THE HIPAA ‘DIRTY DOZEN’ – FIND OUT ABOUT THE MOST COMMON HIPAA VIOLATIONS
By Tod Ferran, CISSP, QSA
Time and time again we see the same HIPAA issues arise in both large and small entities. We’ve compiled a list of the most common issues we see in the field that can lead to violations – and most are relatively easy to fix. Take a look at the following list to see if your organization struggles with any of these common HIPAA violation examples.
Protected Health Information (PHI) or Other Sensitive Data in Plain Sight
Protected Health Information (PHI) in plain sight includes everything from passwords on sticky notes, to white boards with patient names and diagnoses, to billing/coding forms sitting on the receptionist’s desk where patients check in. Sensitive data is everywhere. To evaluate your organization, start by walking through your facility as if you were a patient. Follow the patient flow through your organization. What can be seen at each step? Whether it is a training/policy update or privacy screens for computers, make the changes needed to prevent patients from seeing other patients’ information. Now consider what is left out overnight when janitorial staff comes through, or if there were a break-in. Be sure everything is locked up tight at the end of each day.
Missing or Incomplete Business Associate Agreements
Business Associate Agreements (BAAs) are too often overlooked. Ensure your organization understands the definition of a business associate, and identify the business associates with which your organization engages. Be sure you have proper contractual agreements with them and monitor their HIPAA compliance. The next step in this process is to understand the risk that each of your business associates brings to your entity. Even if you believe they lower your overall risk, that will depend heavily on the security controls they have in place with regard to the data you share with them.
Lack of Password Protected Screen Savers
Some entities have enabled screen savers but without forcing re-entry of the password on resume. This is surprisingly easy to fix. For example, in Windows 8, open the Control Panel, then Personalization and Screen Saver. Here you can enable the screen saver, change the timeout and check the box ‘On resume, display logon screen’. If you are using a Windows domain controller, you can configure this once using Group Policy and push it to all systems.
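The same three settings the Control Panel dialog and the Group Policy “Personalization” templates write can be audited and enforced from PowerShell. The script below is an added example, not code from the article or from HALOCK; it reads the per-user policy key (falling back to the user’s own Desktop key when no policy is set), tests the values against a policy, and writes the policy values if they are missing or weak. The 10-minute timeout is an assumed local standard, and the script is meant to be run in the affected user’s session.

```powershell
# Added example (not from the original article): audit and enforce a
# password-protected screen saver through the per-user policy registry key
# that the Group Policy "Personalization" settings populate. In a domain, set
# the same three values once in a GPO (User Configuration > Administrative
# Templates > Control Panel > Personalization) rather than per machine.

$PolicyPath     = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserPath       = 'HKCU:\Control Panel\Desktop'
$TimeoutSeconds = 600   # assumption: 10 minutes idle is the local standard

function Get-ScreenSaverState {
    # Policy values win over the user's own settings, so check the policy key first.
    $state = [ordered]@{ Active = $null; Secure = $null; Timeout = $null; Source = 'none' }
    foreach ($path in @($PolicyPath, $UserPath)) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        if ($null -ne $props.ScreenSaveActive) {
            $state.Active  = $props.ScreenSaveActive      # "1" = screen saver enabled
            $state.Secure  = $props.ScreenSaverIsSecure   # "1" = password required on resume
            $state.Timeout = $props.ScreenSaveTimeOut     # idle seconds before it starts
            $state.Source  = $path
            break
        }
    }
    return [pscustomobject]$state
}

function Test-ScreenSaverCompliant {
    param([pscustomobject]$State)
    # Compliant only if enabled, password-protected, and the timeout is set
    # and no longer than the standard. Missing values cast to 0 and fail.
    return ($State.Active -eq '1') -and ($State.Secure -eq '1') -and
           ([int]$State.Timeout -gt 0) -and ([int]$State.Timeout -le $TimeoutSeconds)
}

function Set-ScreenSaverPolicy {
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    # The GPO writes these as REG_SZ strings, so match that type exactly.
    Set-ItemProperty -Path $PolicyPath -Name ScreenSaveActive    -Value '1'               -Type String
    Set-ItemProperty -Path $PolicyPath -Name ScreenSaverIsSecure -Value '1'               -Type String
    Set-ItemProperty -Path $PolicyPath -Name ScreenSaveTimeOut   -Value "$TimeoutSeconds" -Type String
}

$before = Get-ScreenSaverState
if (Test-ScreenSaverCompliant $before) {
    Write-Output "Screen saver lock already enforced (from $($before.Source))."
} else {
    Write-Output "Non-compliant: active=$($before.Active) secure=$($before.Secure) timeout=$($before.Timeout)"
    Set-ScreenSaverPolicy
    $after = Get-ScreenSaverState
    Write-Output "Now: active=$($after.Active) secure=$($after.Secure) timeout=$($after.Timeout) (from $($after.Source))"
}
```

Values written under the Policies key are greyed out in the Control Panel dialog so users cannot undo them, and they take effect at the next policy refresh or logon rather than immediately.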
Inadequate Security Awareness Training
Businesses usually do a good job of providing training opportunities for their staff within select individual roles; however, many entities neglect cyber security awareness training for all staff members. Conduct a short 10- or 15-minute security awareness training every month to help keep security top-of-mind. Short and continuous security awareness training may be more effective than one annual two-hour training. Staff will retain more information and you gain the ability to leverage current events in the news that may impact your work environment.
No One Assigned as a Privacy and Security Officer
Smaller entities frequently appoint “everyone” as the person responsible for privacy and security. While everyone needs to be accountable, ultimately one individual needs to be responsible for ensuring that training happens and policy and procedures are followed. The Privacy and Security Officer keeps abreast of changes as they happen and makes updates to the environment as needed. Assign these duties and responsibilities to an individual and provide training.
Lack of Risk Analysis and Risk Management Plan
A proper risk analysis consists of reviewing foreseeable threats, defining acceptable levels of risk, then implementing appropriate controls based on the risks, the potential harm to others and your entity’s mission. Outsourcing this process, even for smaller entities, is common and the best way to stay on top of your risk management obligations. With so much involved and so many different facets to review from a security and regulation standpoint, the vast majority of entities, both large and small, simply do not have the right in-house staff to complete the analysis. Time and again we see settlements (also known as fines) with the US Department of Health and Human Services (HHS) that specifically call out the lack of a complete and thorough risk analysis as part of the basis for the fine. Partner with a security organization to assist in completing a risk analysis for your organization at least annually.
Shared Logons
It’s not uncommon to see shared logons being used by nurses and/or receptionists. Tracking and accountability are critical every time patient information is accessed, updated or deleted. Staff members must have individual logon credentials and never use shared accounts or share their password with anyone else. Assign each staff member a unique User ID and train them on passwords and the confidentiality of their credentials.
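Shared accounts leave a recognizable trace: one user name logging on from several workstations within minutes of each other. The script below is an added example, not code from the article or from HALOCK, that flags such accounts from a set of logon records. The records are constructed for the example; in practice you would build the same objects from Security log event 4624 (TargetUserName, WorkstationName, TimeCreated), and the 30-minute window and one-workstation threshold are assumptions to tune for your environment.

```powershell
# Added example (not from the original article): detect accounts that appear
# to be shared, i.e. logged on from several workstations inside a short window.

$WindowMinutes   = 30   # assumption: how far apart logons still count as "concurrent"
$MaxWorkstations = 1    # assumption: one person is expected at one workstation per window

# Constructed sample records standing in for Security event 4624 data.
$LogonRecords = @(
    [pscustomobject]@{ User = 'frontdesk'; Workstation = 'RECEPTION-01'; Time = [datetime]'2024-03-04 08:02' },
    [pscustomobject]@{ User = 'frontdesk'; Workstation = 'RECEPTION-02'; Time = [datetime]'2024-03-04 08:05' },
    [pscustomobject]@{ User = 'frontdesk'; Workstation = 'NURSE-STN-3';  Time = [datetime]'2024-03-04 08:20' },
    [pscustomobject]@{ User = 'jsmith';    Workstation = 'EXAM-ROOM-2';  Time = [datetime]'2024-03-04 08:10' },
    [pscustomobject]@{ User = 'jsmith';    Workstation = 'EXAM-ROOM-2';  Time = [datetime]'2024-03-04 09:45' },
    [pscustomobject]@{ User = 'jsmith';    Workstation = 'EXAM-ROOM-5';  Time = [datetime]'2024-03-04 13:30' }
)

function Find-SharedLogons {
    param([object[]]$Records, [int]$WindowMinutes, [int]$MaxWorkstations)
    $findings = @()
    foreach ($group in ($Records | Group-Object User)) {
        # Slide a window forward from each logon and count distinct workstations in it.
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start    = $sorted[$i].Time
            $end      = $start.AddMinutes($WindowMinutes)
            $inWindow = $sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end }
            $stations = @($inWindow | Select-Object -ExpandProperty Workstation -Unique)
            if ($stations.Count -gt $MaxWorkstations) {
                $findings += [pscustomobject]@{
                    User         = $group.Name
                    WindowStart  = $start
                    Workstations = ($stations -join ', ')
                }
                break   # one finding per account is enough to trigger a review
            }
        }
    }
    return $findings
}

# With the sample data, 'frontdesk' is reported (three workstations within
# 18 minutes) and 'jsmith' is not (one workstation per window).
Find-SharedLogons -Records $LogonRecords -WindowMinutes $WindowMinutes -MaxWorkstations $MaxWorkstations |
    Format-Table -AutoSize
```

A flagged account is a prompt for a conversation and a unique-ID rollout, not proof of misuse on its own; a clinician who legitimately roams between rooms will need a larger threshold.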
Improper Destruction of PHI
Throwing patient information into a recycling bin is not a proper means of destroying PHI. Just ask former dentist Joseph Beck, who put his patient files into a church recycling dumpster. He received a $12,000 fine for the HIPAA violation from the Indiana attorney general. Make no mistake. Any hardcopy with PHI on it needs to be pulped, burned, pulverized, cross-cut shredded or otherwise destroyed. If you don’t immediately destroy the document, it should go into a locked bin until it can be destroyed. If you use an outside company to shred documents, that company should be providing a certificate of destruction to you. If they haven’t provided a certificate of destruction, ask for one.
Improper Disposal of Equipment
Printers, copiers and fax machines all have hard drives in them, just like your laptops, workstations and servers. All are likely to have electronic protected health information (ePHI) on them and must be securely disposed of when they are no longer needed or reach their end of life. Affinity Health paid a $1.2 million fine for returning copy machines to their vendor when the lease was up, without securely deleting the ePHI on the hard drives inside. Sadly, Affinity first learned about the problem on the CBS evening news! Be sure to remove and destroy all hard drives or have the data on them securely deleted prior to disposal or repurposing.
BYOD (Bring Your Own Device) Containing Unencrypted ePHI
BYOD is becoming more and more prevalent in the healthcare business. Providers bring their own cell phones or tablets to work and expect to use them on the entity’s network, often planning on reviewing patient data. Other staff are following suit. This presents challenges for encrypting the data on these devices and for properly securing the applications on them. All too often, these personal items are used by children of the staff when at home. If a family member of a staff member sees patient information on one of these devices, it is an ‘impermissible disclosure’, a HIPAA violation. In addition, in our findings it’s not uncommon to find malicious apps installed, usually packaged with a popular game app that no one realized was a problem. And how do we handle it when (notice I did not say ‘if’) these devices with ePHI on them are lost or stolen? If we must let these devices onto our network, a policy and process must be put in place to load encryption and remote wipe tools.
Stolen Laptops, Tablets and Backup Media
Stolen devices and media seem to be the biggest source of known breaches. Even the ‘smash and grab’ burglaries where workstations are stolen from a small provider may involve ePHI. The problem, from a HIPAA violations perspective, is that these devices have unencrypted ePHI on them. Just like BYOD devices, they should have encryption enabled and remote wipe tools installed. Fines for losing patient information are stiff. The company QCA lost a laptop with the ePHI of only 148 patients (yes, fewer than 200 patients) and received a $250,000 fine.
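Whether a stolen laptop is a breach or a non-event comes down to whether its drive was actually encrypted at the time, so the control worth checking is the encryption status of every fixed drive, not just the existence of a policy. The script below is an added example, not code from the article or from HALOCK; it uses the BitLocker PowerShell module (Windows 8 / Server 2012 and later) and must run elevated. Each drive is listed unless it is fully encrypted with protection turned on, since a drive that is encrypted but has protection suspended, or is still encrypting, offers no protection against theft.

```powershell
# Added example (not from the original article): report fixed drives whose
# BitLocker protection is not fully in force. Requires the BitLocker module
# and an elevated session.

function Get-UnprotectedFixedDrives {
    # Operating-system and fixed data volumes hold ePHI; removable media is
    # handled by a separate (BitLocker To Go) policy and is skipped here.
    $volumes = Get-BitLockerVolume | Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' }
    foreach ($v in $volumes) {
        $encrypted = ($v.VolumeStatus -eq 'FullyEncrypted')
        $enforced  = ($v.ProtectionStatus -eq 'On')   # 'Off' means suspended or never enabled
        if (-not ($encrypted -and $enforced)) {
            [pscustomobject]@{
                Drive            = $v.MountPoint
                VolumeStatus     = $v.VolumeStatus
                ProtectionStatus = $v.ProtectionStatus
                KeyProtectors    = ($v.KeyProtector.KeyProtectorType -join ', ')
            }
        }
    }
}

$gaps = @(Get-UnprotectedFixedDrives)
if ($gaps.Count -eq 0) {
    Write-Output 'All fixed drives are fully encrypted with protection on.'
} else {
    Write-Output "$($gaps.Count) fixed drive(s) are not protected:"
    $gaps | Format-Table -AutoSize
}
```

Run across the fleet (for example from a scheduled task that writes the result to a central share), this gives the evidence you would need after a theft to show the data was unreadable, and a list of machines to fix before one goes missing.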
ePHI Sent Over Regular Email Accounts
Email is a quandary. On the one hand, it is an effective communication tool for nearly everyone; on the other hand, very few people realize the inherent insecurity of email or the alternatives for securing it. In short, email traverses the internet in a fashion that passes through many hands, and there is no way to know who has looked at it. Think of it as sending a postcard through the regular mail, then imagine that not only does the USPS carry the postcard, it may go through the hands of hundreds of people even just going across town. There is no way to know who read the postcard as they carried or handed it off. There are several solutions, such as Zixmail, hushmail and entrust®, which can securely handle your email, protecting it all the way to the recipient.
Now you know the ‘dirty dozen’ HIPAA violation examples most commonly seen in entities. How is your organization doing? Do you have all 12 locked down? If not, now is the time to make changes and improve your security posture!
For more information, assistance with your HIPAA initiatives or to schedule a more targeted discussion around the challenges faced by your entity, contact HALOCK.