HIPAA Violations and Healthcare Risk Management… Know the Risk.
Last month, we started covering the most common HIPAA risks that lead to a violation. Our first blog talked about outside vendors and breaches related to unsecured patient information. In this article, we’re going to cover ePHI and healthcare risk management.
HIPAA Violation Scenario.
As an organization, you probably store confidential patient information electronically, on laptops, tablets, servers, phones, and other portable devices, and it is usually only a click or two away when you need it. One day, a potential breach is flagged. You correct the immediate problem and continue on your way, sharing that information back and forth exactly as before. Unfortunately, you have also committed a HIPAA violation.
Why Is This A Violation?
In the above scenario, it may be difficult to track exactly where the violation comes from. Let’s take it step by step.
ePHIs and HIPAA:
ePHI stands for Electronic Protected Health Information. When you store patient information electronically, it must meet the HIPAA Security Rule's safeguards at all times, not only after a problem is noticed. The first part of the violation comes from how the information is stored. The scenario above says nothing about how the data on those devices is protected from unauthorized access, and that matters because protected patient information cannot simply be kept on any device in any form.
Laptops, desktops, tablets, phones and other devices that hold ePHI must protect it at rest, and in practice that means full-disk or file-level encryption, not merely a screen-lock password. The distinction matters: if a device encrypted in line with HHS guidance is lost or stolen, the data on it is considered secured and the loss is not a reportable breach; if an unencrypted device is stolen, the loss is presumed to be a breach of unsecured ePHI and your organization is exposed to a HIPAA violation.
Breaches can occur at any time, and being the victim of one does not by itself mean you will be cited for a violation. A violation does follow if you never ran a risk analysis or did not follow it up with a risk management process; the Security Rule requires both (45 CFR 164.308(a)(1)(ii)(A) and (B)). In the example above, after the breach the ePHI was still shared back and forth exactly as it had been before. An organization that performs and periodically updates its risk analysis would have identified the unencrypted devices and the unprotected transfers as risks before the incident, and its risk management plan would have put controls in place to reduce them. Correcting only the single flagged problem without revisiting the analysis leaves the same weaknesses in place, and that omission, not the breach itself, is what draws the violation.
Creating a Risk Management Process.
Risk management starts with the information systems you use. Choose systems that support the Security Rule's technical safeguards: unique user identification, encryption of ePHI at rest and in transit, audit logging, and automatic logoff. Next, select and implement the security controls your risk analysis calls for, scaled to the risk rather than to convenience. One familiar example is a control that refuses, or at least flags, sessions for the same account open from two different locations at once.
Limit each person's access to the minimum their role requires, and make sure nobody can reach the system without presenting the right credentials. Configure the system to lock an account after a set number of failed login attempts, and record every attempt, successful or not, so that unusual patterns can be seen. Finally, monitor the system continuously by reviewing those logs. When a breach does happen, contain and correct it, then feed what you learned back into the risk analysis and improve your controls.
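To make the controls above concrete, here is a small added example written for this article (it is not code from any vendor or product the page describes): an authentication gate that locks an account after repeated failures, writes every attempt to an audit trail, and a monitor that reads that trail to flag one account logged in from two locations within a few minutes. The thresholds, the user names and the sequence of login events are all constructed assumptions, chosen to show one brute-forced lockout and one concurrent-location login.

```python
"""Added example for this article: account lockout, audit logging and a
concurrent-location check.  Thresholds, users and events are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import hashlib
import hmac
import secrets

MAX_FAILURES = 5                      # assumed policy: lock after 5 failures...
FAILURE_WINDOW = timedelta(minutes=15)  # ...within 15 minutes
LOCKOUT = timedelta(minutes=30)       # assumed lockout duration
CONCURRENT_WINDOW = timedelta(minutes=10)  # assumed window for "two places at once"

DUMMY_SALT = bytes(16)
DUMMY_HASH = bytes(32)                # pbkdf2_hmac-sha256 output length


def _hash(password, salt):
    # Slow, salted password hash; never store or compare plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthGate:
    def __init__(self):
        self._creds = {}                      # user -> (salt, hash)
        self._failures = defaultdict(deque)   # user -> timestamps of recent failures
        self._locked_until = {}               # user -> lockout expiry
        self.audit = []                       # append-only audit trail (in memory here)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._creds[user] = (salt, _hash(password, salt))

    def login(self, user, password, location, now):
        """Return 'ok', 'bad_credentials' or 'locked'; every outcome is audited."""
        until = self._locked_until.get(user)
        if until is not None and now < until:
            self._log(now, user, location, "locked")
            return "locked"
        recent = self._failures[user]
        while recent and now - recent[0] > FAILURE_WINDOW:
            recent.popleft()               # forget failures outside the window
        rec = self._creds.get(user)
        salt, expected = rec if rec else (DUMMY_SALT, DUMMY_HASH)
        # Always hash and compare in constant time, even for unknown users,
        # so response timing does not reveal which user names exist.
        ok = hmac.compare_digest(_hash(password, salt), expected) and rec is not None
        if ok:
            recent.clear()
            self._log(now, user, location, "success")
            return "ok"
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT
            self._log(now, user, location, "lockout")
            return "locked"
        self._log(now, user, location, "failure")
        return "bad_credentials"

    def _log(self, now, user, location, outcome):
        self.audit.append({"ts": now, "user": user, "location": location, "outcome": outcome})


def concurrent_location_logins(audit, window=CONCURRENT_WINDOW):
    """Users with successful logins from two different locations within `window`."""
    flagged = set()
    seen = defaultdict(list)   # user -> [(ts, location), ...] of successes
    for ev in sorted(audit, key=lambda e: e["ts"]):
        if ev["outcome"] != "success":
            continue
        for ts, loc in seen[ev["user"]]:
            if loc != ev["location"] and ev["ts"] - ts <= window:
                flagged.add(ev["user"])
        seen[ev["user"]].append((ev["ts"], ev["location"]))
    return flagged


def demo():
    """Constructed scenario: nurse.a is brute-forced into lockout (and the
    correct password is then rejected too); dr.b logs in from a clinic and a
    VPN endpoint three minutes apart.  Returns (outcomes, flagged users)."""
    t0 = datetime(2020, 1, 1, 9, 0)
    gate = AuthGate()
    gate.register("nurse.a", "correct horse battery")
    gate.register("dr.b", "S3cret!pass")
    outcomes = []
    for i in range(6):   # five wrong guesses trigger the lockout; the sixth is refused
        outcomes.append(gate.login("nurse.a", "guess%d" % i, "clinic-1", t0 + timedelta(seconds=i)))
    outcomes.append(gate.login("nurse.a", "correct horse battery", "clinic-1", t0 + timedelta(seconds=10)))
    outcomes.append(gate.login("dr.b", "S3cret!pass", "clinic-1", t0 + timedelta(minutes=1)))
    outcomes.append(gate.login("dr.b", "S3cret!pass", "home-vpn", t0 + timedelta(minutes=4)))
    return outcomes, concurrent_location_logins(gate.audit)


if __name__ == "__main__":
    results, flagged = demo()
    print(results)   # four bad_credentials, three locked, two ok
    print(flagged)   # {'dr.b'}
```

The lockout is keyed on the account, not the source address, so an attacker cannot dodge it by rotating IPs, and the audit list is what the "monitor continuously" step consumes; in a real deployment it would go to an append-only log store rather than a Python list, and a flagged user such as dr.b would be reviewed rather than automatically blocked, since a clinician moving from the ward to a VPN session is a plausible false positive.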
Before you go…
Risk management is an ongoing concern for organizations like yours. With the right procedures in place, HIPAA violations can be kept to a minimum. Our company specializes in helping you take steps towards keeping your organization in compliance at all times. Give us a call today to learn more about HIPAA compliance and what you need to do to stay current.