Shortlist of Questions to ask yourself to see if you need assistance with HIPAA Compliance and Security.
- Do you have a designated security officer?
- Do you have documented designated tasks for the security officer?
- Has the security officer done the additional training?
- Have you documented your Business Associates?
- Have you verified your Business Associates are contracted and compliant?
- Have you done a Risk Analysis?
- Do you have evidence of compliance?
- Are any drives or files encrypted?
- Do you have a file scan report?
- Have you done the general HIPAA training for everyone?
- Do you have copies of the training certificates?
- Do you have copies of implemented HIPAA policies and procedures?
- Do you have a Disaster Recovery plan for physical, administrative, and technical applications?
- Do you have a business continuity plan?
Some basic explanations of the questions you need to ask yourself to see if you need assistance with HIPAA Compliance and Security.
- Do you have an annual Risk Analysis Report (your risk analysis should identify the likelihood, impact, and risk for specific threats, such as lost or stolen devices, computer viruses (malware), and malicious insiders, as well as natural and environmental threats)?
- Do you have an annual Remediation Report (your risk analysis should identify the specific safeguards to reduce the risks of those threats, such as encryption for a lost/stolen device, or maintaining software with the latest security patches against malware (computer viruses))?
- Do you have HIPAA Security Policies (You should have policies and procedures that cover the 18 standards and 36 implementation specifications in the HIPAA Security Rule, such as Encryption, Protection from Malicious Software, Log-in Monitoring, etc.)?
- Are your Guides, Templates, and Toolkits completed (fines have been given for using template policies that are not followed)?
- Missing Documents Referenced in Policies (if you have not created all of the documents referenced in your policies, such as a Risk Management Plan, you may not be complying with your own written policies and may be at risk for higher “willful neglect” HIPAA penalties)?
- No Policies for Addressable Implementation Standards (if your policy templates require you to analyze “addressable” policies, you may not have a policy in place if you have not documented what is reasonable for your practice. Addressable does not mean optional)?
- Implementation (identifying a threat in your risk analysis without a plan to implement safeguards to mitigate the risk can lead to heavy fines – you must have an Implementation Plan)?
- No Documentation of HIPAA Activities (if it isn’t documented, it didn’t happen. Record dates, personnel who performed or verified, and other applicable details when safeguards are implemented)?
- Ongoing Compliance Not Reviewed (you need documentation of ongoing compliance, such as when the software is updated with the latest security patch, review of audit logs, verifying that termination procedures were followed, etc.)?
- New Technology or Operations Not Evaluated (you need to assess new technology or operations, such as upgrading your EHR for Stage 2 Meaningful Use or beginning a social media program for your practice, and implement the appropriate safeguards to comply with the HIPAA Security Rule)?
What are the consequences of not complying?
If there is a significant breach at the practice:
- HIPAA fines of up to $1,500,000 per incident
- Fines and lawsuits are possible from several other government agencies, such as the FBI and the State Attorney’s Office, to start with.
- A 93% chance of going out of business within two years according to the Small Business Agency.
If there are just fines for HIPAA violations (see examples below):
- $150,000 HIPAA Fine (“…failing to identify and address basic risks, such as not regularly updating their IT resources and available patches and running outdated, unsupported software”)
- $1,975,220 Fine (“…previously recognized in multiple risk analyses that a lack of encryption… was a critical risk”)
- $1.44 Million Dollar Verdict (“Indiana Court of Appeals upheld a $1.4 million verdict against Walgreens Co. and one of its pharmacists who shared confidential medical information about a client that had once dated her husband”)
What are the initial steps to get started?
The HIPAA auditor from Health and Human Services will need to see documented proof that the practice is doing its best to comply. Providing an auditor with evidence that the following four things have been done increases the odds of passing the HIPAA audit.
- Identify who’s in charge
- Perform a risk analysis
- Develop and document policies and procedures
- Create a Mitigation plan
5 ways to avoid health data breaches
- Conduct an annual HIPAA security risk analysis
- Inoculate yourself by encrypting data-at-rest
- Conduct more frequent vulnerability assessments and penetration testing.
- Invest in security awareness of your workforce
- Engage with your business associates
What is ransomware?
Fundamentally, ransomware is “a type of malicious software designed to block access to a computer system until a sum of money is paid.” Typically, two types of ransomware may be deployed – lock screen or encryption. A lock screen attack is identified by a message popping up on the computer screen, which prevents the user from either using the PC or accessing files. An encryption attack occurs when the files are encrypted and become inaccessible.
Is a Ransomware attack considered a HIPAA breach?
OCR says a ransomware attack usually triggers the HIPAA breach notification rule.