HIPAA compliance is critically important, but unfortunately not at all simple. Here are 5 deadly sins you might be committing, and the secrets to avoiding them.
Okay, so we’ll admit, we’re pretty biased. We’re all about the strong, secure and streamlined managed IT environment, not only because it’s just so much easier for you … but also because it’s so much more secure. And when it comes to HIPAA (Health Insurance Portability and Accountability Act of 1996), that’s really, really important.
Now, we could spend a lot of time spewing legislative babble at you in an effort to make this point, but you already know what HIPAA is. Besides, all that babble boils down to one outcome: If you’re not careful, HIPAA will bite you in the rear. Big time.
Consider the numbers. According to the U.S. Department of Health & Human Services, there have been more than 36,000 HIPAA complaints since 2003. Of those, 69 percent of them resulted in corrective action.
It doesn’t take a genius to know that “corrective action” isn’t in the practice’s favor, and doesn’t typically do much for PR. Quite the opposite, in fact. If you want to ensure this doesn’t happen to your business – and that you avoid the potentially disastrous consequences of being found flouting HIPAA compliance rules – it’s time to get it together.
It’s time to face your sins now because when it comes to HIPAA, deathbed conversions just won’t cut it. Here are the five main sins you might be committing unintentionally … and how to avoid them.
Forgetting About Physical Security … or Cloud Security
Many companies rely more heavily on either paper or electronic records-keeping systems. That’s fine, except for the blind spot it creates regarding the other medium. “Oh, we don’t really use paper anymore,” a tech-savvy physician will say, forgetting about the stockpiled files in the back room. Or, “Oh, we don’t do much in the cloud,” the old-school doctor claims, forgetting that she uses several vendors who store plenty of data there.
When it comes time to perform risk assessments or put safeguards in place, you need to pay attention to both. Otherwise … curtains. And not the lacy, soft lighting kind.
Failing to Unify Vendors, Services, and Platforms
Many businesses, without intending too, end up juggling multiple products and services from multiple vendors. Over time, as you add this and that IT application or hardware to keep your business running smoothly, you build up so many that it’s hard to keep track of them all. Result: Low security. Additional result: Overwhelm. Final result: Head in the sand, mimicking ostrich, hoping it will all go away.
Instead, you need to unify those products and services, bringing them into one complete system that eliminates the need for multiple vendors. Don’t know how? That’s normal; you just need a managed IT specialist at your side. So get one. Now. Before your coffee break.
Relying Too Heavily on General Insurance
Yes, it’s important to ensure you have watertight data security. Yes, it’s critical that you choose the right combination and in-house and cloud-based IT services. Yes, it’s an absolute must to have excellent insurance. And no … that’s not enough.
Why? Because no matter how many safeguards you put in place for both your physical and electronic environments, whether you store your data on-site or in the cloud, it doesn’t do you a lick of good if you break compliance and don’t have the insurance to cover your proverbial behind.
Believe it or not, many practices aren’t aware that most general insurance doesn’t cover electronic data storage. That means if you have a breach, you may not be covered. Whoops. Time to talk to your insurance guy and make sure you’ve got across-the-board coverage, then find an IT provider who will reduce the risk of a breach as much as possible.
Performing Audits Internally
Internal audits! What a money-saver! Why pay others to do what you could do for yourself, right?
Nope to the nope. Not a good idea. Even if you work hard to stay apprised of changes in policy or the evolving abilities of cybercriminals, it’s still unlikely you can stay up-to-date enough to remain fully secure. You need the help of an outside auditor, who can pinpoint your outdated security practices and help you bring them up to speed. Plus, you’re poorly positioned to perform your own audits simply because you become used to a way of doing things, and you’re therefore less likely to change even when you know you have too.
So don’t rely on you. Go on, say it out loud: I shall not handle audits internally. I understand that this might ruin my company and steal my soul. I shall atone for my sins by outsourcing my audits today, and I shall never look back.
Thinking Risk Assessment Is Enough
Risk assessment is not enough. The very nature of the word “assessment” means you’re supposed to do something with that information. So by all means, get assessed … but then take the next step.
Usually, when you perform a HIPAA compliance assessment, you’re looking for weak links in your data security. The assessment will point to missing safeguards, both physical and technological. Working with your IT provider, it’s important you manage login information, automatic log-offs, clearance levels, security training and more. Only when you put an ongoing plan in place can you be sure you’ve done your best to remain in compliance.
Another common mistake: thinking a single risk assessment is enough. That’s not the case. Rather, you need to perform them continually, responding to changes as they come.
The takeaway? Remaining in compliance isn’t easy, but it’s absolutely crucial. It’s time to think about it and make a plan that will last well into the future. And it’s time to do it today … before your coffee break, remember?
Author: Aaron White, Date: 2nd November 2017