Do I really need to waste my time on HIPAA?
Dental and Medical practices deal with HIPAA every day. The question is, “Do the Doctors and Staff really understand what is at stake, and why they should care?”
The original purpose of HIPAA was patient privacy. Labeling a patient’s chart with a big red flag on the outside jacket reading “HIV POSITIVE” could result in a law suit, and big fines. Since those early days, HIPAA has evolved into a Cyber Security behemoth that is impossible to manage internally unless you have dedicated full time IT Security staff. For many Dental and Medical Practices, internal IT staff is not financially feasible.
I routinely hear people using the terms ‘security’ and ‘compliance’ interchangeably. The fact is, passing a HIPAA Compliance Audit does have a lot to do with security, but keeping your patient’s ePHI both secure and readily accessible to authorized staff is the primary focus for HIPAA. Many technical safeguards are typically ignored in small and mid-sized Dental and Medical Practices. Paying attention to the policies, procedures and technical safeguards will really help protect your patient data and prevent huge fines (up to $1.5M in a calendar year) when an auditor completes their report.
HHS defines four main areas of Technical Safeguards:
- Access Control – Limiting access to those who need it to perform their job duties. For instance clinical staff typically don’t need access to financial data.
- Audit Controls – Capability of knowing who is accessing your information, when, and for what purpose.
- Integrity Controls – Awareness of the data integrity. Has it been falsely modified or corrupted? Are there Backups onsite and offsite? Are the backups tested, and are they encrypted?
- Transmission Security – Do you still send emails to other practices with unencrypted patient information, x-rays as an attached file, or other unencrypted attachments?
Here are a few of the dozens of REQUIRED technology safeguards:
- Anti-virus/spy software – ALL computers – Advanced Persistent Threat Protection helps protect from Zero-Day internet-based intrusion attempts
- Authentication – ALL computers – A secure password policy outlines specific gaps, such as not sharing passwords and enabling multi-factor authentication
- Data Encryption – ALL internet-capable devices – Encrypts data before transmission over the internet. Especially critical on mobile/portable devices
- Data Firewall – ALL locations – Installing an off-the-shelf device is NOT enough. Firewalls are required to be Monitored and Managed
- Remote wipe capability: This tool can permanently delete data stored on a lost or stolen mobile device, minimizing the possibility of a data breach.
- Auditing Software – ALL computers – Monitors usage and reports on any changes to hardware systems, data files, user accounts, ePHI content, and more.
When there is a breach, and there will be a breach, how will your office handle the after-effects?
Unfortunately, data breaches are a painful reality in today’s world. The hackers are targeting medical practices like yours. We work to protect the safety and security of your doctor, your practice, and your patients.
Before you dismiss getting serious about Compliance and Security, seriously consider:
- Individual patient records can bring more than $100 each on the black market. Hackers are motivated by money and are after ePHI wherever they can steal it – from large hospitals and small private practices alike.
Just 500 patient records can yield a hacker $50,000 or more. Investing a little time to research your practice and formulate a successful plan of attack to steal your patient records can prove quite profitable for the attacker.
Small practices are easy “soft targets” for hackers since they typically don’t have adequate prevention, detection, recovery and reporting capabilities. How many patients are in your database?
- Data breaches make the news. Your professional reputation will be affected by the breach. How long have you worked to build that reputation? How many patients can you afford to lose to bad publicity?
- Who will you call if the FBI knocks on the door and asks to see your HIPAA Security Documents – Your “IT Guy”? Does he seem like he knows HIPAA Security & Compliance?Is he working to protect you, your practice, your patients? Has your “IT GUY” ever mentioned HIPAA?
- Would you even know if your office had a data breach? How would you know? Does your staff know what to look for? Most computer and network security breaches – even in large corporations – go un-detected for up to 200 days.
- What is the procedure in YOUR office for reporting a breach, and to whom?
I challenge you to ask yourself and your staff to explain how you would identify a security breach. Or would you be unaware until the FBI calls or knocks on your door?
Call today to learn more about moving your practice toward security and compliance.
Security Risk Assessment, Compliance, and Managed IT Services from the leader – Action DataTel
Let us worry about your computers & networks so you can focus on managing your business!
~ Technology Management
~ Information Consulting
~ Security & Compliance