The feds are serious about enforcing the HIPAA Privacy rule. When physicians and health care professionals use mobile devices, they trigger HIPAA and can expose their organization to deep trouble and heavy fines unless they are careful.
For example, Becker’s Health IT & CIO Review chronicles 15 of the most expensive “settlements” (fines, really) imposed on health care organizations for patient health record data breaches during the past few years.
One-third involved storage devices
Five of the 15 involved lost or stolen storage devices holding unprotected personal health information. Stanford Hospital & Clinics in California led the unfortunate group by compromising more than a million patient records when two unencrypted laptops were stolen.
Stanford paid $3 million for that breach, on top of a separate $4 million settlement after investigators found 20,000 patient records posted online. The other four instances similarly involved thefts of laptops and hard drives, costing each organization an average of $1.5 million.
Perhaps the most embarrassing breach involved a New York health insurer that had to fork over $1.2 million. It returned its leased photocopiers without wiping the internal hard drives, which still held health record data for more than 344,000 individuals.
What the HIPAA Security rule requires
Yes, the HIPAA Security Rule permits health care providers to store patient information electronically and to communicate electronically with their patients. In return, it requires them to apply “appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information,” to wit:
Administrative protocols include:
- having a process and procedure in place to react to security breaches
- doing a periodic risk assessment for mobile device usage
- establishing safeguards to prevent unauthorized alteration or destruction of electronic health records
- putting a training program in place so that everyone knows how to securely access and properly use mobile devices
- educating everyone involved on the consequences of HIPAA violations, including the heavy fines involved
Physical protection includes:
- keeping mobile devices inventoried and accounted for
- locking mobile devices away when not in use
- attaching electronic tags to locate missing mobile devices
- shutting down or locking mobile devices remotely
Technical safeguards include:
- installing anti-virus software on all mobile devices
- instituting firewall protection
- encrypting electronic protected health information (ePHI), both stored on the device and in transit; under HHS breach-notification guidance, a lost or stolen device whose ePHI is encrypted to NIST standards generally does not count as a reportable breach, which is the protection the organizations above did not have
- relying on off-site data centers for backup and disaster recovery
- restricting access through strong authentication, such as biometrics or a device passcode
- making sure mobile devices reach back-end systems only over the same kind of encrypted connections (TLS) that banks and financial institutions use
Mobile storage devices, unlike filing cabinets full of paper records, are easy to lose or steal in bulk. Under HIPAA, health care managers are accountable for what their employees do with those devices, even away from the workplace. When breaches happen, they can compromise millions of records and cost the organization millions of dollars.
Want to stay ahead of HIPAA?
Alvarez Technology Group is the trusted choice for staying on top of HIPAA compliance. For the latest information and technology tips, tricks, and news in Salinas, contact us at (831) 753-7677 or send us an email at [email protected] for more information.