The most common HIPAA blunders your business should avoid

Modern-day healthcare organizations face the technological challenge of marrying medical equipment with data management equipment. Medical equipment, despite its cutting-edge, life-altering capabilities, does not always work seamlessly with the data management systems needed for storing and accessing patient information.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was created to modernize the flow of healthcare information in an effort to combat waste, fraud, and abuse, as well as to improve and simplify the administration of health insurance, among other services. HIPAA mandates the proper collection, accessibility, and storage of patients' protected health information (PHI), and these procedures have become an important part of determining the competency of IT providers for healthcare facilities.

Managing PHI is a challenging task because it contains information that can be used for illicit gain if it falls into the wrong hands. Despite the threat of expensive lawsuits and penalties, however, many healthcare organizations still make mistakes in handling PHI. Here are some cases that highlight the most common ones:

Device loss and unencrypted devices

Between 2012 and 2013, the healthcare firm MD Anderson became embroiled in three separate cases of PHI device loss. An unencrypted laptop belonging to a Dr. Millikan was reported stolen in May 2012. The laptop, which he had been using to work from home, contained the PHI of more than 29,000 people. Then, in July 2012 and December 2013, two separate unencrypted thumb drives were misplaced. The two devices contained the PHI of almost 6,000 individuals. As punishment for its failure to guard the PHI of tens of thousands of patients, MD Anderson was ordered to pay over $4.3 million in fines in 2018.

This case was a twofold blow to the company because it highlighted two incorrect practices: the use of unencrypted devices, and negligence in handling sensitive information. Thumb drives are cheaper than ever, and it is easy to take these devices for granted because they’re simple to replace. But the information contained in them is worth more than the devices themselves. What’s worse, not only were the devices lost, they were unencrypted as well, so the information stored on them could be freely used by whoever took the device.

Incorrect configurations

Middletown Medical, a New York hospital, discovered in January 2018 that one of its radiology interfaces had been inadvertently configured to allow unauthorized users access to electronic patient information such as full names, client ID numbers, birth dates, and patient service histories. For some patients, diagnosis codes and radiology images were also accessible, although critically sensitive data such as Social Security numbers and financial information were not exposed.

Modern technology now allows machines to communicate securely with information management systems, which is especially useful for organizations with a large customer base. However, it also means that configuration errors such as this one can have grave consequences, because people are fallible and prone to mistakes.

Improper data management procedures

In January 2018, health insurance provider Tufts Associated Health Maintenance Organization, Inc. discovered that one of its mailing vendors had been mailing out member ID cards in envelopes with clear windows, allowing members’ PHI to be seen. The company alerted its 70,000-strong membership base shortly thereafter, and while a post-mortem of the case showed that the actual risk was quite small, the incident still exposed the company to the risk of litigation.

By comparison, a similar case in 2017 involved around 12,000 individuals and culminated in a $17.2 million class-action settlement by the erring party, Aetna. Improperly handled data may ultimately cause no harm to patients, but no healthcare organization should run that risk, especially since it can hurt the business’s bottom line.

A smart solution is to engage a competent IT company so that you can be assured your medical equipment and your data systems are working together in complete harmony. Managed services let you focus on your business while ensuring that your processes are regulation-compliant and that your data is secure and accessible whenever you need it.

Arnet Technologies offers a HIPAA-compliant EasyNET Virtual Office solution that provides secure mail, disaster recovery, network access control, business-specific software, and 24-7 support - all for a flat monthly fee. Contact us for a quote today!
