Anyone dealing with protected health information (PHI) has to comply with HIPAA including doctor offices or nursing homes.
The Health Insurance Portability and Accountability Act (HIPAA) was designed to ensure personal health information is protected from unauthorized disclosure and ensure that patients have access to their own health information. 

It has multiple technology guidelines that apply to anyone that generates, transmits or stores patient health records.  

Unfortunately, these regulations can be difficult for many small and mid-sized businesses to get their heads around which leaves many Connecticut business owners at risk of a HIPAA violation. There is always the question of “Have we thought of everything?”

HIPAA violation penalties range from $100 to $50,000 per incident or per health record.

If technology and network systems are not set up with the proper protections, it can lead to a data breach or data leakage incident due to the inadvertent exposure of PHI. HIPAA fines can be levied for anything from failing to properly secure a patient records database to leaving a laptop unattended with a patient record in plain sight on the screen.

Be Aware of These HIPAA Mistakes to Avoid

There are some common HIPAA mistakes that businesses tend to make which get them into trouble.

Being aware of these pitfalls and how to avoid them can help you prevent a costly data breach and result in fines and loss of business.

Not Having Adequate Data Encryption on Mobile Devices

Mobile devices are often outside a company’s on-premises firewall or other security protocols but they are being used much more often by on-the-go medical staff to review patient information.

One of the mistakes companies make is not properly securing or encrypting data being transmitted to and from staff mobile devices which can lead to it being compromised.

Putting in place a business virtual private network (VPN) can help you avoid this problem. It encrypts all internet traffic and can be used on both computer and mobile devices.

Lost Laptop or Mobile Device Containing PHI

Another common HIPAA violation can happen when someone loses a laptop or mobile device that contains PHI.

Once a device is lost or stolen, anyone can access anything on it if you don’t have protections in place which means you could be facing fines for each patient record exposed.

An endpoint device manager, such as Microsoft Intune, can help you secure lost devices immediately. This type of tool allows you to remotely lock or wipe a device as well as detect any activity.

Not Using HIPAA-Compliant Business Associate Agreements

Companies that are subject to HIPAA are also responsible to ensure any vendors they work with and share sensitive information with also follow HIPAA guidelines.

The HIPAA rules dictate the need to create and use business associate agreements that confirm this HIPAA compliance. Business associates can include IT professionals, payment processors or anyone else that may have access to patient information.

Many IT professionals can help you with vendor management when it comes to HIPAA compliance to ensure each of them signs a HIPAA-compliant Business Associate Agreement.

Not Notifying Impacted Parties of a Breach Within 60-Days

When a data breach happens, all that is usually on a company’s mind is securing their data and immediately addressing the reason for the breach. In the aftermath of returning to normal business operations, 60-days can go by pretty quickly. Some companies may not even realize they need to make all notifications within that time.

HIPAA requires that anyone impacted by the data breach, including any clients that may have had their information exposed, need to be notified within 60 days of breach discovery (not containment).

HIPAA regulations can seem overwhelming if you are trying to navigate them on your own and things like the 60-day notification rule can easily fall between the cracks. This is another reason to work with a trusted IT partner like Sound Computers for HIPAA compliance help.

Human Error – Lack of Data Handling Procedures

A patient health record left out in a common area, an unattended computer without a screen lock and a clicked phishing email link are all examples of human-caused reasons for HIPAA violations.

If an organization doesn’t have clear data handling policies that employees are regularly trained on, human errors are much more likely to cost you in HIPAA compliance penalties.

It is important to conduct ongoing cybersecurity and HIPAA compliance training so procedures stay fresh in an employee’s mind. Some of the things you should cover are the following:

  • How to identify a phishing email
  • Password security
  • Data handling procedures
  • Physical device security
  • The cost of HIPAA violations
  • Examples of unintended HIPAA violations
  • Mobile device security

Get the Help You Need with HIPAA Compliance 

Sound Computers can help your company avoid making common HIPAA mistakes by ensuring you have the network and technology protections in place you need.

Contact us today and we can customize a protection plan that fits your unique needs. Call 860-577-8060 or reach us online.

August 10, 2020
Steven Nuhn