The most common HIPAA violations and how technology can overcome these
As you realize just how important this information is, you must also realize how at risk it is when it falls into the wrong hands. There have been numerous examples over the past several years of ransomware attacks that hold medical information hostage until an exorbitant fee is paid. Other cyber-attacks seek to sell health information for money or use the information to steal one’s identity.
A federal law known as HIPAA, the Health Insurance Portability and Accountability Act, together with its Privacy Rule, seeks to keep personal medical information private and confidential while also setting industry-wide standards for billing and other electronic transactions related to health care. HIPAA violations can cause significant loss, particularly for the individual patients who are affected.
What is a HIPAA Violation?
A HIPAA violation is anything that allows personally identifiable patient information to be released to someone who does not have the need to know it. This could include health information in oral, paper or electronic formats.
Personally identifiable information includes demographic data provided in conjunction with the following:
- Physical or mental health information from the past, present or future
- Provided health care
- Payment information for provided health care
Many healthcare providers do not even realize that they are violating HIPAA. For example, they may ask personally identifiable questions during a check in that can be overheard by other patients. However, some of the most painful and disastrous violations are those that occur with the help of technology.
While the improvement in technology has really helped the healthcare sector provide better and more comprehensive care, the systems that monitor patient information have not caught up yet. This leaves electronic records at high risk of experiencing healthcare data breaches.
The current year has seen hundreds of thousands of patients in the United States affected by data breaches. For example, over 120,000 patients were affected by a cyber-attack on the Arkansas Oral Facial Surgery Center. Healthcare providers using MongoDB databases were also affected when roughly 26,000 of those servers were hacked.
Another breach in May affected approximately 300,000 patients of the Women’s Health Care Group in Pennsylvania. These electronic data breaches must be reduced by using technology to prevent hacking, employee mistakes, accidental access and other common violations.
What are the most common causes of HIPAA violations and how can they be reduced?
While healthcare workers do occasionally violate HIPAA as they speak or send papers across offices, the majority of HIPAA violations occur through electronic means. Below are seven of the most common causes of data breaches and the technology that can come to the rescue to reduce or stop them.
- Unsecured transmission through mobile devices
Mobile devices have given health care workers great flexibility in providing care. Doctors can now communicate with patients from the comfort of their own homes, view laboratory data on their phones and prescribe medications with the push of a few buttons. Nurses and other healthcare workers also routinely use mobile devices to communicate with each other and even to check up on their patients.
However, mobile devices are not nearly as well protected as most computers, and many of them lack the data transfer controls that are needed to stay in compliance with HIPAA. These devices must be able to encrypt data before transferring it to another device and should only be able to communicate within the organization’s internal network. Mobile devices should not be able to store sensitive patient information.
- Hacking and phishing
A surprising 98 percent of healthcare data that ends up in incorrect locations can be traced to hacking. Healthcare organizations must maintain their own servers and encrypted hard drives for storage so as not to depend on other databases that may be targeted by hackers.
Even phishing has created security breaches that result in huge amounts of healthcare data being stolen. Phishing scams can be averted by using two-step authentication methods along with forced screen locks and automatic log-offs on multi-user computers and mobile devices. Biometric scanning can be used to ensure that the correct person is seeing pertinent patient data.
- Organizational corruption
Sadly, some healthcare organizations can blame internal corruption for their poor HIPAA compliance. Upper levels of management must put systems in place to monitor employees’ usage of computers and patient data. User activity logs should be generated weekly, and random checks of activity tracking can keep employees on their toes. Using fully encrypted information can keep employees from sending private information to those outside their health care system.
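As an added example that is not part of the original article, the script below shows what the weekly activity-log review and random spot checks described above can look like in practice: it flags record views outside a user's care-team assignment (the "need to know" test from the definition of a violation), after-hours access, exports, and unusually broad access. The log format, user names, patient IDs and assignments are all constructed for the example.

```python
import csv
import io
import random
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log of patient-record access (not from any real system).
SAMPLE_LOG = """\
timestamp,user,patient_id,action
2017-05-01T09:12:00,nurse01,P1001,view
2017-05-01T09:40:00,nurse01,P1002,view
2017-05-01T10:05:00,nurse01,P4001,view
2017-05-01T23:30:00,clerk07,P2001,view
2017-05-02T11:00:00,nurse01,P3001,view
2017-05-02T11:02:00,clerk07,P3001,export
"""

# Care-team / work-queue assignments used as the "need to know" reference (constructed).
ASSIGNMENTS = {
    "nurse01": {"P1001", "P1002"},
    "clerk07": {"P2001", "P3001"},
}

def parse_log(text):
    """Parse the CSV audit log into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def weekly_review(entries, assignments, bulk_threshold=4, after_hours=(19, 7)):
    """Return (user, patient, reason) findings for the weekly review: access outside
    the user's assignment, after-hours access, exports, and unusually broad access."""
    findings = []
    patients_per_user = defaultdict(set)
    for e in entries:
        user, pid = e["user"], e["patient_id"]
        hour = datetime.fromisoformat(e["timestamp"]).hour
        patients_per_user[user].add(pid)
        if pid not in assignments.get(user, set()):
            findings.append((user, pid, "outside assignment"))
        if hour >= after_hours[0] or hour < after_hours[1]:
            findings.append((user, pid, "after-hours access"))
        if e["action"] == "export":
            findings.append((user, pid, "record export"))
    for user, pids in patients_per_user.items():
        if len(pids) >= bulk_threshold:
            findings.append((user, "*", f"{len(pids)} distinct patients this week"))
    return findings

def spot_check(entries, k, seed):
    """Random sample of k entries for manual verification; seeded so it is reproducible."""
    return random.Random(seed).sample(entries, k)
```

The findings list is the input to a human reviewer; the thresholds and assignment source would come from the organization's own role and scheduling data.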
- Improper information disposal
When healthcare data must be disposed of, it should also be done in a manner to ensure HIPAA compliance. Of course, physical papers should be sent through a thorough shredding either by employees or by an outside company. Electronic data may be more difficult to erase, but deletion logs and automatic permanent backup systems can keep data safe and private.
- Third-party API access
Third parties must sometimes access an organization’s electronic systems to install or repair software. Regular audits should be performed to ensure that no patient data is leaked and to ensure that third parties sign HIPAA compliance forms before accessing healthcare software.
- Weak privacy rules enforcement
Some healthcare organizations do not enforce HIPAA rigorously among their employees, leading to careless handling and accidental leakage of pertinent information. Strong access controls must be used across all electronic devices to ensure that employees are not allowed to become careless. Additionally, compartmentalization of data will ensure that systems can operate separately from each other, so that employees do not see patient information they have no need for.
- Misplaced or lost devices
Healthcare organizations are typically busy places where devices can be misplaced or lost in the daily handling of patient care. Management should put policies in place to ensure that organizational devices are returned at the end of each shift or are audited for home use. Strong bring-your-own-device policies should be in place to limit employees bringing their phones to their workstations. Device location services can be used to find lost mobile devices, and remote data wiping should be used immediately on any device that cannot be found within a specified time.
While healthcare information is increasingly in jeopardy these days from a host of unexpected digital sources, proper security compliance within healthcare organizations and plenty of safeguards can protect against intentional and unintentional employee sharing of protected data. They can also eliminate, or at least reduce, threats from hackers and those who use phishing schemes and ransomware to attack unsuspecting companies. With new rules, plenty of audits and encrypted data, you and your patients can feel safe entrusting information to health care workers.