[BreachExchange] Top 10 Ways Your Healthcare Organization May be Violating HIPAA and Not Know It

Audrey McNeil audrey at riskbasedsecurity.com
Wed Dec 20 10:22:08 EST 2017


http://resources.infosecinstitute.com/top-10-ways-healthcare-organization-may-violating-hipaa-not-know/

HIPAA (the Health Insurance Portability and Accountability Act) was enacted
by the US federal government in 1996. Its rules and standards are designed
to protect the security and privacy of patient health information. They set
national requirements for organizations and individuals to put in place
technical, physical and administrative safeguards that maintain the
confidentiality, integrity and availability of protected health information
(PHI).

Most HIPAA violations are accidental and come down to ignorance of the
rules; therefore, it is critical that your organization is aware of the
potential risks. Here are the top 10 ways your company may be violating
HIPAA without knowing it.

The Top Ten Ways Your Organization Might Be Violating HIPAA

1. The Lack of HIPAA Awareness Education.

HIPAA violations occur when employees have not been sufficiently trained in
all areas of the law. One of the easiest and most proactive ways to avoid a
violation is continuous training of employees throughout the year.

HIPAA training requirements are extensive, and they are often a source of
confusion for organizations. HIPAA does not mandate a specific length of
training; a common recommendation is to keep each privacy and security
session to around 20-40 minutes, so that the information is retained and
applied by all employees.

2. Employees Unknowingly Revealing Confidential Patient Information to
Third Parties.

Discussing patient information with friends, or with co-workers who are not
involved in the patient's care, is a significant HIPAA violation that can
lead to a steep fine. Employees must be mindful of their surroundings and
limit conversations about patients to the workplace and to those with a
need to know, to avoid substantial penalties.

3. The Venue in Which Confidential Medical Information Is Accessed and
Viewed.

Clinicians commonly use their laptops or home computers after hours to
access patient information, for follow-ups and to record notes. If the
screen is left open and a family member accidentally sees this confidential
data, a HIPAA violation has occurred. Make sure that laptops and computers
are password protected, lock the screen whenever you step away, and keep
all other devices out of reach, to reduce the risk of patient information
being stolen or accessed by unauthorized individuals. Two Factor
Authentication (2FA) is recommended for logging in; note that 2FA protects
against stolen or guessed passwords but does nothing for a session left
unlocked, so an automatic screen lock after a short idle period is also
essential.

4. The Misuse and Mishandling of Medical Records.

One of the most common HIPAA violations is the mishandling of patient
records. Written patient information is sometimes left on a chart in an
exam room, giving other patients access to it. All printed or written
medical records should therefore be kept out of public view.

5. Fully Understanding Disclosure Requirements and When Consent Is Needed.

Any use or disclosure of PHI beyond treatment, payment and healthcare
operations (the uses the HIPAA Privacy Rule permits without authorization)
generally requires the patient's written authorization. If an employee has
any doubt, it is best to obtain authorization before any information is
released, to ensure that HIPAA regulations are being adhered to.

6. Storing Medical Information on Unauthorized Smartphones.

A HIPAA fine may be issued if patient information is accessed through an
unauthorized smartphone, desktop or laptop. Because of their small size,
mobile devices are extremely vulnerable to loss and theft. Every precaution
should therefore be taken to control access to patient information (such as
passwords or PINs, single sign-on solutions and 2FA), and device storage
should be encrypted so that a lost or stolen phone does not expose the PHI
stored on it.

7. Revealing Medical Information at the Wrong Time and in the Wrong Place.

It is quite common for patient information to be disclosed accidentally in
a social situation. Medical practitioners should therefore be prepared not
to reveal patient information at any kind of social gathering or event.

8. Texting Patient Information Without the Use of Encryption.

An easy way to pass information quickly is to send a text message
containing test results or vital signs from an authorized smartphone.
However, this puts patient information at risk: standard SMS is not
encrypted end to end, so anyone who can read the traffic in transit can read
the message. A messaging application that encrypts messages end to end
allows medical practitioners to exchange confidential medical information
safely, but it must be installed on the authorized devices of both parties;
a message sent to a recipient without it is still exposed.

9. Illegal Access to Patient Files by Unauthorized Employees.

Employees may access patient information only when authorized to do so, and
only for the records their role requires. Accessing records without
authorization is illegal and can lead to a substantial fine. It should also
be noted that individuals who sell or use PHI for personal gain are putting
themselves at risk of a fine or prison time.
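Unauthorized access of the kind described in item 9 is usually found by reviewing the access audit log, which the HIPAA Security Rule requires covered entities to keep. The following Python script is an added example, not code from the original article: it reads a constructed pipe-delimited audit log and flags three patterns, an action the user's role does not permit, a clinician reading a patient who is not on their care list (record snooping), and a user touching many distinct patients in a short window. The log format, the role table and the care-team roster are hypothetical and exist only for the illustration.

```python
"""Audit-log review for unauthorized PHI access.

Added example (not from the original article): it checks constructed
audit records against a hypothetical role table and care-team roster.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# What each role may do with a patient record (hypothetical policy).
ROLE_PERMISSIONS = {
    "physician": {"view_clinical", "update_clinical"},
    "nurse": {"view_clinical", "update_clinical"},
    "billing": {"view_billing"},
    "it_support": set(),   # administers systems, never reads PHI
}

# Which patients each clinician is currently assigned to (hypothetical roster).
CARE_TEAM = {
    "dr.chen": {"P-2002"},
    "nurse.kim": {"P-1001", "P-2002"},
}

# Roles that need a treatment relationship before reading a record.
CLINICAL_ROLES = {"physician", "nurse"}

# Constructed audit lines in the form: timestamp|user|role|patient|action
AUDIT_LOG = """\
2017-12-20T08:01:10|nurse.kim|nurse|P-1001|view_clinical
2017-12-20T08:05:42|billing.ray|billing|P-1001|view_billing
2017-12-20T08:07:03|billing.ray|billing|P-1001|view_clinical
2017-12-20T08:20:19|dr.chen|physician|P-2002|view_clinical
2017-12-20T08:21:00|dr.chen|physician|P-3003|view_clinical
2017-12-20T12:30:00|it.sam|it_support|P-2002|view_clinical
2017-12-20T12:30:05|it.sam|it_support|P-2003|view_clinical
2017-12-20T12:30:09|it.sam|it_support|P-2004|view_clinical
2017-12-20T12:30:14|it.sam|it_support|P-2005|view_clinical
"""


def parse_log(text):
    """Parse pipe-delimited audit lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "role": role, "patient": patient, "action": action,
        })
    return events


def review(events, window=timedelta(minutes=5), max_patients=3):
    """Return (user, patient, reason) findings for every suspicious access."""
    findings = []
    recent = defaultdict(list)  # user -> (timestamp, patient) seen inside the window

    for ev in sorted(events, key=lambda e: e["ts"]):
        user, role = ev["user"], ev["role"]
        patient, action = ev["patient"], ev["action"]

        # 1. The role itself does not permit this action on a record.
        if action not in ROLE_PERMISSIONS.get(role, set()):
            findings.append((user, patient, f"role '{role}' may not {action}"))

        # 2. Clinician reading a patient who is not on their care list.
        elif role in CLINICAL_ROLES and patient not in CARE_TEAM.get(user, set()):
            findings.append((user, patient, "no treatment relationship"))

        # 3. Many distinct patients in a short window, whatever the role.
        recent[user] = [(t, p) for t, p in recent[user] if ev["ts"] - t <= window]
        recent[user].append((ev["ts"], patient))
        distinct = {p for _, p in recent[user]}
        if len(distinct) == max_patients + 1:   # report once, on crossing the threshold
            findings.append((user, patient, f"{len(distinct)} patients in {window}"))
    return findings


if __name__ == "__main__":
    for user, patient, reason in review(parse_log(AUDIT_LOG)):
        print(f"{user:12} {patient}  {reason}")
```

The role check and the care-list check are deliberately separate: the first catches a billing clerk opening clinical notes, which no policy permits, while the second catches a clinician who is entitled to read clinical notes in general but has no relationship with this particular patient, the classic "looking up a neighbour or celebrity" case. The volume check is a crude backstop for accounts, such as the IT user here, that are not supposed to touch PHI at all and for credential theft; in practice the thresholds would be tuned to the unit's normal workload.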

10. Using Social Media to Share Medical Information.

It is essential that all employees are made aware that posting pictures or
sharing patient information on social media platforms is a severe HIPAA
violation. Healthcare companies should adopt explicit rules that sharing or
posting medical information on social media sites is strictly forbidden, as
it can lead to substantial financial penalties.

Preventative Measures

Identity thieves go to great lengths to locate patient information. A
properly destroyed medical record is therefore one that has been rendered
indecipherable and unreadable and cannot be reconstructed. As a result,
many healthcare providers and hospitals have adopted the use of shredding
services, which come in two forms.

Mobile shredding. This makes use of box trucks equipped with industrial
shredders. The medical records are destroyed on site, in the presence of a
representative of the practice.

Once the shredding has been completed, the company provides a formal
certificate of destruction, documenting that the destruction was carried
out in line with HIPAA and the Fair and Accurate Credit Transactions Act
(FACTA).

Offsite shredding. A truck collects the documents and transports them to a
secure offsite shredding facility. After the medical records have been
shredded, the same type of certificate is issued.

Take Away

The security and privacy of patient health information should be the utmost
priority for all medical professionals. You can prevent violations by
conducting regular HIPAA training. HIPAA requirements should also be built
into company policies and procedures so that they become ingrained in the
everyday corporate culture.