HIPAA

86% of Practices Miss This Crucial HIPAA Requirement
Best Practices, HIPAA

HIPAA Audits are Back: 86% of Practices Miss This Crucial Requirement (And How to Fix It)

May 29, 2024 Comments Off on HIPAA Audits are Back: 86% of Practices Miss This Crucial Requirement (And How to Fix It)

May 29, 2024 The random HIPAA audits are officially back. Melanie Fontes Rainer, Director of the Office for Civil Rights (OCR), confirmed in a recent interview that the OCR is proactively conducting audits as part of a series of improvements.  Following a five-year hiatus from proactive audits, the Office for Civil Rights (OCR) has been updating key HIPAA regulations. For instance, the OCR is also releasing an updated Security Rule by the end of the year to better reflect innovation since its original publication over twenty years ago.  As the OCR continues to advance HIPAA rules, it’s vital to be prepared with a foundation of a compliant practice.  At the base of this foundation is the Security Risk Analysis (SRA), a commonly missing HIPAA requirement. During the last round of proactive audits, 86% of Covered Entities could not show a properly documented SRA for their practice.  What is a Security Risk Analysis (SRA)?  The OCR defines an SRA as “an accurate and thorough assessment of potential risks and vulnerabilities to confidentiality, integrity, and availability of electronic Protected Health Information (ePHI).” The SRA is focused on protecting ePHI. It is a continuous requirement and needs to be updated when significant changes occur to your practice. It’s best practice to complete the SRA at least annually.  An SRA is a complete evaluation of how PHI is protected. Questions include encryption practices, staff training, disposal of PHI, and more.  Why is the SRA Important?  The SRA documents proof that a practice has appropriate safeguards to protect sensitive patient data. It requires practices to conduct self-audits and identify risks and vulnerabilities before they become issues. This means anticipating vulnerabilities and implementing preventative measures before sensitive data is compromised. If followed correctly, the SRA acts as a vital line of defense, helping prevent data breaches, ensuring patient privacy, and building trust within the healthcare system.  How do I complete an SRA?  Completing an SRA is crucial for protecting sensitive patient data. The good news is that several approaches are available, each with varying costs and timelines. Before starting an SRA, it is essential to have an HCO, or HIPAA Compliance Officer, in place to manage HIPAA documentation and the SRA process.  You can complete the SRA internally using online resources provided by the OCR. While there are free resources, this option is less intuitive than others, can be time-intensive, and requires significant team effort. Manual audits can take weeks to months to complete.  You could also hire an external auditor or consultant to complete your SRA. Hiring a consultant might reduce the burden on your team but can be costly. The average price of an external auditor is in the thousands, with some costing upwards of $20,000. Additionally, these external audits can take months.  An alternative option is intelligent compliance software, which provides significant benefits for meeting the SRA requirement and more. It allows you and your practice to navigate the SRA cost-effectively and efficiently. While a manual audit usually takes weeks to months, an audit assisted by software can be completed in significantly less time, simplifying the SRA process, and saving your practice substantial costs and assuring protection.   Why Should I Use Compliance Software? As the Security Rule is updated, your compliance program also deserves an upgrade.  Intelligent software solutions can help you easily fulfill complex HIPAA requirements, prepare for potential risks and vulnerabilities, and protect patient data. Many organizations overlook the SRA, but software solutions can streamline the process and protect your practice. To learn more about Abyde’s innovative software solutions, schedule an educational consultation.  

Your Biggest HIPAA Vulnerability
Best Practices, HIPAA

Why Improper Documentation Can Be Your Biggest HIPAA Vulnerability

May 23, 2024 Comments Off on Why Improper Documentation Can Be Your Biggest HIPAA Vulnerability

May 23, 2024 Secure documentation is essential in any industry. However, in healthcare, there’s even more on the line. Ensuring HIPAA compliance with proper patient data care is crucial. Let’s explore how it works. Required Documentation for HIPAA HIPAA requires Covered Entities (CEs) and Business Associates (BAs) to document how they manage Protected Health Information (PHI).  Your organization needs to document its compliance process to be HIPAA compliant. This process includes your initial Security Risk Analysis, identifying risks and vulnerabilities, completing training, and any partnerships your organization might have with BAs. Under the Breach Notification Rule, any breach must be documented and reported, and affected patients must be notified. Written proof is required that your organization takes appropriate measures to protect patient data, especially when dealing with PHI. Additionally, your practice’s policies and procedures must be easily accessible and personalized for your location. Personalized documentation of policies, like a Disaster Recovery Plan, details the best course of action for your employees and their roles if a situation arises.  What Happens if Documentation isn’t in Place? When documentation isn’t in place, it can lead to fines.  Proper documentation is crucial for HIPAA compliance. HIPAA mandates personalized documentation of your practice’s compliance program, which identifies your practice and shows that appropriate measures are in place to secure PHI. The Business Associate Agreement (BAA) is a legally binding contract required for Covered Entities to establish with their Business Associates. The BAA outlines each party’s responsibilities for securing PHI. This documentation is vital for ensuring compliance with HIPAA regulations and identifying duties in the relationship. Many organizations have faced fines for neglecting this essential documentation. For instance, the Center for Children’s Digestive Health was fined $31,000 for lacking a BAA.  While thorough documentation practices are essential, many practices using manual methods often fall short, leading to HIPAA violations. At the latest HIPAA Summit, the OCR stated that some of the most common recurring HIPAA violations include incorrect documentation, especially missing BAAs. It’s a simple task to ensure accountability, but it’s necessary.  How Intelligent Software Solutions Can Help Documentation is essential but can be overwhelming. Compliance software simplifies the process, saving countless hours and protecting your practice. Innovative cloud-based solutions enable you to auto-generate and manage your policies and procedures quickly. You can create your documentation dynamically in seconds, ensuring your practice has the most up-to-date documentation. BAAs, a commonly overlooked document, can also be managed within software. Drafting the agreement and sending the documentation through the software simplifies the process.  To learn more about how Abyde can streamline and simplify your HIPAA compliance, please schedule an educational consultation.

Top Five Reasons Why You Need Compliance Software
Best Practices, HIPAA

Top Five Reasons Why You Need Compliance Software For Your Organization

May 21, 2024 Comments Off on Top Five Reasons Why You Need Compliance Software For Your Organization

May 21, 2024 As a healthcare provider, staying updated on evolving regulations is crucial to protecting your practice, its reputation, and its patients. But complying with regulations can be daunting; even the most diligent teams face challenges. In light of the recent Change Healthcare Breach, it’s more important than ever for practices of all sizes to reevaluate their compliance approach.  This is where automated compliance software provides an excellent solution to streamline, simplify, and secure the process. This blog post explores the benefits of intelligent software compliance programs for protecting your practice in place of manual compliance efforts and how software can help you succeed.  Top Five Reasons Why You Need Compliance Software  1: Automate Tasks & Reduce Manual Work An average manual HIPAA audit can take anywhere from several hours to several months to complete. When patient care is the focus, this is wasted time. Intelligent, user-friendly software assists practices in understanding the process and managing their time efficiently. With algorithms running the program, employees can dedicate more time to patient care, optimize workflow, efficiently schedule appointments, and reduce wait times. 2: Avoid Fines with Compliance Software The average cost of a HIPAA fine in 2023 was $321,269.  In comparison, investing in software is much less expensive than a potential fine, saving practices hundreds of thousands of dollars with preventative measures.  Ensuring ongoing compliance is the key. Software simplifies necessary processes to ensure compliance, potentially reducing common infractions that result in fines and penalties. 3: Effectively Manage Risk  HIPAA is highly detailed and demanding, requiring practices to maintain meticulously documented and ongoing compliance programs.  With centralized documentation, integrated Security Risk Analysis (SRA), and automated ongoing risk monitoring, risk can be mitigated. Software can dynamically generate policies and reporting, streamlining cumbersome processes. With thorough reporting, organizations can make informed decisions and proactively identify gaps. Stronger risk management protects practices against threats to their reputation, finances, and operations.  4: Develop a Thorough Understanding of Compliance  Understanding the regulations is essential for maintaining HIPAA compliance. Access to comprehensive training and up-to-date resources to ensure compliance is another advantage of software solutions.  Regular training establishes a foundation for your organization to foster a culture of compliance. Software companies also provide dedicated support teams to assist your practice with questions. 5: Stay Ahead of Regulations  The Office for Civil Rights is always improving and updating HIPAA rules to keep up with the latest technology and practices. Melanie Fontes Rainer, the director of the OCR, recently discussed the HIPAA Security Rule, stating that HIPAA is technology-neutral and scalable, but it doesn’t reflect how we receive healthcare today. This is particularly important considering the OCR has recently issued new HIPAA and online tracking guidelines. As technology advances, so does regulation. Changes in regulations are challenging to keep up with. Alternatively, software is regularly updated to align with compliance changes, simplifying reviews of the evolving healthcare landscape. You can minimize risk and stay compliant by receiving the latest HIPAA updates from your software provider. How Abyde can help Manually managing HIPAA compliance can be risky and error-prone, leaving your practice exposed. Instead, you can easily navigate requirements and safeguard your practice while saving significant hours and costs. All while promoting a culture of compliance through staff education on regulations and requirements, it’s all possible with software by Abyde. To learn more about ensuring your practice is compliant, email info@abyde.com and schedule an educational consultation.

HIPAA for Small Medical Practices
HIPAA

How Your Small Medical Practice Can Thrive with the Help of Automated Compliance

May 10, 2024 Comments Off on How Your Small Medical Practice Can Thrive with the Help of Automated Compliance

May 10, 2024 We’re celebrating National Small Business Day by highlighting some of the hardest-working individuals in the industry who serve patients day in and day out. Small medical practices account for a significant portion of the healthcare system, with over half of physicians working in practices with ten or fewer doctors. Additionally, many physicians own their practices, with 44% being self-employed.  Running your small medical practice comes with great benefits but unique challenges. Read more as we discuss the common hurdles and how intelligent software-based compliance solutions work for your small practice.  Small Practice Challenges: Cost Small medical practices operate with fewer resources. Cash flow and high costs are common dilemmas for small medical practices compared to hospitals. With fewer resources, small practices can be more vulnerable when challenges arise.  For instance, as seen with the Change Healthcare breach, over 78% of surveyed small medical practices cited facing difficulties, with 31% unable to run payroll.  While navigating high operating costs, the annual average ranges from $600,000 to $800,000, finding affordable yet effective resources is imperative.  Small Practice Challenges: Administrative Burdens Administrative work can significantly impact the success of a practice. Time is valuable, especially when the office staff is a few people wearing many hats. Without the right tools, administrative tasks take a significant portion of a healthcare employee’s day. For instance, the average doctor spends almost 10 hours weekly completing clerical tasks, or roughly one-fifth of working hours.  Maintaining complex and time-consuming HIPAA and OSHA compliance are examples of such tasks. Having comprehensive compliance programs is vital to being compliant. Without an automated solution, some administrative tasks include writing thorough policies and procedures, manually tracking staff training, and maintaining organized compliance documentation.  Small Practice Challenges: Burnout Burnout is a common experience in healthcare. More than 90% of doctors have felt the impact of burnout. Juggling a demanding healthcare role with the responsibilities of running the practice itself can take a significant toll if not managed correctly.  Administrative tasks contribute to this stress, with 64% of doctors noting clerical requirements as a significant stressor. HIPAA and OSHA compliance can be overwhelming, and the consequences can be severe. When fines can cost your small practice millions of dollars, finding a solution to alleviate compliance stress is essential.  How Abyde Can Help Running a small medical practice can be difficult, but it is a testament to your dedication to your patients.  Abyde understands that you want to spend more time with your patients, and automating HIPAA and OSHA compliance is a path to that goal. Our automated,cloud-based compliance software is for healthcare professionals like you seeking a secure and simplified approach to managing compliance. With Abyde’s easy-to-use solutions, your practice can save time and money, mitigate risk, and ensure you are always up to speed with the latest compliance requirements.  To learn more about Abyde’s solutions, email info@abyde.com or schedule an educational consultation with one of our experts here. 

UnitedHealth Group in the Hot Seat
Cybersecurity, HIPAA

UnitedHealth Group in the Hot Seat: All Eyes on the Change Healthcare Breach

May 1, 2024 Comments Off on UnitedHealth Group in the Hot Seat: All Eyes on the Change Healthcare Breach

May 1, 2024 Over the last several months, your friends at Abyde have kept you updated on the latest in the Change Healthcare Breach.  Since February 21st, this breach has held the healthcare industry captive, likely the most significant healthcare data breach in the United States ever.  Change Healthcare, nestled under the UnitedHealth Group umbrella, processes about 50% of U.S. medical claims, is still picking up the pieces. If you work in healthcare, you feel the sting of the attack. Almost all hospitals reported financial damages because of the attack.  So, how did we get here?  You’re getting answers, as CEO of UnitedHealth Group, Andrew Witty, is set to testify in front of two congressional panels today.  Don’t worry, we’re not going in blind! While Witty might be on center stage today, a written testimony has already been released. Stay tuned because we’re decoding this testimony and answering your burning questions.  Pack your bags! We’re taking a quick trip to the Capitol! Party Crashers This compliance catastrophe began on February 21st, with the BlackCat hacking group infecting Change Healthcare’s systems with ransomware.  However, the team of malicious hackers had been plotting for over a week, being in Change Healthcare’s systems for nine days before the attack.  How did they get in?  It wasn’t a Mission Impossible stunt, avoiding lasers and jumping between buildings, but a simple case of compromised credentials.  Using a stolen login, the black-hat hackers could log into a Change Healthcare application portal and remotely access desktops. This portal didn’t have a standard security protocol: multi-factor authentication. Multi-factor authentication (MFA), like a code sent to your phone before logging in, is a typical security standard for protecting sensitive data. Implementing technical safeguards, like MFA, falls under the HIPAA Security Rule.  Mopping up the Mess While Change Healthcare is no stranger to hacking attempts – thwarting 450,000 intrusions a year – once the ransomware was identified, Change Healthcare sprung into action. According to Witty, the Change Healthcare team immediately severed connectivity with the data centers to avoid the spread of ransom.  Change Healthcare started from the bottom up, rebuilding the foundation of its technology infrastructure, replacing thousands of laptops, implementing new credentials, and new servers with the help of Tech powerhouses like Amazon and Google.  As of today, the ransomware only impacted Change Healthcare and none of UnitedHealth Group’s other organizations.  Witty also admitted to meeting ransom demands, saying it was one of the toughest decisions he’s ever had to make.  What’s Next?  These uninvited party crashers have put the UnitedHealth Group in hot water. These congressional hearings are just the tip of the iceberg for the medical titan.  Here at Abyde, we’re keeping a close eye on things, and you can bet we’ll keep you in the loop through our blogs and social media on the latest in these hearings.  Want to stay on top of all things compliance? Follow us and watch for our This Week in Compliance series – it’s your one-stop shop for compliance info!

HIPAA Compliant Marketing
Best Practices, HIPAA

Can You Post That?: The Secret to HIPAA Compliant Marketing

April 30, 2024 Comments Off on Can You Post That?: The Secret to HIPAA Compliant Marketing

April 30, 2024 Going viral in healthcare has a much more serious meaning than in marketing. Marketing in healthcare is essential. You want more people to know about your practice.  Like everything, the internet has revolutionized how patients look for a healthcare provider.  The internet is most people’s first introduction to your practice, with 75% of prospective patients first searching online for a healthcare provider.  Marketing and healthcare might seem like oil and water, especially when you throw HIPAA in the mix, but we promise you can do both, just with some rules.  Ready to take your patient engagement to the next level? Here are some tips and tricks when it comes to marketing your practice and being HIPAA compliant.  Tracking Tips One of the most common forms of marketing is online tracking tools.  Have you ever searched for something online and seen an ad on another website? For example, while falling down the rabbit hole of watching cat videos, you go to another site. Suddenly, BAM! Cat toy ads on every other site. While we aren’t complaining about seeing more cute cats, this isn’t a coincidence. It’s just tracking tools at play.  Almost every site you visit is trackable, with 90% of sites online having at least one tracking script installed.  Online tracking tools have been in recent healthcare compliance news, with the OCR releasing new HIPAA-compliant guidance.  Online tracking tiptoes into non-compliant territory, but installing software on suitable sites can be beneficial.  First, when working with a marketing company and installing this tracking software, ensure a Business Associate Agreement (BAA) is signed. A BAA outlines the responsibilities of each party, in this case, your practice and a marketing company, when handling Protected Health Information (PHI). These agreements ensure that both parties are on the same page, are liable, and know the importance of protecting patient data.  First, HIPAA does not apply to unauthenticated public sites like your practice’s homepage. Once patients are logging in, that’s when HIPAA comes into play. The information tracked must be the minimum necessary, and overall, can’t relate to the past, present, or future health, health care, or payment for health care.  Following the proper protocols helps avoid fines and keeps your practice running smoothly. Back in January, the NewYork-Presbyterian Hospital was fined $300,000 due to improper tracking practices.  Social Media Guru We’re not expecting you to become TikTok famous, but social media can be helpful in your practice. 74% of people online use social media, and nearly half have used it to learn more about a doctor or health professional for their care.  A social media page can be like a welcoming front door for patients. So, if you’re using it, make sure it’s HIPAA-compliant and shines a light on your fantastic practice!  When posting on social media, ensure PHI or patients who still need to sign a media consent form are visible.  While we know you might be excited about a patient’s new smile before and after braces, without consent, you might not be so happy with the fines. In Abyde’s software, we feature a media consent form, helping to keep your practice complaint.  Raving Reviews  Now, we’ve all read Google reviews. Whether it be the new Mexican restaurant up the street or your new general practitioner, we rely on others’ experiences when making a decision. Over 70% of patients trust Google reviews when searching for a new healthcare provider.  When responding to reviews, it’s essential to follow the simple rule: less is more. You can reply to reviews; make sure that identifiable information about a patient isn’t shared. For instance, even if it’s a lovely review, sharing a patient’s treatment online is unnecessary.  It’s essential to keep your cool when responding to these messages.  If it is a negative review, take it offline! Offer secure forms of contact for a patient, addressing their needs in a HIPAA-compliant manner. We’ve seen the repercussions of a Google review HIPAA violation. Manasa Health Center LLC was fined $30,000 for sharing PHI online in response to negative reviews. Even if the negative reviews were hurtful, we’re safe to say it probably wasn’t worth that much!  What’s Next?  We all know social media can be a game-changer for your practice, boosting patient numbers and engagement. But with great power comes great responsibility.  That’s where Abyde swoops in – streamlining compliance for your practice. Abyde simplifies compliance, and with features like the intuitive Security Risk Analysis, you’ll have all the tips and tools you need to ensure you’re compliant. So, get back to posting (safely)!  To learn more about compliance for your practice, schedule an educational consultation with one of our experts today! 

The Brief History of HIPAA
HIPAA, Legislation

The Brief History of HIPAA: How We Got Here and Why it Matters

April 29, 2024 Comments Off on The Brief History of HIPAA: How We Got Here and Why it Matters

April 29, 2024 At Abyde, it’s clear that we eat, live, and breathe HIPAA. Let’s take a trip down memory lane as we start this new week.  HIPAA has become a staple in championing patient’s rights, but how did we get here?  Gather your compass and maps because it’s time to set sail on a compliance cruise because we’re exploring the beginnings of HIPAA.  Blast to the Past: The Beginnings of HIPAA  We’re going back in our time machine to the 90s. The digital revolution was starting in a time of grunge and oversized flannels. From trading cassettes for shiny CDs to the sweet, sweet sound of screeching dialup, the 90s were defined by innovation. As we were (slowly) getting connected online, so were Covered Entities (CE). As the internet became more common, so did ePHI, or electronic Protected Health Information. Health information went digital, so it was time for some federal rules. Enter HIPAA!  HIPAA, or the Health Insurance Portability & Accountability Act, was signed into law on August 21, 1996, by Bill Clinton.  HIPAA, or the Kennedy Kassebaum Act, provides the privacy and rights of patients’ data. But hold onto your hats! This was only the beginning of HIPAA legislation.  The Privacy Rule: Keeping it Quiet Coming into effect in April of ’03, the Privacy Rule established the standards to protect the privacy of PHI, limiting how PHI is shared. This rule boils down to sharing the bare minimum information.   In this, the Minimum Necessary standard is put in place. The Privacy Rule requires that only essential and necessary information is shared regarding taking care of a patient. There are some times when this standard doesn’t apply, including:  The Privacy Rule also establishes the Right to Access, giving patients power over their medical records.  This lets patients get their medical records fast!  The Right of Access, under the Privacy Rule, usually requires patients to receive their medical records within 30 days. Some states are even quicker!  The Security Rule: Keeping it Secure Not too long after, the HIPAA Security Rule came into play in April 2005. The Security Rule establishes how the ePHI needs to be protected. This rule sets the standards for all the safeguards to keep patients’ information safe. The categories of safeguards are:  The Breach Notification Rule: Keeping it Transparent Fast forward a few years, and HIPAA throws another punch for patient privacy – the Breach Notification Rule!  This one landed in September 2009; however,  the government was still figuring out the rollout of HIPAA enforcement between the Security and the Breach Notification rules.  Monetary penalty enforcement officially began in 2006, but a significant piece still needed to be added to protecting patient data.  With all this data protection, patients needed to know if something went wrong, right?  That’s where the Breach Notification Rule kicks in. The Breach Notification Rule defines what a small (>500) and significant (<500) breach is and how patients need to be notified when their information is compromised. Patients deserve to understand the scope of what’s going on with their data! The notification should explain the breach, what information was potentially exposed, and how individuals can protect themselves. For the OCR, it all depends on how many people were affected.  So, even though a BA might not be working with a patient, the business still has to keep their PHI under lockdown!  Omnibus Rule: Keeping it Clear Fast forward to 2013. The final HIPAA Omnibus Rule was created to clarify further and strengthen HIPAA regulations. Some of the new updates included:  What’s next?  Over the last 30 years, the HHS has updated best practices under HIPAA, ensuring patient data is appropriately secure as innovations arise.  Some of the latest guidance released includes marketing tracking tips and significant changes to 42 CFR Part 2.  Want to make sure you’re up to date on the latest of all things HIPAA? See the latest on our blog and social media!     

Improper Access of PHI by Staff
Best Practices, Cybersecurity, HIPAA

Compliance Catastrophes: Improper Access of PHI by Staff

April 24, 2024 Comments Off on Compliance Catastrophes: Improper Access of PHI by Staff

April 24, 2024 It’s hump day! As we get through this middle bump of the week, we’re still rolling our series, Compliance Catastrophes; real-ish world examples of nightmare scenarios!  Today, we’re looking at you, healthcare workers and Business Associates! We know you do amazing work when taking care of patients, but keeping data secure is a part of building an awesome practice or business environment.  When given the keys to keep Protected Health Information (PHI) safe, it doesn’t mean to open the treasure chest of data! When working in this field, you’re around a lot of sensitive information, and it’s vital to uphold your commitment to patients by keeping it confidential!  We know it’s not all healthcare workers or their associates, but more people break this rule than you’d expect.  We’re getting scientific! There was a recent study that highlighted over 400 employees inappropriately accessing PHI at a hospital, and many only stopped accessing unauthorized PHI due to being warned they were caught by email.   It shouldn’t take being caught to change bad behavior! You know the drill – improperly accessing PHI is a breach of trust.  But just to be safe, let’s see an example of what you should not do. Now, joining us today, you guessed it, is our unlucky friend, Catastrophe Cathy.  PHI Peeking Cathy was at the front desk when a familiar face showed up for an appointment. An old friend from high school that she hasn’t seen in years!  They chat for a little bit, and Cathy can’t help but wonder what brought this friend in.  When she’s closing up, she can’t ignore the voice in the back of her head to go look. She falls for the temptation and searches for her friend’s medical information, curious about what brought her old friend into the practice.  As she’s reading about her old friend, another employee notices what she’s doing. Cathy is embarrassed and ashamed, as well as she should be! She was breaching her old friend’s PHI. That information is strictly confidential, no matter how close they used to be.  Real Life: Real FinesYou might think that a situation like this could never happen to you, but it happens often and there are severe consequences.  Last year, the OCR fined Yakima Valley Memorial Hospital in Washington State due to some snooping security guards. Curiosity didn’t kill the cat, but did leave it with a hefty fine! Over 400 patients’ records were looked at and the hospital was charged with a pretty expensive bill: $240,000!  To avoid snooping breaches, make sure all staff are properly trained on their roles and responsibilities. Access controls need to be monitored often, ensuring staff only have access to what pertains to their role. Additionally, make sure logs are reviewed, keeping your eyes open for any suspicious activity.   We all deserve our health information to be secure, and healthcare workers and business associates are at the front lines of keeping it confidential. To learn more about common compliance catastrophes, email us at info@abyde.com and stay tuned for the next in our series on our social media! 

HIPAA Compliance Stolen Devices
Business Associates, Cybersecurity, HIPAA

Compliance Catastrophes: Stolen Devices

April 23, 2024 Comments Off on Compliance Catastrophes: Stolen Devices

April 23, 2024 Welcome back to another blog on Compliance Catastrophes: real-ish world examples of nightmare scenarios! We’re going through the most common reasons for data breaches in healthcare and how your practice or business can stay safe.  Stolen devices in the workplace are one of the main reasons for a breach. According to the OCR, theft accounts for nearly 20% of large breaches (five hundred or more patients affected) over the past ten years.  A stolen device can quickly spiral into a HIPAA nightmare. That’s why devices need top-notch security for the safety of Electronic Protected Health Information (ePHI).  No question, ePHI needs protection. That’s why I’m here to remind you: when you have a device with it, stay alert!  Now, let’s see what happens when someone slips up and neglects their device protection responsibilities.  Let me reintroduce our friend, Compliance Cathy, she’s having a tough week!  Dinner with a Side of Disaster After a long day at the practice, Cathy was ready to get home and see her friends for dinner. When Cathy was at the restaurant, she left her computer bag on her passenger seat, being way more focused on the meal she was going to devour. While her steak was a perfect medium rare, the situation outside was a recipe for disaster!  When Cathy got outside, her night was spoiled. Her car was broken into! She realized immediately what went wrong. Her work laptop was stolen. The worst part, her computer was unencrypted, meaning the thief had easy access to patients’ PHI at the practice!  Device Safety 101  First, if you don’t have to bring home your work laptop, don’t! There’s less liability if the device is stored properly at work.  Even if you leave it at work, make sure it is secure at all times. For instance, at your practice or business, make sure the doors are locked when no one is at work and proper security is installed, like alarms and cameras.  Next, ensure all devices with PHI are properly encrypted. Encryption means sensitive data is unreadable for anyone except those authorized to view the information. Additionally, make sure strong password policies are in place. No more Password 123! Your friends at Abyde recommend that passwords must be at least 8 characters, including a number, an uppercase letter, a lowercase letter, and a symbol. Finally, make sure remote deletion is set up for all devices that have PHI, allowing you to use another device to wipe the stolen or lost device clean.  Keeping it Real Stolen devices are a common compliance catastrophe, and the OCR has enforced fines for non-compliant practices.  Don’t believe us? Here’s a real-life example of a stolen device catastrophe. In 2020, Lifespan ACE, a Rhode Island healthcare system, was fined over a million dollars when an employee’s car was broken into and an encrypted laptop was stolen. We’re not just making this stuff up! If you find yourself in a situation like Cathy’s, immediately alert the authorities of the theft. Contact your workplace and IT department, following company procedures.  See if your practice has remote deletion in place, wiping the stolen device. Your IT partner will likely handle all remote deletion and encryption of sensitive data. Some companies provide these services specifically for healthcare. We’re more than happy to point you in the right direction when it comes to your compliance journey, so just reach out if you’re looking for the right services for your practice or business.  Of course, ensure this breach is logged into your Abyde software and reported to the OCR.  With the right protocols, you can prevent and mitigate a stolen device.  While Cathy’s filet mignon dreams were burnt to a crisp, that doesn’t have to happen to you. To learn more about device safety, email us at info@abyde.com and follow us on social media for the latest news! 

Are you prepared to navigate a HIPAA compliance audit? Join experts for a live webinar with real audit scenarios and outcomes.

REGISTER TODAY
X