HIPAA: Where The Points Don’t Matter & Almost Is Not Good Enough
Many organizations focus a lot of attention on securing the infrastructure that stores protected health information (PHI), but become complacent about monitoring and policies after the initial implementation. HIPAA sometimes gets treated as a checklist item: once the organization has a “secure server”, the thinking goes, there is nothing else to do.
This mindset is dangerous for any organization. Penalty guidelines dictate that HIPAA violations not due to neglect can still carry penalties of up to $50,000 per instance.
If there is a breach, you may be fined. End of story.
Take a look at Concentra Health Services. A staff member stole a laptop with protected health information (PHI) on it. This seems out of the hospital’s hands, right?
Concentra was fined $1.7 million for not properly encrypting the laptop that was stolen.
So how do you avoid fines? Don’t have breaches.
This is easier said than done. Prevention and security safeguards are everything. Procedures and reporting obviously need to be in place in case a HIPAA breach occurs, but organizations have to be proactive in how they secure PHI. Once a breach occurs, it is too late.
Organizations need to look at each set of stakeholders that comes into contact with sensitive information, and develop strategies accordingly. Organizations should create plans by asking themselves:
- How are staff members accessing PHI?
- How are admins, IT, and developers accessing PHI and the infrastructure/servers holding it?
- How are consumers/other users accessing PHI?
- What devices will possibly store or have access to PHI for these stakeholder groups? How can we revoke access to data that may be compromised?
Policies that are put into practice need to be maintained and reviewed. Improperly disposing of a photocopier can cost an organization over $1 million in fines. The little things can result in big fines. Not knowing is not an excuse, or a way to avoid fines. Following best practices every day is the only way to stay protected.
Jacob Nemetz is CEO of Dash Health Systems, a company providing an SDK that makes your apps HIPAA compliant.
Join the conversation. Learn more about our mission at www.dashsdk.com