It’s time to get smart about HIPAA compliance. It’s not just complicated; it’s more complicated than ever, because the healthcare industry has become increasingly dependent on digital communications.
As you know, HIPAA requires specific protections for medical data, and adhering to these requirements is challenging to implement in a digital space where threats abound, and healthcare companies are less prepared than ever.
That’s why we suggest you take a look at the worst HIPAA compliance mistakes. Be wary of these traps!
Believing That Your General Insurance Extends to Digital Security
General liability insurance is essential for healthcare organizations, but it doesn’t protect against everything. Digital security incidents aren’t covered by your general insurance, so you must get data breach insurance to help you recover from a data attack or loss.
Data breach insurance helps cover the costs of a data security breach for things like identity protection solutions, public relations, legal fees, liability and more depending on the coverage you choose.
Assuming You Can Handle Audits Internally
I always tell my clients that relying on internal audits is dangerous, and particularly so when it comes to data security. Most healthcare organizations are poorly positioned to audit their own digital security practices. It’s time-consuming and, due to fast-evolving external factors, it’s very easy to miss something or misunderstand a threat.
You should always bring in an expert to conduct data security audits. Where To Start can help with this.
Not Having a Plan for Social Media
In many ways, social media and HIPAA compliance are polar opposites. Social media is cavalier in the way it uses and spreads data, while HIPAA exists to keep data as private as possible. The problem is that healthcare organizations often rely on social media to communicate to patients and advertise their services.
Some social media use is to be expected, but many healthcare organizations don’t address security issues when using social media because they don’t believe they’re sharing PHI. They’re wrong.
Sometimes, without knowledge of HIPAA regulations, employees mistakenly post protected data, especially if no one tells them not to. This is particularly problematic because there’s no way to get that data back once it’s live on social media. Even if a post is deleted, the information still lives on in an external server somewhere, and the disclosure remains a direct HIPAA violation.
Your employees need proper social-media training that includes bans against providing private information, even if a patient asks for it. Only let trained individuals post on your social media accounts so there are no accidental HIPAA violations. Where To Start can provide Data Security Training for your employees that covers social media use and much more.
Not Considering the Implications of Partner Contracts
You surely scrutinize your business agreements. But are you considering the fact that business associates may unintentionally share confidential patient information? And are you aware that, if they do, your healthcare organization will be held responsible for the breach?
When you sign contracts for common data services, you may be violating HIPAA regulations without realizing it. You must consider how data is stored and moved in the cloud when working with others. Plus, a lot of companies advertise that they’re “HIPAA compliant” or “certified for HIPAA data” when this isn’t true. They will lie to get your business, and you’ll be at least partially liable if something goes wrong.
It’s important to find associates with experience and a long-standing reputation in your industry (Where To Start has both), and you should sign Business Associate Agreements (BAAs) that reduce your liability if a business associate experiences a data breach.
Not Complying with State and Local Laws
You stay on top of state and local regulations, but you may be missing something when it comes to HIPAA. HIPAA regulations typically supersede state laws because most state laws are less stringent. Where a state law is stricter, the state law must be followed, and this applies to the patient’s state of residence as well as the state where your organization operates. This can prove particularly confusing when trying to expand or when dealing with complex cases (court subpoenas, family access to data, etc.).
State and local laws can be confusing when navigating HIPAA regulations. This is another reason that external audits from Where To Start are an important part of your security process.
Forgetting About Guidelines for Lost or Stolen Devices
It’s not just healthcare organizations that have trouble with this, but you have the most to lose. Today’s mobile devices are ubiquitous and, yes, frequently used for work. But they also get lost or even stolen, and that jeopardizes PHI.
If your devices aren’t protected with the right encryption and access authorization, you can be fined when a device goes missing. Always have a reporting process for lost or stolen devices and mandatory encryption of data on all your mobile devices.
Not Planning for Data Destruction
According to HIPAA, electronic health data must be destroyed when replacing old computers with new ones. This means securely wiping all data and then destroying the device itself.
To make sure data is cleared and your old computer devices are properly retired, you should ask Where To Start, your trusted managed services provider, to handle this task.
Do you have questions about HIPAA compliance or other data security requirements? We can help. Contact Where To Start to learn more about the services we provide in San Francisco. You can reach us at (844) RASM or firstname.lastname@example.org.