Most providers today know HIPAA places certain standards on practices to keep patients’ Protected Health Information (PHI) safe. Failure to comply with these safeguards results in corrective actions and large fines. Just one compromised medical record can cost a practice $50,000.
However, many providers, focused on running their practices, have no opportunity to sort through HIPAA regulations with the detailed attention required to achieve compliance. They also have long-held workflows reliant on non-compliant technology and record systems. The perceived cost, both financial and functional, of achieving HIPAA compliance can seem daunting, so many practices accept the risks of continuing business as usual.
In this article, we list three direct steps you can take now to reduce the risk to your practice, with minimal upfront cost or interruption to your workflow.
1. Move your data to the cloud
If you rely on an on-site server to store all your patient data—or you’re carrying a backup hard drive to and from the office every day—moving your data to the cloud is one of the most immediate ways to cut costs and risks.
When your data is in the cloud, it’s stored at multiple high-security data centers. Because it’s backed up at multiple locations, no single disaster (e.g. fire or flood) can wipe out your patient data. Importantly, you won’t need a backup hard drive that may end up in the hands of data thieves.
Consider what happened at Washington State University in 2017. The HIPAA Journal reported that a hard drive containing the identifiable information of more than 1 million research participants, including social security numbers, was stolen despite being locked in a safe (which was also stolen). The estimated cost of the breach was $245 for each exposed record. That’s one expensive hard drive.
Storage in the cloud not only protects your data, it improves the efficiency of your practice. Move to a cloud-based Electronic Health Record (EHR) system and you’re not bound by the size or space constraints of having a server tower live at your practice. You can even access patient data from other locations via laptop or smartphone.
Finally, the cloud is very cost-efficient, often far less expensive than traditional backup systems.
2. Stop sharing PHI via Gmail, Yahoo! or Outlook
The HIPAA violations resulting in the largest fines most often stem from attacks on non-secure emails containing PHI. These hacking and phishing attacks are so frequent and successful because:
- They’re harder to track down because criminals execute them remotely.
- When undiscovered, hacking/phishing can go on perpetually, mining PHI and increasing the inevitable HIPAA penalties.
- Many email services that claim to be HIPAA compliant are actually not, unless used in a very narrow, unrealistic way. Data thieves rely on this false sense of security.
In 2018, Anthem, Inc., a nationwide health benefits company, paid $16 million to the federal government after falling victim to the largest U.S. health data breach in history. The thieves made off with the PHI of almost 79 million individuals, including everything from social security numbers to employment information.
How did this happen? The “cyber-attackers had infiltrated their system through spear phishing emails” and “at least one employee responded to the malicious email and opened the door to further attacks.”
First, educate your team to never click on links in, or respond to, emails that seem even vaguely suspicious or unsolicited. And never, ever send PHI through Gmail, Yahoo!, Outlook, etc., as it’s easy to unwittingly commit a HIPAA violation through these popular services.
Second, your email service has to fulfill five federal technical safeguards to actually be HIPAA-compliant:
- Transmission security: messages and attachments must be encrypted
- Authentication: it must verify the people seeking access to ePHI are who they say they are
- Access control: logins must be secure, and an auto-logoff implemented
- Audit control: an audit trail of all messages must be available for at least six years
- Integrity: all data must be backed up securely with redundancy
Does your email fulfill all five? If it’s lacking even one safeguard—that’s a violation of the law. Take the key step of adopting a fully HIPAA-compliant email right away.
3. Conduct a Risk Analysis to See Where Else Your Practice is Compromised
Moving to a secure cloud-based EHR service and fully HIPAA-compliant email are guaranteed solutions against a huge number of electronic HIPAA violations.
However, there are more steps to take to be fully protected, and the process gets trickier here. As every practice functions differently, there is no one-size-fits-all solution for perfect compliance on every level (including human error). Everything from the angle of a computer monitor, failure to log out of secure portals when away from the desk, unlocked doors, and data stored unwittingly on the hard drive inside a fax machine can result in possible HIPAA violations. Did you know that many fax machines indefinitely store copies of everything they receive or transmit? That makes a fax machine a major liability.
Knowing every in and out of HIPAA law takes time and study. That’s why you should invest in a qualified professional to come to your practice and assess every aspect of how PHI is handled and stored. They will find and offer solutions to correct any aspects of practice activity currently putting PHI at risk.
Upfront costs for these services vary, but one thing is certain: achieving compliance now will cost you far less than a HIPAA settlement.
For more information about HIPAA compliance and PHI security, call iCoreConnect at 888-810-7706, visit iCoreConnect.com or HHS.gov. iCoreConnect’s ONC-certified practice management EHR software (iCoreDental) and HIPAA-compliant email service (iCoreExchange) encrypt data at the highest levels, and securely store PHI. iCoreExchange and iCoreDental are both vetted and endorsed by FDA Crown Savings. Active FDA members receive special discount pricing. iCoreConnect’s solutions meet or exceed all of the government’s five technical safeguard laws for HIPAA compliance.
PUB NUM. 3000.147.012119