Maintaining the privacy of patient information is critical for quality patient care. It’s also central to a strong HIPAA compliance program. To comply with HIPAA, covered entities and business associates must not use or disclose protected health information (PHI) without authorization. But they need to go further, to do everything possible to maintain the security of information that is held or transmitted electronically.
Those who follow a strong HIPAA compliance program are ahead of the game, but the problem is that PHI can be hidden in places you might not expect. Even if you have the right policies, you’ve done a Risk Analysis, follow a Risk Management Plan and have trained the workforce, you might be overlooking places where PHI ends up, hidden and forgotten.
Hidden PHI Can Be Costly
If PHI is hidden, you don’t control it. You won’t know if it’s at risk for theft or loss, or what measures should be taken to keep it secure.
In 2020 the average total cost of a data breach in a healthcare organization was $7.13 million, and the trend is going up – this is a 10.5% increase over 2019, according to the IBM Cost of a Data Breach Report 2020. The cost of data breaches in healthcare is the highest among the 16 industries evaluated in the IBM Report.
In addition to investigations and fines from the Office for Civil Rights, the agency that enforces HIPAA, a growing risk is the threat of lawsuits from enterprising lawyers helping patients sue healthcare organizations for negligence, or breach of contract when their PHI is breached. It’s not a HIPAA lawsuit per se, since HIPAA does not provide for a private right to sue, but HIPAA rules are often held up as an example of how healthcare organizations should act, and failure to follow the HIPAA basics can be costly when a judge or jury is deciding the case.
HIPAA Checklist Should Include Finding Hidden PHI
While each category below includes more details, the top three items on a HIPAA checklist are:
- HIPAA Policies
- Risk Analysis – Risk Management (this is where you should find ALL the PHI)
- Workforce Training
The Risk Analysis, among other things, should require an inventory of all PHI locations. Obvious locations are easy: office files, office computers, the server, laptops and other electronic devices that an organization owns and issues to staff. Less obvious ones are the office printer, personal devices owned by employees but used for work, business associates’ computers and other electronic devices. And when you locate the PHI, you need to establish measures to secure it.
Common Risks of Hidden PHI
- Copy machines/printers with memory storage
- Mobile Phones – when a workforce member leaves
- Business associates
- PHI on a home computer and other personal devices
- Medical devices
- Disgruntled employees
- No strict Bring Your Own Device policy
- Hard drives retired without expert sanitization
The compliance manager should review the Risk Analysis, and be sure all the less obvious locations are accounted for.
One of the biggest risk areas is PHI under the control of business associates. Billing and collection companies handle enormous amounts of patient data in order to perform their functions in support of healthcare organizations. The largest healthcare breach of 2019 affected over 25 million people and occurred at American Medical Collections Agency (AMCA), a business associate of Quest, LabCorp and many other companies.
Covered entities who use business associate vendors must perform “due diligence”. Find out whether they are following HIPAA. When did they last perform a Risk Analysis? If you are a covered entity, do you have a Business Associate Agreement in place? If you are a business associate and have subcontractors supporting your work, the same obligations apply – due diligence and a subcontractor BAA are required.
Electronic devices owned by employees are permissible under HIPAA, but make sure you have a Bring Your Own Device policy. At a minimum, employees must agree to follow all HIPAA policies of the organization, and if they leave, they should allow their devices to be scrubbed of PHI before they go. The HIPAA E-Tool® has a BYOD policy, and recommended steps to secure patient data on employee devices.
The HIPAA E-Tool® Has it All
The step-by-step guide to the Risk Analysis module in The HIPAA E-Tool® is the best checklist you’ll find to make sure nothing remains hidden. Guidance from the Security Rule and NIST is included, to complete every task required for a thorough security risk assessment and a robust Risk Management Plan. It’s the most complete solution.