The University of Rochester Medical Center (URMC) reported breaches – in 2013 and 2017 – after it discovered that protected health information (PHI) had been disclosed through the loss of an unencrypted flash drive, and the theft of an unencrypted laptop.
The Office for Civil Rights (OCR) determined that URMC had failed to conduct risk assessments, to implement sufficient IT security measures, and to use device, media and encryption controls. URMC was held accountable, to the tune of $3 million, plus corrective actions to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
"Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk," Roger Severino, OCR Director, said in a Nov. 5, 2019, press release from the U.S. Department of Health and Human Services (HHS). "When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect."
HIPAA Enforcement is at an All-Time High
This settlement is but one of many examples. Don’t let it happen to your organization. Healthcare leads all industries in cybersecurity attacks and data breaches. Frustratingly, most incidents originate inside the organization.
Technical, physical and administrative safeguards to protect sensitive information are mandated by HIPAA 2020. Your organization is required to complete self-audits, and to vet vendors carefully.
Don’t make the mistake of thinking your organization’s data breach will be covered by general insurance. Coverage is often contingent on performing risk assessments, which HIPAA also requires, and it’s a good idea to get help with this from an experienced third party like Emerge IT services.
HIPAA 2020 Requirements
Organizations working in healthcare must implement “reasonably appropriate” protections to secure patients’ personal health information. Reasonably appropriate protections include:
- Technical safeguards: Cybersecurity measures, such as encryption and firewalls, to protect PHI on electronic devices. All devices containing PHI need protection.
- Physical safeguards: The security of your organization’s physical property, which can include security cameras, keypad locks, unique employee access codes and alarms.
- Administrative safeguards: You must have written policies and procedures for all of your business practices and employees must be trained in those procedures.
Self-Audits Required by HIPAA in 2020
A healthcare organization must conduct six self-audits a year; a business associate must conduct five. These audits include:
- A security standards audit: Checks for compliance with HIPAA security standards.
- A security risk assessment: Reviews overall security to identify and correct gaps.
- An asset and device audit: Ensures that organizations identify all devices, and users, that access electronic protected health information (ePHI). Protections on all devices also must be listed.
- A Subtitle D audit: Determines whether procedures are in line with HIPAA breach notification requirements.
- A physical site audit: Reviews security needs and the measures in place, such as security cameras, keypad locks and alarms.
- A privacy assessment: Reviews an organization’s privacy policies to ensure that PHI use and disclosure complies with HIPAA standards.
Business Associates (BAs) Must Be Vetted
Before a healthcare organization is permitted to share PHI with business associates (BAs), it has to vet the BAs’ security measures to make sure PHI protection is in line with HIPAA standards. This can be done through a Vendor Questionnaire. If you do not vet your vendors, you can be held responsible when one of your BAs incurs a healthcare data breach.
In addition, a Business Associate Agreement, a legal document stating that each party agrees to be HIPAA-compliant -- and each is responsible for its own compliance -- must be executed or both entities will be held responsible, regardless of which one has a security breach.
Don’t Forget about Social Media
Social media is an often-missed area of HIPAA compliance concerns. Social media must be treated as another communication channel in your organization. Potential violations include: sharing patient photographs without written consent, posting rumors, or publishing any patient health information.
Consult an Expert
Cybersecurity threats in healthcare are real, and failing to comply with HIPAA standards can have costly consequences. Emerge IT services can assess all of your network and PHI cybersecurity needs. For more information, give us a call at 859-746-1030.