HIPAA – Why is Compliance So Hard to Achieve?


8/25/2018 7:46:29 AM

by Jay Hodes - President, Colington Consulting

If you track the healthcare sector like I do, then it should not come as a big surprise how many HIPAA data breaches are occurring on a regular basis. Almost every day there is another news article announcing breaches large and small. Why is that? Why is compliance so hard to achieve? When analyzing how reported breaches are occurring it seems like there are two distinct categories. 

The first is human error. A little over a year ago, the HHS Office for Civil Rights released the most current statistics on how breaches were occurring. Those stats showed 78% of breaches are caused by human error, including lost and stolen devices and impermissible disclosures. This is an astonishing number to say the least, especially since most of those breaches may have been preventable. 

HIPAA regulations mandate that annual security awareness training must be provided to all members of a covered entity’s workforce. The guidance for Business Associate workforce members is less consistent. Best practice is that any member of a Business Associate workforce who is required to access protected health information (PHI) or electronic protected health information (ePHI) must receive this training. 

But training must go beyond the annual requirement. The HIPAA Security Standards also call for periodic security reminders but stop short of defining what that actually means beyond providing these updates. 

The second category is not implementing the proper technical safeguards. This category takes some effort and potential cost to implement. Technical safeguard requirements mandate areas like the use of unique user identification for all workforce members, conducting information system audits to verify authorized access, and verifying that a person or entity seeking access to ePHI is the one claimed. 

Simple measures such as setting auto logoff to a minimal amount of inactivity—around five to seven minutes for any device that can access ePHI—can help. Even the use of lockable screen savers can minimize unauthorized viewing of a workstation monitor or laptop. 
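The three technical safeguards named above (unique user identification, audit of access to verify it was authorized, and auto logoff after a short period of inactivity) fit together naturally in a single access gate. The following Go program is an added example written for this post; it is not code from the author or from any product, and the user names, record IDs, audit-record layout and five-minute inactivity window are constructed for illustration. Every attempt to read an ePHI record, allowed or denied, produces an audit event, and a session idle for longer than the limit is closed so the user must authenticate again.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Inactivity window after which a session is closed; the post suggests
// five to seven minutes for any device that can reach ePHI (assumed: 5).
const AutoLogoffAfter = 5 * time.Minute

var (
	ErrNotAuthenticated = errors.New("no active session for user")
	ErrAutoLogoff       = errors.New("session closed by auto-logoff")
	ErrNotAuthorized    = errors.New("user not permitted to read ePHI")
)

// AuditEvent is one entry in the information-system activity log
// (constructed layout for this example, not a prescribed HIPAA format).
type AuditEvent struct {
	When     time.Time
	UserID   string
	RecordID string
	Allowed  bool
	Reason   string
}

// SessionManager enforces one session per unique user ID, auto-logoff,
// and an audit trail of every access attempt, allowed or denied.
type SessionManager struct {
	permitted  map[string]bool      // user IDs cleared to read ePHI
	lastActive map[string]time.Time // live sessions keyed by unique user ID
	Audit      []AuditEvent
}

func NewSessionManager(permittedUsers []string) *SessionManager {
	m := &SessionManager{permitted: map[string]bool{}, lastActive: map[string]time.Time{}}
	for _, u := range permittedUsers {
		m.permitted[u] = true
	}
	return m
}

// Login records an authenticated session for userID starting at now.
// The authentication step itself (password, token, card) is out of scope here.
func (m *SessionManager) Login(userID string, now time.Time) {
	m.lastActive[userID] = now
}

// AccessRecord is the single gate in front of ePHI: it requires a live
// session, enforces the inactivity limit, checks authorization, and writes
// an audit event whatever the outcome.
func (m *SessionManager) AccessRecord(userID, recordID string, now time.Time) error {
	ev := AuditEvent{When: now, UserID: userID, RecordID: recordID}
	deny := func(err error) error {
		ev.Reason = err.Error()
		m.Audit = append(m.Audit, ev)
		return err
	}
	last, ok := m.lastActive[userID]
	if !ok {
		return deny(ErrNotAuthenticated)
	}
	if now.Sub(last) >= AutoLogoffAfter {
		delete(m.lastActive, userID) // auto-logoff: user must log in again
		return deny(ErrAutoLogoff)
	}
	m.lastActive[userID] = now
	if !m.permitted[userID] {
		return deny(ErrNotAuthorized)
	}
	ev.Allowed = true
	m.Audit = append(m.Audit, ev)
	return nil
}

// Denied returns the refused attempts, the first thing an activity review
// of the audit log should look at.
func (m *SessionManager) Denied() []AuditEvent {
	var out []AuditEvent
	for _, ev := range m.Audit {
		if !ev.Allowed {
			out = append(out, ev)
		}
	}
	return out
}

func main() {
	t0 := time.Date(2018, 8, 25, 7, 46, 0, 0, time.UTC) // constructed timeline
	m := NewSessionManager([]string{"dr.smith"})
	m.Login("dr.smith", t0)
	m.Login("front.desk", t0)
	fmt.Println(m.AccessRecord("dr.smith", "chart-1001", t0.Add(1*time.Minute)))   // <nil>
	fmt.Println(m.AccessRecord("front.desk", "chart-1001", t0.Add(1*time.Minute))) // not permitted
	fmt.Println(m.AccessRecord("dr.smith", "chart-1001", t0.Add(8*time.Minute)))   // auto-logoff
	for _, ev := range m.Denied() {
		fmt.Printf("%s user=%s record=%s reason=%q\n", ev.When.Format(time.RFC3339), ev.UserID, ev.RecordID, ev.Reason)
	}
}
```

The point of routing every read through one function is that the audit trail is complete by construction: there is no code path that touches a record without leaving an event, so the periodic review the regulations call for has something trustworthy to review.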

Although encrypting data is an Addressable Implementation, meaning the regulations provide some flexibility in meeting the standard, it is now a critical area that must be addressed by any organization that can create, store, transmit, or receive ePHI. The regulations call for an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI the organization holds, in part to help determine whether encryption is necessary. Even so, organizations should just go ahead and encrypt the data. The price to do so will be far less than the costs associated with breach notification, investigation, and follow-up requirements. Encrypting all ePHI is a no-brainer and should be part of any HIPAA compliance program. 
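As an added example of what "just encrypt the data" looks like at the field level (this code is not from the post or from any product), the following Go program seals each ePHI value with AES-256-GCM using only the standard library. The record identifier is bound in as associated data, so a sealed value copied into a different patient's record fails to decrypt, and any modification of the stored bytes is detected rather than silently returning garbage. The key, record IDs and sample value are constructed; in a real deployment the key would be held in a key-management service and never stored beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key. Assumed for this example only:
// production keys come from a KMS or HSM, not from the application.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptField seals one ePHI value with AES-256-GCM. The record ID is bound
// in as associated data, so a ciphertext moved to another patient's record
// will not open. Stored layout: nonce || ciphertext || tag.
func EncryptField(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per value
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptField reverses EncryptField and fails closed on any change to the
// ciphertext, the tag, or the record the value is bound to.
func DecryptField(key []byte, recordID string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed value too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key, _ := NewKey()
	// Constructed sample ePHI value; not real patient data.
	sealed, _ := EncryptField(key, "chart-1001", []byte("DOB 1970-01-01; Dx: hypertension"))
	fmt.Printf("stored: %x\n", sealed)
	plain, err := DecryptField(key, "chart-1001", sealed)
	fmt.Println(string(plain), err)
	_, err = DecryptField(key, "chart-2002", sealed) // wrong record: tag check fails
	fmt.Println("moved to another record:", err)
}
```

Using an authenticated mode (GCM) rather than bare AES-CBC is what gives the integrity guarantee HIPAA asks for alongside confidentiality; a tampered or misplaced ciphertext produces an error, never a plausible-looking wrong value.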

Organizations must be proactive in managing all aspects of their HIPAA compliance program. They should never assume the workforce understands the level of necessary compliance that the HIPAA Security Official knows needs to be in place. Organizations should establish a culture of compliance to continuously reinforce best practices for the entire workforce. 

©2025 Dentaltown, a division of Farran Media • All Rights Reserved