is not enough.
- Shred all documents before disposal, including hard copies and electronic records. As a rule of thumb, data “shredding” should at least meet the 7-pass DoD 5220.22-M standard.
- Maintain role-based access controls, along with updated firewalls, intrusion detection, and malware prevention software on all networked devices.
Your practice may already have experienced a data breach. Compliance with regulations should be a firm’s first focus, both to qualify for incentive payments and to avoid costly fines/damages. Precautions should aim to reduce the risk of breach from as many sources as possible. Risk analysis should factor in your practice’s level of technology as well as the nature of your PHI/data. Effective risk analysis and compliance consulting can prevent future breaches and determine the proper steps in the event of a prior breach. User error is often the weakest link, so employee training and awareness courses are also advised.
Learn more about updated HIPAA breach rules and best practices in securing electronic Protected Health Information (ePHI) by attending our webinar scheduled on August 14th.