At first glance, you might be thinking, “There’s no way my organization is violating HIPAA law!” But the truth is it’s a lot more prevalent than we think. And the changing nature of how work is done (i.e., often from home) only makes it more common.
It’s true: protecting data and personal information regulated under the Health Insurance Portability and Accountability Act, known commonly as HIPAA, is proving to be more challenging than ever.
Yes, access to healthcare has grown exponentially through the increasing use of telehealth. But we must be conscious of the potential risks of the growing amount of HIPAA protected information in cyberspace.
This dilemma has only grown in stature when companies have more employees working from home during the pandemic.
Employees working from home present unique challenges for businesses that use data protected by HIPAA: they now need to send information usually protected on internal networks externally to their employees at home.
How can you be sure you’re not violating HIPAA law on a regular basis?
It’s tough to protect this information under the government’s current guidelines.
The Department of Health and Human Services’ Office of Civil Rights has temporarily suspended penalties for noncompliance with HIPAA rules associated with telehealth temporarily.
But the restoration of penalties will happen. So, companies must build an IT infrastructure compliant with HIPAA’s standards now.
Here are several vital points to keep in mind when considering HIPAA and your company’s information.
Violating HIPAA Law Example #1
Communication of Patient Information via Unencrypted Communications.
One of HIPAA requirements is that somebody who sends communication via email or text containing HIPAA protected information needs to send it via an encrypted communication channel.
An encrypted communication channel is challenging in a world where people want their information easily accessible through text or email.
A study published in Telemedicine and eHealth indicated that the use of text messages in healthcare is extensive, and doctors and medical professionals are regularly committing HIPAA violations.
HIPAA email rules require covered entities to implement access controls, audit controls, integrity controls, ID authentication, and transmission security must be fulfilled to do the following:
- Restrict access to Protected Health Information (PHI)
- Monitor how PHI is communicated
- Ensure the integrity of PHI at rest
- Ensure 100% message accountability, and
- Protect PHI from unauthorized access during transit
But what is encrypted communication?
Many times from a patient or medical professional’s viewpoint, it’s a barrier of access for the individual on the receiving end.
Encrypted communications need a few extra steps to ensure only those meant to see the information can.
One way providers are navigating these waters is by requesting patients’ consent to send information through unprotected channels. Although this is a legal option, it goes against the spirit of HIPAA.
The medical community are stewards of their patients’ data and this process shifts the responsibility for that stewardship. Instead, consider the use of online secure portals. They are now the most frequently used methods for secure communication.
Patient information is updated on a secure website and an email with a note saying their records have been updated is sent. The patient can then securely log in to the website to see the updates.
Violating HIPAA Law Example #2
Network Systems Prone to Intrusion
Now, a large segment of our workforce continues to work from home. That means companies continue to scale up their systems to allow remote access to their workstations. Because employees are now tunneling into these systems from an external source, they create potential cybercriminals’ entry points.
In fact, according to the Department of Health and Human Services (HHS), 17,000 patient records are breached every day. And even more shocking, 31% of all reported data breaches in 2013 took place in the healthcare sector. This was almost eight years ago and browsing the HHS website for current investigations shows it hasn’t improved.
In September of 2020, the University of Kentucky Healthcare was a victim of a Hacking/IT Incident on their network server. Ultimately, it affected 63774 individuals with personal healthcare information, and 9.7 million records were compromised. (It is important to note the owners of the servers hacked are innocent until proven guilty as it is still under investigation.)
Your IT department must establish and continuously update VPN appliances and firewalls with the most recent security patches and configurations. Implementing a multifactor authentication (MFA) on all VPN connections is another best practice to enforce.
If MFA isn’t possible, consider making sure your employees at least have strong passwords.
Protect Your Internal Communications at All Costs
Meetings that initially took place in person are now held on conference calls or video conference calls. As many of us have recently seen, these meetings are prone to intrusion from individuals generally seeking to disrupt the meeting’s content.
But, consider how easy it has been for individuals to interrupt these meetings! You can be assured others join meetings covertly to intercept valuable content.
To start protecting your business from sleuths:
- Always guard your meetings with passwords
- Ensure your digital systems get updated with the most recent security protocols
Stay up to date with cybersecurity trends in 2021! Here are five to be aware of right away.
Violating HIPAA Law Example #3
Transporting and Storing Audio Data
Something else you may not have thought of? Making sure participants working from home and participating in video conference calls don’t have an Alexa or Siri device within “hearing” distance of the meeting!
As part of the terms of service for these devices, Amazon and Apple record and send what they hear to servers for analysis and natural language speech refinement.
And the transport and storage of that data is violating HIPAA law.
It can be a scary endeavor to deal with information protected by HIPAA. After all, your business is prone to a double whammy of not just exposing valuable customer information—it may also be revealing HIPAA covered information subject to future litigation and fines.
This scenario came to a head during a 2015 data breach of Anthem when hackers potentially acquired personally identifiable information of over 78.8 million people. Anthem’s breach resulted in paying a $16 million settlement to HHS. Not to mention, over 100 private class-action lawsuits, including one case settled at $115 million.
(By the way, while you’re here you might also want to check out VPN for Healthcare Workers who work from Home – Security Risks)
How can your company avoid such massive fines for violating HIPAA law?
By having your systems and processes reviewed regularly by your IT team and your HIPAA auditors!
Your patients and clients expect that you do your best to make sure that their PHI is safe. If you’re concerned about how your information may be at risk, contact CloudNexus today for a personal consultation.
Did you learn a lot about violating HIPAA law in this post? Read these three articles next: