Case in point: in August 2022, a Massachusetts dermatology practice agreed to pay more than $300,000 to settle an alleged HIPAA violation because it tossed specimen bottles labeled with patients’ protected health information into unsecured dumpsters on its property.
Here are four HIPAA data security best practices that will help you keep from being the next example of what not to do.
HIPAA Data Security Best Practice #1 – Where’s the PHI?
If the healthcare industry were like a pirate movie, PHI would be the treasure. Think about it: the pirates (cybercriminals) are trying to steal it because it is so valuable, and PHI earns hackers as much as 50 times more than financial records.
The first step in protecting the PHI in your care is knowing where all of it is. Are there paper files in cabinets or long-term storage? Where is your electronic PHI stored? How do you handle paper and electronic files when they are no longer needed? Is there any PHI in places you’ve overlooked (like on specimen bottles)?
These are just some of the questions you need to consider. Creating a complete inventory of all PHI in all its forms is crucial to developing an effective strategy for HIPAA compliance and data security. After all, one of the primary purposes of the HIPAA law is to protect PHI.
HIPAA Data Security Best Practice #2 – How’s My HIPAA Data Security?
Once you know where PHI is stored, you need to examine how secure it is. Start with your HIPAA policies and procedures and evaluate if they are adequate to your needs. Then determine if those policies are being followed correctly.
Part of achieving and maintaining HIPAA compliance is conducting an annual HIPAA Security Risk Assessment as required by law. If done thoroughly, this yearly activity will help you identify any technical or non-technical gaps in your compliance with the HIPAA Security and Privacy Rules.
HIPAA Data Security Best Practice #3 – Am I Mitigating My Risk?
Any gaps identified in the security risk assessment must be addressed through remediation. This is the stage where you close the non-technical holes, such as updates to your HIPAA policies and procedures, administrative safeguards, and workstation security. Then you close the technical gaps, such as user authentication, encryption, and access and audit controls for PHI.
Notice that we started with the non-technical side of things. So many people think that security and compliance are all on the technical side. The truth is that HIPAA compliance is following the requirements of the law and being able to prove it. The non-technical aspects of your compliance plan, like policies, are just as crucial to HIPAA investigators as how your files are encrypted.
HIPAA Data Security Best Practice #4 – Do I Have an Incident Response Plan (and is it current)?
Believe it or not, HIPAA regulators don’t expect you to be perfect. What they do expect is that you will be realistic. Breaches are going to happen.
Whether the cause is an accident, negligence, or criminal activity, HIPAA investigators will want to know if you had an Incident Response Plan (IRP) and if you followed it.
A comprehensive IRP clearly defines who is responsible for incident response and what actions they should take, including notifying affected individuals and government agencies as required under the HIPAA Breach Notification Rule.
We’ve listed four HIPAA data security best practices, but the ultimate goal should be achieving HIPAA compliance in a way that works for your organization. Our experts at Compliancy Group are willing to help you meet all the required standards and get the peace of mind from knowing you are fully compliant.