The Medical Group Management Association (MGMA) reported that a national healthcare organization paid the U.S. Department of Health and Human Services Office for Civil Rights (OCR) $1.9 million for HIPAA violations after company laptops were stolen. The private health information (PHI) stored on the laptops was not encrypted, a big mistake that cost big dollars. In another stolen-laptop incident, the company involved was fined $250,000. The OCR ordered additional corrective actions for both organizations, but it was all too little, too late to prevent the breaches.
The lesson to be learned from both of these incidents is that it is your business' responsibility to take every precaution to protect your patients' PHI. That protection begins with a risk analysis.
A risk analysis can begin with a review of your hardware, software, websites, and physical locations. Take time to evaluate your existing security and the likelihood of a breach in each area of the business (hint: put stolen laptops near the top of your list).
Secondly, review your data storage systems and vendors. Portable thumb drives are another high-risk area for loss or theft. Who are the primary users of PHI inside and outside your organization? Is remote access available, or is access on-site only? What are the potential threats? Theft is just one way that PHI can be taken. Other human threats include hacking, viruses, inappropriate employee access, and simple carelessness.
Identify your office's vulnerabilities and threats with a physical walk-through, a security survey of the office, or a review of your visitor access plan. For example, do you have physical barriers that keep non-employees out of back-office areas? Do you allow off-site access or have employees who work from home? Review your administrative processes for policies and procedures, employee accountability, and training protocols. Is anti-virus software installed on your systems? Do you have visible policies and processes, such as reminders at your front desk to wait until called rather than standing behind others while they check in?
Lastly, evaluate your security controls in areas such as access restrictions on computers and websites, password authentication, staff training on preventive measures, and hiring processes that include background and reference checks. The best way to validate that these processes are being followed is to implement an audit program.
Once the threat assessment is complete, the level of vulnerability can be evaluated, which helps prioritize the tasks that lead to increased HIPAA compliance. The vulnerability rating should consider both the potential impact and how cost-effective the remediation would be.
Any organization can conduct a risk analysis to get the process started. Learn about your organization so you can be proactive on HIPAA and PHI issues. Not doing so could prove very costly, as some organizations have learned the hard way.