
Security Lapses Could See Majority of Health Practices Fined for HIPAA Non-Compliance

Healthcare organizations face considerable data security risks, yet evidence suggests that while the importance of compliance may be understood, too little is being done to secure ePHI. A recent survey has highlighted that many healthcare organizations are not paying attention to the warnings being issued by the government.

Physicians Practice conducted its annual Technology Survey and discovered that mobile devices are a particular area of concern, with only 31% of the respondents claiming to have implemented the policies and procedures covering the use of mobile devices in the workplace as demanded by HIPAA regulations.

Mobile devices are a major security risk because they are so easily lost or stolen, yet many healthcare organizations have not taken steps to ensure that mobile devices are HIPAA compliant. Mobile devices often contain unencrypted patient data, and personal mobile devices are particularly high risk if they are used to access, transfer or view patient data. The survey revealed that almost 70% of healthcare organizations have so far failed to implement strategies to deal with the security threat that mobile devices pose.

All mobile devices that are used for work purposes must have appropriate safeguards in place to protect data in the event that the device is lost or stolen. The HHS recommends data encryption, as this provides the strongest safeguard for ePHI; as a minimum requirement, mobile devices must be password protected.

It is recommended that healthcare organizations issue mobile device agreements to all staff to educate them on the importance of security and to advise them that the use of mobile devices is covered by the organization’s security procedures.

The survey also revealed other potential HIPAA compliance issues that have not been adequately addressed. The backing up and storage of ePHI is another major area of non-compliance: 39% of respondents admitted that ePHI is not backed up and secured off-site using either a secondary server or another data backup method, which is a requirement under the HIPAA Security Rule.

More worrying is the fact that 69% of respondents had not conducted a risk analysis. A risk analysis is a requirement under the Security Rule and is also required of any organization looking to meet the government’s requirements for meaningful use of EHRs.

Implementing appropriate strategies and safeguards can be a time-consuming job, yet it is vital that data is secured, both to avoid HIPAA non-compliance penalties and to ensure that patient data remains secure. Stiff financial penalties exist for each non-compliance issue, and the HHS is issuing record fines for non-compliance and data breaches. Healthcare organizations should therefore take HIPAA regulations seriously, conduct a thorough risk analysis and identify potential vulnerabilities. Action must also be taken to address all security concerns and to keep data safe and secure both in storage and in transit.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.