Are you guilty of these HIPAA violations?
(Last updated on September 26, 2019)
The Health Insurance Portability and Accountability Act (HIPAA) may be one of the most complex standards to understand, but its purpose is simple: to protect patients' protected health information (PHI) against unauthorized access. According to the 2017 Healthcare Data Breach Report from cloud access security broker Bitglass, hackers were responsible for 80% of healthcare record breaches in 2016. Your organization may be making it easy for hackers to gain access, and risking exposure of your patients, if you are doing any of the following:
- Sending PHI via email without encryption,
- Using Yahoo, AOL or free Gmail to send protected health information,
- Sharing accounts or passwords to access PHI,
- Not reviewing audit logs,
- Not training employees on HIPAA security.
Is your organization guilty of some or all of the above HIPAA violations? These are the steps you should take immediately to ensure compliance:
- Encrypt all data that contains PHI. A majority of data breaches are due to stolen or lost data that was unencrypted. When transmitting PHI, make sure it is encrypted in accordance with HIPAA standards and transmitted over a secure connection. It is also crucial to encrypt data at rest on desktop computers, laptops, tablets, smartphones and other mobile devices.
- Implement password policies that ensure strong password creation. The policies must require that passwords meet certain criteria, to protect against hackers and their tools. Specops Password Policy forbids non-compliant passwords such as usernames, incremental passwords, dictionary words and even passwords from leaked lists. This makes sure you adhere to HIPAA password requirements.
- Secure password reset procedures. When it comes to creating a secure password reset procedure, make sure you have a self-service password reset solution that leverages multi-factor authentication to verify users' identities before allowing them to reset or change their passwords, even when they are calling the helpdesk. Specops uReset is a self-service password reset solution that supports over twenty forms of authentication that can be combined, layered and weighted. The solution's flexible multi-factor authentication capability secures the password reset process by ensuring that end users have to use more than just one form of authentication (typically their old password or insecure security questions) to complete a password reset. It also saves your organization unnecessary time spent on password resets.
- Review audit logs. We've all heard stories of hackers or disgruntled former employees gaining unauthorized access to PHI and using it for illegal activities. The HIPAA Security Rule requires periodic review of audit logs. This will help you uncover unusual activity, such as an abnormally large number of patient records being accessed and retrieved in a single day.
- Schedule regular employee training. According to this study by NueMD, 36% of medical officials fail to gain an adequate understanding of HIPAA regulations. Make sure everyone who comes into contact with PHI understands the requirements of HIPAA and the consequences of not following the rules. It is also helpful to discuss some common scenarios employees might face day-to-day and the proper ways to handle them.
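To make the password-policy step above concrete, here is an added example (not Specops code, and not taken from this post) of how a policy checker rejects the four password classes the step names: usernames, incremental changes of the previous password, dictionary words and passwords from a leaked list. The 12-character minimum, the dictionary and the leaked-password list are constructed sample values; a real deployment would load full word and breach corpora and compare hashes rather than plaintext.

```python
import re
from typing import List, Optional

# Constructed sample data for illustration only; real policies load a full
# dictionary and a breached-password corpus instead of these few entries.
DICTIONARY_WORDS = {"hospital", "patient", "summer", "welcome", "password"}
LEAKED_PASSWORDS = {"Password1", "Welcome123", "Summer2019!"}
MIN_LENGTH = 12  # assumed policy parameter, not a HIPAA-mandated value


def is_incremental(candidate: str, previous: Optional[str]) -> bool:
    """True if candidate reuses the previous password with only its trailing
    digits changed or appended (Welcome1 -> Welcome2, Spring19 -> Spring20)."""
    if previous is None:
        return False
    base_new = re.sub(r"\d+$", "", candidate)
    base_old = re.sub(r"\d+$", "", previous)
    return base_new != "" and base_new.lower() == base_old.lower()


def contains_dictionary_word(candidate: str) -> bool:
    """True if any dictionary word of four or more letters appears inside
    the candidate, case-insensitively (catches Summer2019 and hospital!!)."""
    lowered = candidate.lower()
    return any(word in lowered for word in DICTIONARY_WORDS if len(word) >= 4)


def evaluate_password(candidate: str, username: str,
                      previous: Optional[str] = None) -> List[str]:
    """Return every policy rule the candidate violates; an empty list means
    the password is accepted."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("too short")
    if username.lower() in candidate.lower():
        violations.append("contains username")
    if is_incremental(candidate, previous):
        violations.append("incremental change of previous password")
    if contains_dictionary_word(candidate):
        violations.append("contains dictionary word")
    if candidate in LEAKED_PASSWORDS:
        violations.append("appears in leaked password list")
    return violations


if __name__ == "__main__":
    for pw, user, old in [("Welcome124", "jdoe", "Welcome123"),
                          ("jdoe-Clinic2019", "jdoe", None),
                          ("correct-horse-battery-42", "ahmed", "Welcome1")]:
        print(pw, "->", evaluate_password(pw, user, old) or "accepted")
```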