[BreachExchange] Uncovering hidden holes in your HIPAA compliance

Audrey McNeil audrey at riskbasedsecurity.com
Wed Nov 2 19:09:23 EDT 2016


http://www.beckershospitalreview.com/healthcare-information-technology/uncovering-hidden-holes-in-your-hipaa-compliance.html

Most healthcare facilities have ironclad HIPAA policies. They implement the
administrative, technical and physical safeguards that HIPAA requires to
ensure the integrity and confidentiality of electronic protected health
information (ePHI).

And yet, with the rise of electronic health records and the increased usage
of mobile devices, there has never been a more important time to take a
closer look at enhancing a HIPAA compliance program.

Even with the best HIPAA training and most thought-out planning, there may
be holes healthcare facilities don't even realize exist. Below are four
potential risks healthcare professionals should consider when reviewing
their policies.

1. Web contact forms or appointment forms
In the world of healthcare, there is often confusion regarding which web
contact forms need to be HIPAA compliant. And because of that uncertainty,
many contact or appointment forms are not compliant. If you are a HIPAA
covered entity (regardless of the facility's size), all of your web forms
should be HIPAA compliant.

Here's why:

When collecting contact or appointment request information on an online
form, there are often free text areas where patients can include additional
pertinent information. Patients assume the form is secure and may describe
their condition or treatment there, which means the form is now collecting
and storing ePHI whether or not it was designed to.

For example, if your online appointment request form includes a text field
for a brief explanation of the reason for the appointment, a patient may
state, "I urgently need to make an appointment because I had a bad reaction
to the pain medication I'm using."

2. Patient review forms
Healthcare facilities and professionals often give patients the opportunity
to review their care through patient satisfaction surveys or review forms.
If those forms contain open, free-form text space, rather than requiring
specific answers, patients may inadvertently share ePHI while offering
thoughts on their experience.

As with appointment and contact forms, review forms need special care
because a patient who is reviewing a physician or facility could reveal
protected information. For instance, someone giving a review of a physical
therapist may offer up how kind the therapist was after learning about the
patient's cancer diagnosis.

3. Social media and advertising
Using social media is still new in healthcare, so many organizations have
yet to adopt or integrate a social strategy into their current healthcare
marketing and advertising efforts. This is largely because they are fearful
of how it could impact patient privacy and HIPAA compliance. Social media
and advertising are public by nature, so the risks are real.

Any advertising or posting on social media sites that contains even the
slightest hint of patient information could be a violation. For example,
if a plastic surgeon posts before and after photos of a patient's procedure
or a dermatologist posts a photo of a patient's skin condition, the
patient's identity could be revealed. Even if a social post or
advertisement only contains half of the patient's face, that person might
be recognizable to family or close friends, violating his or her privacy.
Full-face photographs and comparable images are among the identifiers HIPAA
lists, so such a post requires the patient's written authorization, not just
the removal of the name.

4. Email or text confirmations
Confirmations of doctor's appointments or prescriptions via phone, text or
email should contain as little identifying information as possible. While
the HIPAA Privacy Rule does allow a physician to communicate with patients,
including to confirm appointments, the physician should take precautions to
protect patients' privacy and disclose only the minimum necessary.

For example, when leaving a voicemail for a patient, the physician should
limit the message to just the information necessary to confirm an
appointment time or request that the patient call the physician's office.

Safeguarding Patient Information
One way healthcare facilities can ease the pain and uncertainty around
HIPAA compliant forms is to streamline the process through a HIPAA
compliant form builder. This type of software allows for easy collection
and storage of ePHI in a HIPAA compliant manner. It also allows for the
secure management of information across multiple touchpoints, including
doctors, administrative staff and other stakeholders. Note that a third-party
form vendor that stores ePHI on your behalf is a business associate and must
sign a business associate agreement (BAA) before it handles patient data.

Regardless of technological advancements, a patient's health information
must be handled with the utmost care and concern for privacy. And it's up
to those working in the healthcare industry to make sure respect for
privacy progresses along with the technology.