Healthcare organizations in the 21st century must optimize two different subsets of technology to be successful. The cutting-edge equipment required for diagnosing and treating patients is one, and the network of computers used for managing patient data is the other. And while faulty heart monitors and insulin pumps can be catastrophic, failing to meet HIPAA compliance requirements can be disastrous, too, as in the case of Hartford Hospital.
HIPAA has been in effect since 1996, so hospitals, clinics, doctor’s offices, nursing homes, and all other “covered entities” are aware by now that they need to secure patients’ Protected Health Information (PHI). But are you aware of all the different areas of IT where things can go wrong, resulting in penalties and expensive lawsuits? Are you aware that the State of Connecticut has ruled that patients may now sue any healthcare provider they believe violated their privacy rights?
Managing PHI to ensure it never gets compromised and you never get sued isn’t hard to do. Your staff, especially your IT personnel, simply need to be cognizant of the fact that cyberthreats are rife and patient data resides on numerous devices on your network. The following list is by no means comprehensive, but it highlights five of the most common HIPAA compliance blunders your people need to avoid.
1. Losing Devices
When an employee of a data analysis firm outsourced by Hartford Hospital carried a laptop home from the office, nobody thought much of it. Until their home was broken into and the laptop -- along with 8,883 patient records -- was stolen, subjecting them to a $90K fine. That’s not exactly the same as “losing” a device, but it demonstrates just how vulnerable mobile data can be.
2. Accessing PHI from Home Computers
Given the rise in popularity of cloud computing, healthcare employees connecting to their office networks remotely via personal devices is prevalent. With respect to HIPAA compliance, the main issue is that those devices may not be as safe as company-managed ones which have been outfitted to meet PHI cybersecurity requirements. A second issue is that home computers can be accessed by people who aren’t authorized to see PHI.
3. Leaving Hospital Computers Unattended
Workplace safety takes on a whole new meaning when HIPAA is involved. You could think of it as workstation safety, particularly in large hospitals where there can be hundreds of PCs and laptops rolling around public areas on carts. All it takes for a PHI violation to occur is for a doctor, nurse, patient, or visitor to glance at the wrong screen or snap a well-timed, well-positioned selfie to put your organization at risk.
4. Not Wiping Copy Machine Hard Drives
Many healthcare organizations lease copy machines through a service provider who also handles hardware upkeep. This gives them access to the hard drives where records of every scan and copy are kept in memory. So before returning your rented machines -- and possibly even before a technician comes to perform routine maintenance -- the hard drive data should be deleted, or you could be exposing thousands of PHI files.
5. Improperly Emailing PHI
It is possible to email PHI and remain in full compliance with HIPAA, but there are strict rules to follow. Chief among them is ensuring PHI emails are encrypted, which takes a bit of expertise and hands-on management to pull off. You also have the option of sending unencrypted PHI emails, but that would require even more work informing every patient of the risks and obtaining explicit, expressed consent.
Besides email, does your organization communicate with patients using SMS or any other text messaging applications? If so, beware that the requirements for texting PHI compliantly are even more strenuous than emailing, and that intercepting text messages is easier.
In the first quarter of 2018, 1.13 million patient records were exposed in 110 PHI breaches nationwide, and if the breakdown was anything like 2017’s, the causes were evenly distributed between insiders’ errors or wrongdoing, hackers’ exploits, and loss or theft. What this means for healthcare organizations going forward is that not only must IT be optimized for HIPAA compliance, but employees must be trained and trained and trained some more. Charles IT is Connecticut’s leader in both of these key areas of PHI safety, so if you have any questions get in touch today.