HIPAA Compliance and Mistakes:

Let's just say what everyone is thinking: trying to be compliant with the Health Insurance Portability and Accountability Act (HIPAA) is tough! At HIPAAgps, we get that. We also get the importance of HIPAA compliance in protecting patient and client health information while providing the most efficient health care possible. We care about you and your patients, which is why we created the HIPAAgps online compliance platform and this guide to help you get on the road to becoming and staying HIPAA compliant.

The primary goal of HIPAA is to allow for increased health care efficiency while making sure that organizations secure Protected Health Information (PHI), and thus reduce the risk of breaches of that information. HIPAA compliance requires active and ongoing effort from everyone who works in or with your organization and handles PHI. This includes your Privacy and Security Officer(s), Business Associates, management, employees, and sometimes even maintenance personnel. Each role within your organization, and each of your business associates, presents different risks that you must manage to protect PHI, prevent breaches and protect your organization from severe penalties.

To help your organization begin minimizing these risks and gain a better understanding of what the HIPAA standards require, we have compiled a list of 10 major HIPAA mistakes that occur in organizations, cause breaches, and ultimately lead to monetary penalties. Penalties for non-compliance with the HIPAA standards and for breaches can reach up to $1.5 million. We don't want breaches or fines to happen to your organization, and we know that you don't want them either, so check out this guide, and then visit us at HIPAAgps.com to get on the road to HIPAA compliance.

1. Writing down passwords and leaving them easily accessible

Too often, employees write down their passwords on a sticky note or some other piece of paper, and then leave the note in an unsecured drawer, an easily accessed personal notebook, or, even worse, sitting on their desk. The point of a password-protected account is to allow access only to specified personnel who have been granted permission. By writing down a password and placing it in an easily accessible place, the employee hands a key to secured areas of your organization to whoever finds the note. To address this issue, encourage employees to use password manager apps that keep their passwords in an encrypted application, or have them store the passwords in an encrypted file on their work or personal device. At minimum, ensure that any written note is stored in a locked file within a locked room. Although it can be difficult to remember all the different passwords for different accounts, it is critical that your organization require employees to protect their passwords and your systems. You can and should document this requirement within your Password policies and procedures, as required by the HIPAA standards.

2. Leaving health records open to public view

People are curious by nature, so leaving a paper health record open at the front desk where patients check in, or a laptop containing PHI sitting open where passers-by can sneak a peek, is asking for a breach. Expect wandering eyes. If one of your employees accidentally leaves a patient's file in the hospital cafeteria, there is a high likelihood that an unauthorized individual will have snuck a glance. Your organization would have to report the incident as a breach to the Office for Civil Rights (OCR) and the Department of Health and Human Services (HHS), which could result in a fine. Even if, to the best of your knowledge, the person who viewed the material did nothing with it, your organization would still have to report it. Your organization is responsible for protecting PHI from those wandering eyes. When paper or electronic health records are left open, unauthorized people have the opportunity to see PHI, and if they do, it's a breach. To address this, instruct your employees to take precautions to protect PHI from unauthorized views and remind them that they are responsible for safeguarding the PHI they're given. A few recommended requirements include: turning paper documents over in public places, like a receptionist's desk, when not in use; facing computer screens away from the public or using privacy screens; and keeping paper health records on their person while in use and securely stored when not in use.

3. Walking away from an unlocked computer

Similar to leaving records out in the open, leaving a computer unlocked when stepping away enables anyone who comes along to access your organization's system. This could cause a very extensive, problematic breach, especially if an employee walks away leaving his or her computer unlocked with PHI applications open. Access to your electronic records system could easily lead to a breach affecting more than 500 individuals, which, under HIPAA regulation, requires that you report the breach to all of the affected individuals, the Office for Civil Rights (OCR), and the media. Talk about bad publicity. Remind your employees that they will be held liable if something is inappropriately accessed on their account. They need to know that even though locking the computer for a quick bathroom run may seem silly, it's far from it. Serious breaches can happen in that amount of time, and they could lose their job because of it. It's also important to have automatic logoffs in place, but they should only be a failsafe, not a trusted go-to safeguard. Employees should always lock their computers when stepping away. It's a simple practice, but it's often overlooked.

4. Not using encryption and/or remote-wipe capabilities on mobile devices

Proper precautions like encryption and remote wiping for mobile devices are crucial. Many organizations have been caught in a breach because they did not have these safety measures in place. They had mobile backup devices or flash drives with patient data on them, and they either lost the devices or had them stolen. The real issue here is not that the device was lost or stolen, although preventing that scenario should be a top priority; the real issue is that they did not encrypt the device, so now anyone can access the PHI it contains. Consequently, the organization has to assume that the PHI was accessed, forcing them to notify the OCR of a breach. Also, there are usually multiple patient records on one device, which can easily lead to a media firestorm. The organization then loses patient trust and pays a penalty for the breach. To protect against this scenario, always encrypt everything that stores, accesses, or transmits ePHI. If possible, use remote-wipe capabilities to sanitize the device when it's misplaced or stolen.

5. Lack of tracking for mobile devices

An easy way to set your organization up for real trouble is by not keeping an inventory of your mobile devices. Lack of tracking can open your organization to the liability of a breach. If someone takes a flash drive with PHI, but no one knows where it went, your organization must assume there is a breach of PHI. This is another risk that can be easily managed. Implement sign-in and sign-out sheets. Also, make sure that employees know that if something happens to any PHI-holding device while it is checked out under their name, they will be held responsible. By using the inventory process and a check-out procedure, you can protect your organization from a very avoidable situation. Plus, you will be able to show an auditor that you did implement a proper HIPAA mobile-device inventory and that you know who the responsible employee is. Having and knowing this information can help minimize the penalties in case of a mobile-device breach.
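The sign-out sheet and "assume breach" rule from items 4 and 5 can be kept as a small inventory ledger. The following is an added example and not HIPAAgps code; every device ID, employee name and timestamp in it is constructed. It records who has each PHI-holding device, flags devices that are out longer than allowed, and, when a device is reported lost, applies the guide's rules: a PHI device that is unencrypted, or that nobody can account for, is treated as a breach. How an encrypted device with a known custodian is classified is an assumption here (it is escalated to the Privacy Officer rather than closed automatically).

```python
"""Mobile-device inventory with a check-out procedure (added example).

Not HIPAAgps code. Device IDs, employee names and times are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Device:
    device_id: str
    kind: str                               # "flash drive", "laptop", "backup drive"
    holds_phi: bool
    encrypted: bool
    custodian: Optional[str] = None         # employee the device is signed out to
    checked_out_at: Optional[datetime] = None


class Inventory:
    """Sign-in/sign-out sheet: every device is either on the shelf or
    checked out to exactly one named employee."""

    def __init__(self) -> None:
        self.devices: dict[str, Device] = {}
        # Audit trail an auditor can be shown: (time, action, device_id, employee)
        self.log: list[tuple[datetime, str, str, str]] = []

    def register(self, device: Device) -> None:
        self.devices[device.device_id] = device

    def check_out(self, device_id: str, employee: str, when: datetime) -> None:
        d = self.devices[device_id]
        if d.custodian is not None:
            raise ValueError(f"{device_id} is already checked out to {d.custodian}")
        d.custodian, d.checked_out_at = employee, when
        self.log.append((when, "out", device_id, employee))

    def check_in(self, device_id: str, employee: str, when: datetime) -> None:
        d = self.devices[device_id]
        if d.custodian != employee:
            # Only the responsible employee may return it; accountability stays unambiguous.
            raise ValueError(f"{device_id} is checked out to {d.custodian}, not {employee}")
        d.custodian, d.checked_out_at = None, None
        self.log.append((when, "in", device_id, employee))

    def overdue(self, now: datetime, limit: timedelta) -> list[str]:
        """Devices out longer than the allowed window: the first sign of a missing device."""
        return [d.device_id for d in self.devices.values()
                if d.checked_out_at is not None and now - d.checked_out_at > limit]

    def report_missing(self, device_id: str, reported_by: str, when: datetime) -> dict:
        """Classify a lost/stolen report using the guide's rules."""
        d = self.devices[device_id]
        responsible = d.custodian if d.custodian is not None else "UNKNOWN"
        # Unencrypted PHI, or PHI nobody can account for: assume the PHI was accessed.
        assume_breach = d.holds_phi and (not d.encrypted or responsible == "UNKNOWN")
        if assume_breach:
            action = "treat as breach; begin notification process"
        elif d.holds_phi:
            action = "escalate to Privacy Officer for breach determination"  # assumption
        else:
            action = "no PHI on device; record the loss only"
        self.log.append((when, "lost", device_id, reported_by))
        return {"device_id": device_id, "holds_phi": d.holds_phi, "encrypted": d.encrypted,
                "responsible_employee": responsible, "assume_breach": assume_breach,
                "action": action}


def demo() -> dict:
    """Constructed scenario: an unencrypted PHI flash drive goes missing while signed out."""
    inv = Inventory()
    inv.register(Device("USB-001", "flash drive", holds_phi=True, encrypted=False))
    inv.register(Device("USB-002", "flash drive", holds_phi=True, encrypted=True))
    inv.register(Device("USB-003", "flash drive", holds_phi=False, encrypted=False))
    t0 = datetime(2015, 6, 1, 9, 0)
    inv.check_out("USB-001", "j.doe", t0)
    inv.check_out("USB-002", "a.smith", t0)
    inv.check_in("USB-002", "a.smith", t0 + timedelta(hours=2))
    late = inv.overdue(t0 + timedelta(days=2), timedelta(hours=24))
    lost = inv.report_missing("USB-001", "j.doe", t0 + timedelta(days=2))
    return {"overdue": late, "lost": lost, "log_entries": len(inv.log)}


if __name__ == "__main__":
    print(demo())
```

The log is the evidence the guide says you want to show an auditor: who had the device, when, and what was decided once it was reported missing.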

6. Throwing PHI in the trash rather than disposing of it properly

To start, let's first make sure that we are all on the same page with this issue: PHI materials, paper or electronic, should never be simply tossed into the trash. Proper disposal procedures must be followed. This is another mistake that many organizations have made. Someone throws PHI in the trash, which is easily accessible to the public, and someone else gets their hands on it and uses it for nefarious purposes. For example, a ruthless paparazzi reporter who has been stalking a celebrity that comes to your office digs through your trash, finds a patient note about the celebrity that details their recent diagnosis, and then posts a story about it. That is most definitely a breach, one that could not only have serious consequences from the OCR, but could also lead the celebrity to sue for breach of privacy and for damage to their reputation. You could also run into identity theft and fraud allegations if you are not careful to follow proper disposal procedures. Your organization must be very clear about what your disposal procedures are, and you must have a policy and procedure document detailing this information to meet the HIPAA standards. Make sure that your workforce members know your procedures and agree to follow them. Your organization must ensure that all PHI materials are disposed of properly, which may require shredding or media sanitization.

7. Leaving doors unlocked or door keys accessible

Although this may seem like a given, it can often be the cause of a breach, since it is so easy to forget the importance of this security measure. Once again, your organization must protect PHI from those wandering eyes. By not locking the doors, or by leaving the key in the door or filing cabinet, PHI becomes susceptible to a breach. For example, a nurse practitioner working at an elderly care facility left her key to the PHI cabinet sitting on her desk. When she returned to get the key, it was gone, and a PHI file cabinet had been opened. Even though no files were missing, the organization had to report the incident as a breach. Avoid this situation by ensuring that all doors are locked and keys are not left accessible. You can require that your workforce members keep their keys on them while working and securely stowed while not in use. An unlocked door or a key lying on a desk presents serious breach risks that your organization can easily avoid. You have to inform your workforce members of the importance of protecting their keys. It should be common sense, but without a sense of urgency about protecting their keys and PHI, an employee could easily make a simple mistake that leaves your organization vulnerable.

8. Sharing or using PHI without paying attention to surroundings

Caregivers in organizations are often the culprits of these mistakes, but it can also be an issue in clerical settings. You never know what people will pick up from a conversation. If you're a doctor and you need to share treatment information with a surgeon, you should be aware of your surroundings and take all reasonable and appropriate steps to safeguard PHI as you disclose the information. In this case, that may mean speaking quietly so that the other patients and doctors walking along the hospital's hallway don't overhear you. Basically, to protect patient confidentiality, be aware of your surroundings. Speak to coworkers in a quiet voice so that you are less likely to be overheard. If possible, converse behind closed doors, or in a secluded area away from other people.

9. Using social media improperly

Increased risks of unauthorized disclosure come with many aspects of our digital age, like social media. Employee use of social media can lead to breaches and major issues for organizations. Too often, employees post work-related information online without checking for PHI first. For example, an employee may wish simply to extend well-wishes to a neighbor by posting something like: "One of my neighbors came into the office for surgery today. Please pray for a speedy recovery for her." Even when a PHI post is made with the best intentions, it's still a breach. Your employees must leave it to the individual to determine if and how his or her PHI should be shared. It is important that your organization inform your employees of what constitutes PHI, and that you have policies and procedures in place that address social media and other Internet-use issues. Remember, if the information shared can in any way identify a person and relate that person to your facility, treatment or any other HIPAA-defined characteristic, then it's an unauthorized disclosure and a breach. Many organizations choose to take a firm stance that prohibits sharing any work-related information on social media. Some also restrict picture-taking at the office because there is always the chance that PHI could be caught in the background and then posted online. Using the HIPAA standards, your organization must determine the best social media policy for you.

10. Clicking links in emails

This is a common social engineering attack and a mistake that leads to many breaches. Oftentimes, multiple employees will receive the same email, which appears legitimate. It will contain a link to something that most people would be interested in, like a funny video or an offer for something free. It is designed to be tempting and to lure people into clicking the link. However, the link doesn't provide what the recipient thought it would; instead, it loads malware onto their computer. Through the malware, an attacker now has access to your system and can view PHI and steal it for whatever purpose he or she wants. To combat this electronic attack, inform your employees of how to handle suspicious emails and unknown links. If they receive a suspicious email or feel unsure about an email link, they should immediately notify your IT department or their supervisor. Many times, they will not be the only one to receive the link, so quickly passing the information along throughout the organization is important to mitigate the risk of a breach.
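Item 10 tells staff to report suspicious links to IT; the checks IT (or a mail filter) can run on such a report can be shown in code. The following is an added example and not HIPAAgps code. The HTML email body and the allow-list of trusted domains are constructed for illustration, and the ".example" hostnames are placeholders. It pulls every link out of the message and flags the three defender-side signals a practitioner looks for first: the visible link text names one host while the href points at another, the href host merely contains a trusted domain name as a lookalike, and the href host is not on the organization's trusted list.

```python
"""Flag suspicious links in an email before anyone clicks them (added example).

Not HIPAAgps code. The sample email and TRUSTED_DOMAINS are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: domains the organization expects staff to receive links for.
TRUSTED_DOMAINS = {"example-clinic.org", "hhs.gov"}

URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Enough for a demo; production code
    should consult the Public Suffix List instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse_links(html: str) -> list[dict]:
    """Return one finding per link, with the reasons it looks suspicious (if any)."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        parsed = urlparse(href)
        host = parsed.hostname or ""
        dom = registered_domain(host) if host else ""
        if parsed.scheme not in ("http", "https"):
            reasons.append(f"non-web scheme '{parsed.scheme}'")
        # Signal 1: the text the reader sees points somewhere other than the href.
        shown = URL_IN_TEXT.search(text)
        if shown:
            shown_host = urlparse(shown.group(0)).hostname or ""
            if registered_domain(shown_host) != dom:
                reasons.append(f"text shows {shown_host} but link goes to {host}")
        # Signal 2: a trusted name embedded in an untrusted host (lookalike).
        for trusted in TRUSTED_DOMAINS:
            if trusted in host and dom != trusted:
                reasons.append(f"lookalike: '{trusted}' inside {host}")
        # Signal 3: destination domain is simply not one the organization trusts.
        if host and dom not in TRUSTED_DOMAINS:
            reasons.append(f"untrusted domain {dom}")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


# Constructed sample message: one lure, one legitimate link, one lookalike.
SAMPLE_EMAIL = """
<p>Hi team, watch this funny video: <a href="http://videos.free-prizes-now.example/v/123">click here</a></p>
<p>Patient portal: <a href="https://portal.example-clinic.org/login">https://portal.example-clinic.org/login</a></p>
<p>Reset: <a href="https://example-clinic.org.secure-login.example/reset">https://portal.example-clinic.org/reset</a></p>
"""

if __name__ == "__main__":
    for f in analyse_links(SAMPLE_EMAIL):
        print(("SUSPICIOUS " if f["suspicious"] else "ok         ") + f["href"], f["reasons"])
```

Flagged links are exactly the ones the guide says employees should forward rather than click; running the same check on the copies other staff received shows how far the same lure has spread.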

The Road to HIPAA Compliance: Remember, it is your organization's responsibility to protect PHI. Your patients and clients are trusting that you will care for their information. HIPAA compliance requires that you meet several standards to protect PHI, and missing even the smallest regulation could result in a breach and serious consequences for your organization. Don't fall prey to these mistakes! Make sure that your organization has the necessary policies and procedures in place, and that all of your organization's workforce members are aware of their roles in safeguarding PHI. To find out more about the many HIPAA requirements and how to become and stay HIPAA compliant, visit our website at HIPAAgps.com. We want to help your organization perform and keep track of your HIPAA compliance risk assessments, documents, employee training, business associate agreements and so much more. Let us help you get on the road to HIPAA compliance!

© 2015 HIPAAgps, LLC. All rights reserved.