HIPAA is among the most extensive, comprehensive sets of regulations in any industry – enough so that compliance can often seem like a herculean task for the unprepared. And it isn’t just first-timers, either. Even experienced health enterprises can violate HIPAA without even realizing it.
We’ve already gone over a pretty comprehensive checklist of what’s necessary to safeguard digital PHI. Today, we’re going to go a bit deeper. We’re going to explore some incredibly common but little-known mistakes you might be making in your compliance efforts.
SMS, Voicemails, and Other Conversations
We’ll start with what may well be the most common HIPAA issue in healthcare – unprotected, unsecured text messages. Texting is, believe it or not, one of the primary means of communication between nurses and doctors. Unfortunately, most hospitals fail to take the necessary steps to protect these transmissions from unauthorized parties.
The security shortcomings of text messaging are extremely well-documented. The technology at the core of most SMS messages – the SS7 Network – was not created with security in mind. There are multiple vulnerabilities in the network, and hijacking tools are readily-available for cybercriminals who might seek to steal health data.
If your hospital or care organization uses SMS for two-factor authentication, you’re essentially inviting criminals to break into your network, installing ransomware or exfiltrating PHI. Instead of SMS, consider using a secure enterprise messaging service of some kind, and relying on more advanced authentication techniques. It isn’t just SMS that’s an issue here, either.
What many care providers fail to realize is that voicemails and in-person conversations are subject to the same HIPAA regulations as healthcare data. Having a conversation with a patient within earshot of any unauthorized individual – be they a patient or otherwise – counts as a violation, as does leave a voicemail that contains PHI of any kind.
Ensure your staff understands they have a responsibility to keep data safe not just over their devices but in their conversations and interactions.
Leaving Workstations Unattended (And Unencrypted)
The days when all your IT department had to worry about was a few desktop workstations and laptop computers are far behind us. The number of devices and endpoints within your organization has increased exponentially – and will continue to do so, with no real end in sight. You need to ensure you have a way to lock down any unattended devices, and that you have policies in place to ensure that internal hardware is properly locked-down.
Do your workers ever leave their smartphones or tablets unattended? Are your workstations configured to immediately switch to the login screen after an extended period of inactivity? What sort of enterprise mobility management solution do you have in place to lock-down remote devices?
Issues With Insurance
You’ve probably got some form of insurance in place to protect your organization against malpractice and HIPAA violations. However, does that insurance provide coverage against cyber incidents? Does it protect your organization against the consequences of cyber attacks or data leaks?
If not, it’s imperative that you perform a risk assessment across your organization with the help of a third-party cybersecurity expert. Figure out your primary areas of risk, and ensure you’re covered against all the possible damages you might accrue.
Bad Business Associates
It’s important to remember that HIPAA doesn’t just apply to your organization – it also applies to everyone you do business with.
Make sure any vendor you work with has read their business associate agreement thoroughly. More importantly, understand that there’s no such thing as being designated HIPAA-compliant or certified. A vendor can go through an audit, they can have HIPAA-compliant infrastructure or practices, but it’s not like there’s some sort of document they can hold up to prospective clients.
The surest sign that a vendor is worth working with – that they actually take compliance seriously – is that they’re willing to sign your BAA.
Social Media Slip-Ups
Last but certainly not least, if you’re using social media to promote your healthcare organization in any way, you need to make sure everyone within your organization is schooled on the ins and outs of HIPAA. That includes everyone from your nurses to your marketing department. More than once, I’ve seen a care provider inadvertently (and unknowingly) flirt with noncompliance by posting a photo to Instagram, or a hospital staff member violate healthcare regulations via a quick selfie.
You can’t go into social haphazardly. You need to treat it the same as you would any other communication channel – if not even more stringently, as it’s nigh impossible to remove a post from the web once it’s been put online. Ensure you review every single social post before it goes live, and don’t share PHI through mediums like Facebook messages.
Bridge The Gaps In Your HIPAA Awareness
At the end of the day, HIPAA is about doing everything in your power to safeguard the personal information of your patients. Given how extensive can be, it’s easy to slip up without even realizing it. What we’ve laid out here are some of the most common blunders – but this list is by no means extensive.
The best thing you can really do is study and understand HIPAA guidelines, ensuring that you work exclusively with covered entities and business associates who are themselves schooled in compliance. Liberty Center One is one such associate – we have a long history of working with healthcare agencies, and we know exactly what it takes to stay compliant. Contact us today to see what we can do for you.