7 Ways You Could be Unknowingly Violating HIPAA
Non-compliance with HIPAA can easily lead to unintended breaches where data is exposed to unauthorized parties. This can be very expensive! The cost of a breach depends on your degree of negligence; it ranges from $100 to $50,000 per violation (or per data record).
You don’t want to be caught in a situation where inaction, neglect, or lack of knowledge can result in unintended breaches. Many small and large organizations are often unknowingly using systems in a way that is either already in breach or which results in frequent sporadic breaches.
Check your organization!
If any of the following scenarios apply to you, it is worth bringing them up with the person responsible for compliance (your HIPAA Security Officer) so they can be included in your mandatory yearly Risk Analysis. Is the risk of a breach worth continuing with “business as usual”?
1. “Opt In” Email Encryption
Hopefully, by now most people know that Electronic Protected Health Information (ePHI) and email don’t mix unless you have a HIPAA-compliant email provider who has signed a Business Associate Agreement with your organization. However, in our experience, most HIPAA-compliant email security is Opt In. With Opt In email, messages are sent insecurely unless the sender explicitly designates that one needs encryption (e.g. by checking a box or entering a word such as “secure” in the message subject).
These Opt In systems are popular because (a) messages are HIPAA-compliant when encryption is chosen, and (b) when not sending ePHI, it is “email as usual.” People are not required to change or think about it … they just use email as they always have.
This is the fatal flaw with Opt In systems. If the sender simply “forgets” (or doesn’t think, or maybe can’t be bothered) to enable encryption, then the ePHI-laden message is sent insecurely in breach of HIPAA. This happens all the time with Opt In systems.
When it is up to a person to choose for every message whether encryption is needed, it is guaranteed that sometimes the wrong choice will be made or the person will forget to choose — ePHI will go out insecurely in breach of HIPAA. It’s human nature.
Even data loss prevention systems, which automatically encrypt when a message has specific words, phrases, or patterns, are imperfect and cannot be relied on to catch all messages with ePHI.
The risk of using Opt In encryption is simply too great. It is much better either to encrypt everything that is sent from an email address that sends or receives ePHI (e.g. have one email address for sensitive material and a separate one for regular correspondence) or to employ an Opt Out mechanism. With Opt Out, all messages go securely unless the sender explicitly indicates that the message does not contain ePHI.
When it is up to the sender to explicitly choose if a message is allowed to be insecure, it is very much harder to send ePHI insecurely “by accident.” The senders are automatically accountable for the security, or lack thereof, of messages sent.
Opt Out encryption prevents breaches through inaction and creates accountability on the part of the sender.
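The difference between the two policies is a fail-open versus fail-closed design, and it is easiest to see on concrete traffic. The following is an added illustration, not LuxSci’s code or any vendor’s gateway logic: it models an Opt In gateway (encrypt only when the subject is tagged or a DLP pattern fires) beside an Opt Out gateway (encrypt unless the sender tags the message as insecure, and even then encrypt if DLP fires), runs both over a handful of constructed messages, and counts how many ePHI messages each would have sent in the clear. The tag strings, the DLP patterns and the sample messages are all hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Message:
    subject: str
    body: str
    contains_ephi: bool  # ground truth, used only to score the policies; a real gateway never knows this


# Constructed sample traffic for the demo. Message 2 is the classic case: an
# appointment reminder with no tag and nothing a pattern matcher would catch.
SAMPLE_MESSAGES: List[Message] = [
    Message("[secure] Lab results for J. Doe", "Attached are the results we discussed.", True),
    Message("Re: your appointment", "Your appointment with Dr. Smith is Tuesday at 3pm.", True),
    Message("Follow-up", "Patient MRN 4481 needs a refill of lisinopril.", True),
    Message("[insecure] Lunch on Friday?", "Tacos?", False),
    Message("Office closed Monday", "The office is closed for the holiday.", False),
]

# Hypothetical DLP rules: a US SSN shape and a medical record number.
# Deliberately narrow, to show that pattern matching alone is not enough.
DLP_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    re.compile(r"\bMRN[:#]?\s*\d+\b", re.IGNORECASE),
]

SECURE_TAG = "[secure]"      # Opt In: sender must add this to get encryption
INSECURE_TAG = "[insecure]"  # Opt Out: sender must add this to skip encryption


def dlp_flags(msg: Message) -> bool:
    """True if any DLP pattern matches the subject or body."""
    text = f"{msg.subject}\n{msg.body}"
    return any(p.search(text) for p in DLP_PATTERNS)


def opt_in_encrypt(msg: Message) -> bool:
    """Fail-open: plain text unless the sender tagged it or DLP caught it."""
    return SECURE_TAG in msg.subject.lower() or dlp_flags(msg)


def opt_out_encrypt(msg: Message) -> bool:
    """Fail-closed: encrypted unless the sender explicitly opted out,
    and DLP still overrides an opt-out that looks wrong."""
    opted_out = INSECURE_TAG in msg.subject.lower()
    return (not opted_out) or dlp_flags(msg)


def evaluate(policy: Callable[[Message], bool], messages: List[Message]) -> Tuple[int, int]:
    """Return (ePHI messages sent in the clear, non-ePHI messages encrypted anyway)."""
    leaks = sum(1 for m in messages if m.contains_ephi and not policy(m))
    over_encrypted = sum(1 for m in messages if not m.contains_ephi and policy(m))
    return leaks, over_encrypted


if __name__ == "__main__":
    for name, policy in (("opt-in", opt_in_encrypt), ("opt-out", opt_out_encrypt)):
        leaks, extra = evaluate(policy, SAMPLE_MESSAGES)
        print(f"{name:8s} ePHI sent in clear: {leaks}  non-ePHI encrypted: {extra}")
```

The cost of the Opt Out policy is one harmless message encrypted that did not need to be; the cost of the Opt In policy is an untagged appointment reminder containing ePHI leaving in plain text, which is exactly the failure mode this section describes.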
2. Sending Text Messages
Medical professionals (e.g. doctors, nurses, psychologists, therapists, dentists, etc.) frequently text each other and even text patients (e.g. for scheduling appointments). Texting is easy and patients like to communicate via text. However, many of these text messages (even scheduling ones) contain ePHI. Sending them using your regular phone texting system is in violation of HIPAA. This has to stop.
It would seem that many people do not yet realize that texting falls under the same HIPAA security rules as email and that sending regular texts cannot be compliant (for details, see: Can text messaging be HIPAA-compliant?). Continuing to send ePHI over text constitutes willful neglect of HIPAA and can result in the largest of fines.
Instead, if you want to use a text-like real-time communication system, you need to use a HIPAA-compliant SecureChat application for your mobile devices. This must provide, among other things, strong encryption, audit trails, archival, and a Business Associate Agreement.
3. Email and Text Appointment Notifications
If your office sends email or text messages indicating that a patient has a doctor’s appointment, this is almost always ePHI. Appointment confirmations are ePHI because they indicate that a particular person (i.e. someone “identifiable” via the patient’s email address, name, or phone number) has an appointment with a specific health care provider (i.e. they give information about the “future provision of health care”).
This information must be sent securely … and too many times it is not. See: HIPAA Compliance is needed for Emailed Appointment Reminders.
If your organization sends electronic appointment reminders, please find a way to deliver these notifications securely to your patients. For example, delivery can be via a tie-in to a HIPAA-compliant email or text messaging system.
4. Insecure Web Intake Forms
Every day we find medical web sites that have web forms for “getting more information,” for general intake, and for other purposes. These form pages are often not encrypted, and the form submissions themselves are not processed in a compliant manner. They are often insecurely emailed to an administrative assistant for processing.
If your web site is requesting and collecting ePHI (e.g. identifiable medical information about an individual), then your web site is required to handle that information with care commensurate with HIPAA standards.
Check out your web site and see what forms you have there, what they collect, and how the information is handled. You may need to update your site to secure your form pages with TLS and to incorporate a secure form processing solution to properly deliver that sensitive data to you. Without this, every form submission may be in breach.
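The “check out your web site” step can be partly automated. What follows is an added example written for this article, not LuxSci’s code: a small auditor built on Python’s standard-library HTML parser that lists every form on a page, flags forms served from or posting to a non-TLS URL, flags forms that submit with GET (field values end up in URLs, server logs, browser history and Referer headers), and points out field names that look like they collect PHI. The page URL, the HTML, and the list of PHI-suggestive field names are all constructed for the demo; a real audit would still have to check what happens to the submission after it is received.

```python
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urljoin, urlsplit

# Hypothetical list of substrings that suggest a field collects PHI.
PHI_HINTS = ("dob", "birth", "diagnosis", "condition", "symptom",
             "medication", "insurance", "ssn", "patient")

# Issue strings returned by audit_forms().
ISSUE_PAGE_NOT_TLS = "page not served over TLS"
ISSUE_ACTION_NOT_TLS = "form action not TLS"
ISSUE_METHOD_GET = "method GET exposes fields in URL"


class FormCollector(HTMLParser):
    """Collect each <form> with its resolved action, method and named fields."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.forms: List[Dict] = []
        self._current: Dict = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {
                # An empty action posts back to the page itself.
                "action": urljoin(self.page_url, a.get("action", "")),
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
        elif tag in ("input", "textarea", "select") and self._current is not None:
            if a.get("type", "").lower() in ("submit", "button", "reset"):
                return
            if a.get("name"):
                self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_forms(page_url: str, html: str) -> List[Dict]:
    """Return one finding per form: its action, PHI-looking fields and issues."""
    collector = FormCollector(page_url)
    collector.feed(html)
    collector.close()
    page_is_tls = urlsplit(page_url).scheme == "https"
    findings = []
    for form in collector.forms:
        issues = []
        if not page_is_tls:
            issues.append(ISSUE_PAGE_NOT_TLS)
        if urlsplit(form["action"]).scheme != "https":
            issues.append(ISSUE_ACTION_NOT_TLS)
        if form["method"] != "post":
            issues.append(ISSUE_METHOD_GET)
        phi_fields = [f for f in form["fields"]
                      if any(h in f.lower() for h in PHI_HINTS)]
        findings.append({"action": form["action"],
                         "likely_phi_fields": phi_fields,
                         "issues": issues})
    return findings


# Constructed sample page: an intake form that gets everything wrong,
# and a newsletter form that is fine apart from the page itself being HTTP.
SAMPLE_PAGE_URL = "http://clinic.example/contact.html"
SAMPLE_HTML = """
<html><body>
<form action="/intake" method="get">
  <input name="full_name"> <input name="email">
  <input name="dob"> <textarea name="current_medications"></textarea>
  <input type="submit" value="Send">
</form>
<form action="https://lists.example/subscribe" method="post">
  <input name="email"> <input type="submit" value="Subscribe">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding["action"], finding["likely_phi_fields"], finding["issues"])
```

Moving the page to HTTPS clears two of the three issues on the intake form, but not the GET submission, and nothing in this scan tells you whether the submission is then emailed in the clear to the front desk; that part of the audit is still manual.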
5. Sharing a Login
Sharing logins and email addresses is easy and cheap. Everyone just knows the shared login and password and logs into the same system. HIPAA, however, requires unique logins for everyone in an organization. HIPAA also requires auditing to indicate when people do what (e.g. who logged in when?). When you are sharing a login, you lose accountability and that can be a direct violation of your HIPAA requirements.
Are you sharing logins? Add that to your HIPAA Risk Assessment to see if it’s worth it. In many cases, there are ways to achieve the same results and still have unique logins for everyone.
6. No Risk Assessments or Training?
This is the situation in many smaller organizations:
- Employees are not trained on HIPAA, how to do their jobs in a compliant way, and how to deal with and report breaches.
- Yearly Risk Assessments are not performed, resulting in no action being taken to mitigate the risk of breach.
These requirements apply even if you are the only person in your business (e.g. a sole practitioner). In this case, you are the “HIPAA Compliance Officer”: you must be sure that you are trained on HIPAA, you must perform your Risk Analysis, and you must be sure that all ePHI under your purview is safe.
If you are neglecting these basics and something goes wrong, your HIPAA fines will be much larger due to apparent “willful neglect.” If you are in this situation, start with a detailed Risk Assessment to see where you stand. Then start mitigating your risks, training your employees, putting policies into place, and working continuously to minimize the possibility of data leakage. HIPAA compliance is an ongoing process, as the security landscape and your business’ processes and vendors change over time.
7. I Took Care of HIPAA Last Year
Smaller companies, especially, tend to make a push to become “HIPAA compliant” and then “forget it,” assuming that they are “all set.” They have limited resources and would rather devote as little time and thought to HIPAA as possible; that is completely understandable from a business point of view. However, HIPAA mandates yearly reviews of your policies and risk. You need to update your own and your employees’ training and your organization’s policies yearly. There are even some things that you may need to be doing on a quarterly basis. Keep a calendar and make sure that you are devoting the appropriate time and resources to both continued compliance and continued risk management.
Do I have To?
While this may seem very intimidating, especially if you have limited resources, getting started and addressing your HIPAA requirements and the concerns presented here will pay off in the long run. Low-hanging fruit is easily and cheaply dealt with. Simply knowing where you are at risk, in many cases, goes a long way toward enabling you to mitigate that risk through changes in behavior, vendor, or policy. The fact that you are working on it, know where you stand, and are taking steps to improve (however quickly or slowly, based on the resources at hand and the degree of risk) can also go a long way toward keeping a breach from being classified as “willful neglect,” which carries the largest fines, if something does go wrong.
Finally, there are many companies whose focus is on helping you meet your HIPAA compliance requirements, from performing a Risk Analysis, to writing internal policy documents, to outsourcing your email, web, and text messaging services. Getting help from third-party expert companies reduces your liability, reduces your workload, reduces the burden of knowledge and expertise on you, and ensures that your needs are taken care of by specialists.
LuxSci specializes in HIPAA-compliant email, web site, web form, and secure messaging systems.
- HIPAA Compliance is Needed for Emailed Appointment Reminders
- How to Setup HIPAA Mutual Consent for Insecure Email at LuxSci
- If my web site is very simple, do I have to worry about HIPAA compliance?
- LuxSci has Explicit HIPAA Agreements with Vendors – including McAfee
- Opt-In Email Encryption is Too Risky for HIPAA Compliance