Healthcare News & Insights

Security breaches: How protected is your organization?

HIPAA violations can cost healthcare organizations between $50,000 and $2.3 million. But those fines aren’t only because of health information breaches. 

477089257Out of all the HIPAA cases the government has reported, half of them were because organizations couldn’t show they’d taken preventive security measures ahead of time and were complying with HIPAA regulations.

Some of those protective measure include having written HIPAA policies and procedures, risk assessments or HIPAA training certificates for employees. If your facility can produce these things, even if there is a breach, the fine will be a lot less severe because you took proactive measures.

During a recent presentation, attorney David Vaughn shared invaluable information about best HIPAA practices that can help organizations stay compliant, reported FiercePractice Management.

Security measures

Many hospitals know how important it is to encrypt protected health information (PHI) and conduct regular risk assessments.

For added protection in case of a HIPAA infraction, ask if your facility has the following:

  • Business associate agreements with indemnity clauses — If a business associate causes a breach of your PHI, your facility could get stuck paying the penalty even though you did nothing wrong. Indemnity clauses can prevent that from happening.
  • Cyber liability protection — According to Vaughn, cyber liability can protect in cases where an electronic health records vendor goes out of business. And make sure your business associates carry $1 million in cyber liability coverage.
  • Encryption of all PHI-storing equipment — If equipment contains any kind of PHI, make sure it’s encrypted. We’re talking cell phones, tablets, work stations, thumb drives, and any other electronic thing with PHI on it. While it’s not required by law, half of all breach cases involved a stolen or lost piece of equipment that wasn’t encrypted. Plus — and this is definitely a positive — if a computer is stolen but encrypted, it doesn’t need to be reported to the government as unsecured equipment.
  • Device removal policy — All healthcare organizations should have clear policies about removing records or devices with PHI. Baughn suggests having set rules on who can remove records, where they can be kept and how long they can be out. Reason: this reduces the risk of information or devices being lost or stolen.
  • Risk assessments — Seeing as hospitals are such large entities with hundreds of computers, not to mention tablets, smart phones, etc., Vaughn believe the best way to do risk assessments is to hire a third party. It’s a complex process that takes a lot of time and effort, and is best left to the experts. Plus, it’s not a once-and-done process. Risk assessments need to be conducted periodically.

Organizations who are on top of HIPAA compliance won’t have a lot to worry about. But let’s face it, people make mistakes and sometimes breaches occur despite an organization’s best efforts. Proving to the government, however, that the proper preventive measures were taken can reduce the severity of fines and punishments for the breach.


Subscribe Today

Get the latest and greatest healthcare news and insights delivered to your inbox.