Going Beyond HIPAA: 5 HIPAA-related Pitfalls and How to Avoid Them
The Health Insurance Portability and Accountability Act (HIPAA) is a very complicated compliance standard to tackle. There are strict privacy requirements surrounding the handling of patient medical and personally identifiable information, but how these requirements are met is left largely up to the individual healthcare organizations. Add HIPAA’s requirements for portability and accessibility to the fact that a given healthcare organization’s electronic medical records (EMR/EHR) system may not be able to communicate directly with another organization’s, and exchanging protected information can get complicated.
The complicated process of exchanging protected health information (PHI) opens the door to accidental HIPAA violations, and potentially worse, a full-scale data breach. To help, here are 5 common HIPAA pitfalls to avoid while you navigate the path to compliance:
Insurance Claims Denial
Every organization that needs to comply with HIPAA should be keenly aware of the costs of a data breach, but what happens if a violation or breach happens anyway?
Organizations typically have some kind of insurance policy to protect against damages from HIPAA violations or data breaches, but it is not uncommon for them to have their claim denied over improperly completed applications, a failure to maintain adequate security, or otherwise not meeting the requirements set by the insurance company.
Insurance providers may have security requirements that go beyond what is required by HIPAA. It is important for organizations to meet these requirements not only to ensure their insurance policy is valid in the event of a breach, but because they can often help an organization shore up its security, helping to avoid a breach or violation in the first place.
Lawsuits and Legal Expenses
The annual Cost of a Data Breach Report 2019 from IBM Security and the Ponemon Institute indicates that one of the biggest expenses related to a data breach isn’t the fines from the violation itself, but rather the “post data breach response.” That is, everything related to helping customers affected by a breach, as well as costs associated with redressing the situation, paying reparations, and dealing with any legal fallout from partners.
What this means is that while complying with requirements laid out by HIPAA and insurance policies is essential, it is also vital to ensure your organization complies with every other relevant law, standard, business associate agreement, or even contractual obligation. Considerations even extend to things like PCI DSS compliance if a given healthcare organization accepts or handles credit card payments, satisfying state laws for protecting patient and employee information, and ensuring the organization and its employees meet professional licensing requirements.
There are multiple reasons for this. Not only does compliance with many of these requirements help bolster your organization’s security posture, but it also helps to ensure any available legal protections are applicable and works to mitigate liability if a HIPAA violation does occur. This in turn can help reduce the overall cost of the post data breach response.
For example, if an organization contracted to handle payment processing for a major hospital suffers a data breach resulting in a HIPAA violation, the hospital may hold it responsible for damages if the payment processor failed to meet PCI DSS compliance, regardless of whether it was meeting the requirements for HIPAA compliance. On top of this, the payment processor may see its insurance claim denied over failing to maintain PCI DSS compliance.
Hardware and Software Misconfiguration
Setting up an IT environment is complicated in the first place. Add in HIPAA compliance requirements, contractual and insurance obligations, and meeting other applicable standards and legal requirements like the ones mentioned above, and it’s a recipe for confusion. Confusion, in turn, leads to mistakes.
A best practice for mitigating this confusion is to identify all of the requirements for your IT environment, both in regard to the functions it needs to perform and the legal and security requirements it needs to meet. From there, generate a thorough checklist for every individual piece of hardware and software that needs to be implemented, being sure to include things like proper environment architectures, application security policies, and even steps for testing to ensure the environment and all of its components are functioning as intended.
Falling Out of Compliance
Basic logging and monitoring is a requirement of HIPAA; however, modern monitoring solutions can do more than meet HIPAA requirements. Many of these solutions not only deliver valuable insights into usage trends in your IT environment, but are also capable of proactively identifying security risks. These risks can include misconfigurations, suspicious network activity, and applications or hardware that have fallen out of compliance or need a software update.
Further, in the event of an audit or incident, a quality logging solution can provide clear insight into user and environment activity. Detailed logs help in rapidly addressing the requirements of a compliance audit, as well as in identifying the source of a data breach if one occurs.
An organization leveraging a quality logging and monitoring solution should not stop there, however. While such a solution may deliver meaningful and actionable insights into your environment’s activity, audits remain the best way to assure ongoing compliance. Organizations may rely on internal compliance assessment teams and monitoring solutions; however, it is possible for organizations to erroneously believe they are compliant when they are not. As such, it remains a best practice to engage an expert third party to conduct compliance and security audits, including for HIPAA.
Every time a new piece of hardware or software is implemented, one of the last steps on the implementation checklist should be to audit the entire IT environment before making it live. An audit serves as a final check to ensure that applications and hardware are properly configured and that the environment is architected in the most efficient way. An audit can also verify that the organization is in fact meeting all of the requirements and criteria for HIPAA and any other applicable legal requirements and security policies like those noted above. Finally, the audit can confirm that security policies, the procedures for implementing them, and the evidence that they have been implemented have all been properly documented, and that those policies have been updated as appropriate.
If security gaps or any other issues are identified in this audit, the organization then has a chance to remediate them before the environment goes live and the issues become real problems. Organizations should conduct both regularly scheduled and random audits to help catch any undetected error or issue that could result in a breach or in falling out of compliance. Additionally, in the event of a breach or HIPAA violation, a record of regular audits may help counter claims that the organization was negligent in its security practices.
XMedius offers a suite of HIPAA-compliant secure file exchange solutions that can help organizations avoid HIPAA pitfalls by helping meet security and compliance requirements (including PCI DSS).
Solutions like XM Fax and XM SendSecure offer organizations a way to securely share Protected Health Information (PHI) while providing logging functionality that captures user activity, producing a clear, easy-to-read report for auditing.