There are several things a healthcare covered entity or business associate needs to do to avoid HIPAA fines and the possibility of being listed on the wall of shame, but the immediate need is to perform a thorough risk assessment. That usually means having a third party perform a credible risk assessment that includes privacy, security and technology assessments.
Unless your organization has conducted a thorough risk assessment in the last 12 months and taken action to address the issues it found, you’re playing with fire, and it’s probably very hot.
The threat of a cyber breach is much larger and more imminent than you can imagine. The head of the FBI has said there are only two kinds of companies, those that have been breached and those that don’t know they have been breached.
The first step is to perform a risk assessment that includes privacy, security and technology assessments. The security and technology assessments need to be executed by a knowledgeable person who is independent of your IT staff or MSP. The assessment needs to identify the ePHI and every place it is stored, transmitted and accessed.
Questions to ask and address:
- What types of sensitive data does your organization store, use, or transmit? For healthcare, this is ePHI.
- Who should have access to ePHI?
- Who has access to ePHI?
- Why are they using ePHI (do they actually need access to it)?
- What devices do they use to access or store it?
- Where are they using it?
- When are they using it?
- Is the data encrypted when it is stored and transmitted?
- How is access to ePHI controlled?
- Who controls access to ePHI?
- Is ePHI allowed to be transmitted outside the practice?
  - If so, why?
  - How?
Don’t forget that you must document how you’re going to secure your ePHI.
- Inventory your entire network, including network devices, laptops, workstations, mobile devices, servers, storage devices, fax machines, copiers, all-in-ones and digitally connected medical devices.
- Do you have policies and procedures that address how you handle and secure your ePHI?
Once you have an inventory of your computer systems and knowledge of your ePHI access points and storage locations, you can begin to work on a security strategy to protect your ePHI.
It’s not easy, but with the right help and guidance you can significantly improve your HIPAA compliance, reduce the threat of cyber breaches and hopefully avoid the wall of shame.
To check your level of HIPAA compliance against the current requirements, take the HIPAA quick-check; it’s free and only takes a few minutes.