The compliant HIPAA organization, is it a myth or a reality? In this article, I wanted to cover, at a high level, what you need to know if you manage or own a medical facility. As of December of 2016, there have been over 150,500 HIPAA complaints against medical facilities in the US. With each complaint there are typically a multitude of other violations and patients who are unhappy because they believe regulations were not followed.
2016 was the biggest yet for monetary settlements under the Health Insurance Portability and Accountability Act’s (HIPAA) privacy and security rules and it is said that 2017 is keeping pace. The U.S. Department of Health and Human Services (HHS) announced 12 such settlements in 2016, averaging nearly $2 million.Organizations such as PrivacyRights.org educate patients about their rights and how to file a complaint. Each patient can "blow the whistle" about HIPAA violations, regardless of accuracy.
When someone files a complaint, the process is as follows:
News stories about violations and multi-million dollar fines are common.
Is your practice secure? If you are reading this and other articles on HIPAA compliance, you’ve taken the first steps.
This video review the basics of HIPAA, along with a few tips:
There are three areas of concern in HIPAA compliance, including:
- Administrative Safeguards - Assignment of a HIPPA security compliance team.
- Physical Safeguards - Protection of electronic systems, equipment and data.
- Technical Safeguards - Authentication & encryption used to control data access
Step 1 - Build Your Team
What should your team look like?
To be compliant, your team will need to:
- Perform ongoing risk analysis of the administrative, physical and technical safeguards.
- Utilize risk management methodologies to reduce vulnerabilities and risk.
The first person on your team is an officer who is responsible for maintaining and enforcing the HIPAA standards within the organization.
The team will also include an:
- Executive level sponsor who reports to the board on HIPAA compliance.
- A managerial leader, to drive through business and political red tape.
- Someone who will evangelize the need for HIPAA compliance.
- One or more technical experts who have the technical expertise to recommend, maintain and enforce HIPAA standards.
Step 2 - Security Hardening
In network parlance, hardening is the practice of securing a hardware and software system. HIPAA compliance is about hardening more than just the technology. At its simplest, the team ensures that physical access to the data is blocked. Are the doors to the server room closed and locked down? Are computer screens placed physically in such a way that data can't be seen by anyone other than the medical professional and the patient.
There are three weak spots in any network.
- Workstations and computer screens
- Media (wires or wireless communication to the main servers
- The physical servers where the data is stored
The technical team members should be familiar with the tactics in securing data at each of these three points. Technical checklists will enforce regular review (both automated and manual reviews), but not limited to, these areas:
- Hardware, software and data transmission security
- Disaster Recovery including backup planning and testing
- Incident response to changes to systems
- Logging and reviewing patient record Information access
- Auditing mechanisms for software, hardware and data control
Step 3 - Culture of Compliance.
Technical compliance is the simplest part. Members of the team will become evangelists of HIPAA compliance. The team will own the vision, messaging, processes, reporting and the culture of patient data protection.
The team you put together will be more than just a technical team. This will also be a business team. The team will carry out a cultural change that supports a vision of patient security.
If HIPAA is a concern, you can contact me here. I welcome your call or email. We can talk about your team, software or processes and how they may be limiting your revenue growth.
If you are interested in assessing common security issues, you can use our new 15-Minute Technology >