Blog
The Most Common HIPAA Compliance Oversights
Three Important Steps that Organizations Should Take to Help Strengthen Security and Minimize the Risk of a Data Breach
With a new year comes new security challenges. This is why it is important to take stock of how your organization is currently dealing with HIPPA compliance issues. Unfortunately, most covered entities have been failing to properly examine and oversee their business associates. Many covered entities and business associates focus on addressing HIPPA compliance as a checklist activity as opposed to a comprehensive risk management process, and most do not provide operative training and communications awareness.
It is for this reason that organizations need to put a strong focus on strengthening their security practices to minimize the risk of data breach. Below are three security steps that organizations should be taking to ensure that their sensitive data remains safe:
- Investigate your vendors, business associates, and contracted third parties’ information security
It is important to note that around 20 percent of the breaches on the HHS wall of shame that involve major health data breaches involve a business associate. That being said, it is more than likely that your organization will have to share in the liability for the poor actions of your vendors, business associates, or contracted third parties.
Case in point: This past November, the Connecticut Attorney General applied penalties against both Hartford Hospital and its business associate EMC Corp, in response to a breach that occurred in 2012. This is but a small example of why it is of the utmost importance to make sure that your vendors, business associates, and contracted third parties:
- Have documented policies and procedures in place
- Have an adequate risk management process in place
- Provide regular information security and privacy training to employees
- Regularly send awareness reminders to employees
- Have implemented security tools that will protect the information you have entrusted to them
- Find and address all administrative, technical, and physical risks facing the organization
History has shown us that some of the most significant security breaches have happened as a result of organizations not properly addressing administrative, technical, and physical risks. And although risk assessment is a vital tool in identifying these risks, it is far from enough to prevent them. To further strengthen your security, you need to implement a risk management program that includes additional activities to manage risks, such as:
- Keeping track of mobile computing devices that have access to PHI
- Documenting those who are using personally owned computing devices
- Keeping anti-virus and anti-malware software up-to-date
- Applying security patches regularly
- Performing regularly scheduled audits
It cannot be stressed enough how important having a comprehensive risk management plan in place that includes keeping systems patched and up-to-date is to avoid the costly liabilities that come with a security breach.
- Thoroughly educate the workforce on security and privacy, as well as the importance of compliance
Ensuring that your workforce is trained in security and privacy is becoming more important than ever when you consider the numerous technologies and gadgets out there that enable healthcare workers to collect and share data. Security training for employees cannot be limited to a once a year occurrence, or a security crash course that occurs before or at the start of employment. There needs to be an ongoing awareness of activities and communications that are required by HIPPA to ensure that your sensitive data is secure. Organizations need to invest a fair amount of time and resources towards regular training to prevent security issues regardless of their organization’s size.
Does your workforce have a clear understanding of the steps needed to ensure compliance? Contact {company} at {phone} or email us at {email} to find out about our managed IT services for healthcare organizations.