How to Prevent a HIPAA Breach
As healthcare breaches become more commonplace, it is important to take precautions to avoid becoming the latest victim. The steps for preventing a HIPAA breach are discussed below.
How to Prevent a HIPAA Breach: Self-audits
The first step in preventing a HIPAA breach is to assess your organization’s technical, physical, and administrative safeguards. HIPAA covered entities and business associates must safeguard the confidentiality, integrity, and availability of protected health information (PHI). Conducting self-audits measures your safeguards against HIPAA standards.
The following audits are required to be completed annually:
- IT Risk Analysis Questionnaire: is meant to create a standard device installation and setup process across an entire organization.
- Security Standards: ensures that an organization’s security policies are in line with HIPAA requirements.
- HITECH Subtitle D: ensures that an organization has proper documentation and protocols in relation to Breach Notification.
- Asset and Device: is an itemized inventory of devices that contain ePHI. The device and asset list includes who uses the device and how an organization is protecting the device.
- Physical Site: each physical location must be assessed to determine if there are measures protecting PHI such as locks or alarm systems.
- Privacy Assessment (not required for BAs): assesses an organization’s privacy policies to ensure that PHI is used and disclosed in accordance with HIPAA.
How to Prevent a HIPAA Breach: Remediation Efforts
Once you have completed your self-audits, the gaps in your safeguards are identified. For your organization to be secure and HIPAA compliant, you must address the gaps with remediation efforts.
- Policies and Procedures: These must be customized to apply directly to your business practices. Policies and procedures must be reviewed annually to account for any changes in the way you do business. Policies and procedures dictate the proper uses and disclosures of PHI to ensure that your organization and employees are adhering to the minimum necessary standard.
- Business Associate Management: When your business associate is breached, it is likely that your data can also be compromised. This is why covered entities must vet their business associates before working with them. The best way to do this is by sending them a vendor questionnaire. Similar to self-audits, a vendor questionnaire identifies gaps in the business associate’s safeguards so that they may be addressed with remediation efforts. Before you begin working with the vendor, it must agree to implement remediation plans that address the identified deficiencies. You must also have a signed business associate agreement (BAA) with each of your business associate vendors. A BAA is a legal document that dictates what protections the business associate is required to have in place. A BAA also mandates that each signing party agrees to be HIPAA compliant, and each party is responsible for maintaining its own HIPAA compliance.
- Security Standards: A major component of preventing a HIPAA breach is implementing security measures on your devices that “touch” electronic protected health information (ePHI). One “addressable” security measure is encryption. While encryption is not specifically mandated by HIPAA, organizations that do not find it feasible are required to have equally protective measures in place. Encryption masks sensitive data so that it can only be read by authorized individuals possessing a decryption key. Encryption is particularly effective at preventing unauthorized users from accessing data on devices that are lost or stolen. The best way to prevent a breach caused by hackers attempting to access an employee’s computer, or your organization’s network, is through multi-factor authentication (MFA) and employee training. MFA requires users to present a combination of unique login credentials to access sensitive information. This is generally a username and password in combination with security questions, a one-time PIN, or biometrics.
- Employee Training: Although MFA and encryption ensure that your data is secure, hackers can also access employees’ computers through phishing attempts. A phishing attempt occurs when a hacker disguises themselves as a trusted individual and sends employees emails that prompt them to click on a malicious link. Once the link is clicked, hackers can access the employee’s computer and, in some cases, your organization’s entire network. This is why employee training is an important component of preventing a HIPAA breach. Employees must also be trained annually on your organization’s policies and procedures, as well as HIPAA standards. This ensures that they understand their obligation to safeguard patients’ PHI.