Written by Sarah Lim, Lic #0M52397
Between 2016 and 2019, more than $20 million was paid out in HIPAA fines. Some of these breaches were large enough to make the news, but no practice, whatever its size, can afford to take a security breach lightly.
The penalty grows with the degree of negligence the healthcare organization is found to have shown at the time of the HIPAA violation, with fines ranging from $100 to $50,000 per violation or record. For individual physicians, even minor penalties can harm the practice, including its reputation and business continuity through a potential loss of revenue. After a single HIPAA breach, the practice’s name is permanently listed on the Office for Civil Rights’ breach portal (commonly called the “Wall of Shame”), together with the offense, the date, and the number of individuals affected. This can affect a patient’s willingness to stay with that provider. Then there is the added stress of taking part in a government investigation, as well as the cost of providing one year of free credit monitoring to the patients affected by the breach, as HIPAA requires. The following steps can be taken to prevent such breaches from happening.
Conduct a Thorough Risk Assessment
It is recommended that a baseline risk assessment be conducted at least once a year. By analyzing your risks, you will be able to identify your weaknesses and decide which security policies to apply where. Most incidents that result in a fine trace back to a risk assessment that was never done or was done inadequately. A thorough risk assessment, together with written policies and procedures, helps defend the practice against penalties.
Stress the Importance of Security Fundamentals
Since most breaches result from mistakes within the practice, it is recommended to focus cybersecurity training on the basics of everyday work life. Basic security comes down to people’s passwords: if somebody obtains a user’s password, they are in. The following are recommended tips on creating and managing passwords:
· Use long passwords of at least 12 characters,
· Use a different password for each site or system a user logs in to,
· Use a password manager that stores passwords in encrypted form and is unlocked with a single master password,
· Where possible, use multi-factor authentication, which requires a password plus a second factor such as a fingerprint.
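The first two tips above (minimum length and no reuse across sites) can be checked mechanically, which is what password managers do when they audit a vault. The following is an added example, not code from the article; the vault entries are constructed sample data, and the function names (fingerprint, audit_vault) and the fixed audit key are assumptions for illustration only.

```python
import hashlib
import hmac
from collections import defaultdict

MIN_LENGTH = 12  # the article's recommended minimum password length

# Constructed sample vault: (site, username, password). None of these are real accounts.
SAMPLE_VAULT = [
    ("ehr.example-clinic.test", "dr.smith", "correct horse battery staple 42"),
    ("email.example-clinic.test", "dr.smith", "Winter2023!"),
    ("billing.example-clinic.test", "dr.smith", "Winter2023!"),
    ("pharmacy.example.test", "dr.smith", "Tr0ub4dor&3"),
]

def fingerprint(password: str) -> str:
    """Keyed digest used to compare passwords for reuse without copying plaintext into findings.

    The key is a constructed constant for this example; a real audit tool would use a
    fresh random key per run so fingerprints cannot be compared between reports.
    """
    key = b"audit-fingerprint-key"
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()[:12]

def audit_vault(entries):
    """Return a sorted list of findings: entries that are too short, and entries whose
    password is shared with at least one other site in the vault."""
    findings = []
    sites_by_fingerprint = defaultdict(list)
    for site, user, password in entries:
        if len(password) < MIN_LENGTH:
            findings.append({"kind": "too_short", "site": site, "user": user,
                             "detail": f"{len(password)} chars, minimum {MIN_LENGTH}"})
        sites_by_fingerprint[fingerprint(password)].append((site, user))
    for fp, holders in sites_by_fingerprint.items():
        if len(holders) > 1:
            for site, user in holders:
                findings.append({"kind": "reused", "site": site, "user": user,
                                 "detail": f"shared with {len(holders) - 1} other site(s)"})
    return sorted(findings, key=lambda f: (f["kind"], f["site"]))

if __name__ == "__main__":
    for finding in audit_vault(SAMPLE_VAULT):
        print(f"{finding['kind']:10} {finding['site']:28} {finding['user']:10} {finding['detail']}")
```

Run against the sample vault, the audit flags three passwords shorter than 12 characters and the one password that is shared between the email and billing systems; the long passphrase passes both checks. Findings carry only a site and user, never the password itself, so the report can be handed to the user without becoming a second copy of the secret.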
Another tip is to instruct medical staff not to access medical records unless they need them to perform their job. A final tip is to stay current on cybersecurity training and knowledge. New threats appear all the time, so the knowledge you gained three years ago could already be outdated.
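Instructing staff to open only the records they need is a policy; whether it is being followed shows up in the EHR’s access log. The following is an added example of how a practice could check that log against its care-team assignments; it is not code from the article, the log lines and the CARE_TEAM mapping are constructed sample data, and the function names (parse_line, find_unjustified_access) are assumptions for illustration only.

```python
from datetime import datetime

# Constructed care-team assignments: which staff accounts have a treatment
# relationship with which patient record ids. Not real patients or staff.
CARE_TEAM = {
    "MRN-1001": {"dr.smith", "nurse.jones"},
    "MRN-1002": {"dr.patel", "nurse.jones"},
}

# Constructed EHR audit-log lines: ISO timestamp, user, action, record id.
# The last line is deliberately malformed to show how such lines are handled.
SAMPLE_LOG = """\
2024-03-04T09:12:01 dr.smith VIEW MRN-1001
2024-03-04T09:15:44 nurse.jones VIEW MRN-1002
2024-03-04T12:30:09 front.desk VIEW MRN-1001
2024-03-04T22:41:17 dr.patel VIEW MRN-1001
2024-03-05T08:02:55 dr.patel VIEW MRN-1002
this line is not a valid audit record
"""

def parse_line(line: str) -> dict:
    """Split one audit-log line into its fields; raises ValueError on a malformed line."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}: {line!r}")
    timestamp, user, action, record = fields
    return {"time": datetime.fromisoformat(timestamp), "user": user,
            "action": action, "record": record}

def find_unjustified_access(log_text: str, care_team: dict) -> dict:
    """Return accesses by users who are not on the record's care team, plus a count of
    log lines that could not be parsed (those should be investigated, not ignored)."""
    flagged, skipped = [], 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        try:
            event = parse_line(raw)
        except ValueError:
            skipped += 1
            continue
        allowed = care_team.get(event["record"], set())  # unknown record: nobody is allowed
        if event["user"] not in allowed:
            flagged.append(event)
    return {"flagged": flagged, "skipped": skipped}

if __name__ == "__main__":
    result = find_unjustified_access(SAMPLE_LOG, CARE_TEAM)
    for event in result["flagged"]:
        print(f"{event['time'].isoformat()} {event['user']} accessed {event['record']} "
              f"without a care-team assignment")
    print(f"{result['skipped']} unparseable line(s)")
```

On the sample log this flags the front-desk account and dr.patel, neither of whom is assigned to MRN-1001, and reports the one unparseable line separately. A review of flagged events, rather than an automatic penalty, is the right follow-up: an assignment table that is out of date produces the same signal as a genuine policy violation.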
Require Reporting of Security-Related Mistakes
Most practices require clinicians and staff to report security-related mistakes, such as clicking on a bad link or opening a suspicious attachment. Most of the time there is no penalty for reporting a breach, because the intention is to encourage behavior that uncovers gaps and leads to improvements. If a potential breach is discovered as early as possible, steps can be taken to limit the damage: change the compromised password and send a blast email notifying the staff of the breach and of the steps to take to contain it.
Lastly, health information technology systems need regular “tune-ups” to operate securely. It is crucial to install software updates when they are released and to keep antivirus software up to date.