By Michael Senter
Maintaining round-the-clock HIPAA compliance is a constant challenge for healthcare providers and other HIPAA covered entities. For small and medium-sized organizations, the challenge of HIPAA compliance can be particularly difficult due to a lack of skilled personnel, resources, and budget.
To make matters worse, just over a year ago, the OCR announced an initiative to more widely investigate HIPAA breaches affecting 500 people of fewer. While small breaches can occur at organizations of any size, the announcement was a reminder to those at the smaller end of the scale, that when it comes to a HIPAA breach, size doesn’t matter.
5 HIPAA compliance tips for small-medium sized businesses
To minimize the risk of a data breach occurring, small and medium-sized organizations should pay attention to the following five tips.
The 2018 Data Breach Investigation Report (DBIR) by Verizon revealed that healthcare is the only industry in which internal actors are the biggest threat to cybersecurity, which makes it vital for healthcare employers to develop robust policies and procedures that minimize risks from within – and regularly train staff to adhere to them. HIPAA compliance can only truly exist in an environment that encourages a culture of security and privacy, and this starts with proper education.
Keep communication secure
Maintaining secure internal and external communications is an essential part of safeguarding sensitive health information. Email, text messaging, and faxing are all common forms of communication in modern healthcare settings, but they are not inherently secure; a lack of encryption, lapse user access controls, or non-secure servers can represent significant security vulnerabilities. Therefore, upgrading legacy systems to modern, secure alternatives should be a top priority for HIPAA covered entities. For example, replacing text messaging with a proven HIPAA-secure mobile messaging solution helps keep data protected, while simultaneously improving collaboration and workflow.
Look beyond digital
While breaches of digital data get the most headlines, physical records still need to be treated with the same care and attention. To avoid potential HIPAA violations caused by paper documents, staff should be trained to err on the side of caution and assume everything on file is private. Any old or unwanted documentation containing PHI, no matter how insignificant it may seem, should be disposed of properly to a point where the information is indecipherable.
Keep on top of BAAs
Any entity that manages the transmission and storage of PHI on behalf of a healthcare organization – such as mobile messaging or hosting service provider – is regarded as business associates (BA). HIPAA requires covered entities to enter into a business associate agreement (BAA) with each of their business associates to ensure PHI remains secure and protected at all times. A failure to comply with this rule leaves organizations at risk of facing significant fines and reputational damage.
Protect mobile devices
The growing adoption of BYOD (bring your own device) in healthcare environments presents many potential benefits, however, it also brings new risks. According to the HHS, a reported 10% of major health data breaches involve a mobile device, which makes it critical for device owners to take action to ensure their smartphones, laptops or tablets do not become security vulnerabilities. To mitigate the risks, organizations must ensure all devices are secured with encryption, with strong passwords and multi-factor authentication, and only ever allow staff to exchange sensitive health information via pre-approved HIPAA-secure applications.
A journey, not a destination
HIPAA compliance is a constant burden for all organizations, regardless of size, and if past breaches have taught us anything it is that no organization is exempt from risk. In addition to the advice outlined in this article, covered entities should take time to review the HHS.gov website to obtain a detailed explanation of their responsibilities under HIPAA, and advice for preventing data breaches.