Maintaining your site’s HIPAA compliance

The last year has seen an unprecedented number of cyber breaches and incidents in the healthcare industry. In August 2016, 8.8 million healthcare records were exposed or stolen. That’s on top of the 11 million records exposed in June 2016. With numbers like these, it’s imperative you maintain your site’s HIPAA compliance.

According to IBM’s 2016 Cyber Security Intelligence Index, the healthcare industry has become the No. 1 target for cyber criminals. Not only has it suffered data breaches, but ransomware has locked down hospitals, placing patients’ data — and their health — at risk. Now more than ever, cyber security in the healthcare industry is of the utmost importance.

What is HIPAA compliance?

The Health Insurance Portability & Accountability Act (HIPAA) is a law enacted to protect the millions of working Americans and their family members who seek medical attention in the United States. Most of the HIPAA regulations cover the legal aspects of protecting patients’ confidential information, including the fines for violations.

The original HIPAA was enacted in 1996 before everyone started to become “connected.” The Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted in 2009 and is much more aware of the technology. One of the goals of HITECH was to raise awareness of and utilization of approved Electronic Health Records (EHR).

Why is this important for my website or organization?

If your site in any way handles information that is covered under HIPAA regulations, you could be subject to an audit by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS). From January to August of 2016, organizations paid more than $20 million in HIPAA fines as a result of HIPAA compliance violations. With all the high-profile health industry breaches, audits are being performed more regularly.

Auditors are starting to perform random HIPAA compliance audits of healthcare industry sites.


So in addition to auditing sites with reported breaches or following up on whistleblower reports, auditors are taking security a step further. It’s important to keep your site HIPAA compliant in order to be prepared for any random audits.

How do we avoid the HHS wall of shame?

OCR, which performs the HIPAA audits, is also required to maintain a list of sites with HIPAA compliance violations and breaches that affect more than 500 people. This web page is known as the HHS wall of shame. They have recently upgraded the page to be fully sortable and searchable.

Expertise matters

How do you avoid being listed on the wall of shame? The first question you should ask is:

“Does this information REALLY need to be connected to the internet?”

If the answer is no, don’t connect it just because it’s easier. Realistically, this is rarely the case. In most cases today, it’s not only desirable to have this type of data connected to the internet but a necessity. Protecting an internet-connected server holding HIPAA-covered data, or the internet-connected office of a small medical practice, is not something that should be left to an average site admin or website developer.

Have someone who’s familiar with HIPAA and system security review your setup annually.


HIPAA regulations require three annual audits: administrative, privacy and security. These audits should show that your organization has done everything within its power to protect the Personal Identifying Information (PII) and Personal Health Information (PHI) in its possession. The majority of the $20M in fines so far in 2016 were due to “failure to implement Administrative Privacy and Technical safeguards.” The fines for HIPAA violations could easily bankrupt a small medical practice.

Training and awareness

Against the most prolific current threats, training and awareness are the best tools to avoid breaches. The majority of breaches in recent years have been attributed to insider threats.

The insider threat isn’t always a disgruntled employee.


A good employee with all the best intentions, but a lack of security understanding, can be a more powerful threat than a disgruntled one. Malware on an employee’s computer from visiting disreputable websites or viewing unknown email attachments can grant attackers unrestricted access to the data you most want to protect — or it could hold that data for a ransom.

Running a site with access to data covered by HIPAA is becoming more difficult. The threat from hackers is increasing, and the government is increasing its enforcement of HIPAA regulations through audits, fines, and mandatory corrective actions. If your site has access to HIPAA-covered information, ensure you are taking all possible steps to protect that information. If you don’t have the needed expertise in house, make sure you seek it out.


(Originally posted on the Go Daddy Garage)