Security Lapses Could See Majority of Health Practices Fined for HIPAA Non-Compliance


Healthcare organizations face considerable data security risks, yet the evidence suggests that while the importance of compliance may be understood, too little is being done to secure ePHI. A recent survey has highlighted that many healthcare organizations are not acting on the warnings being issued by the government.

Physicians Practice conducted its annual Technology Survey and found that mobile devices are a particular area of concern: only 31% of respondents said they had implemented the policies and procedures covering the use of mobile devices in the workplace that HIPAA regulations require.

Mobile devices are a major security risk because they are easily lost or stolen, yet many healthcare organizations have not taken steps to bring them into HIPAA compliance. Mobile devices often hold unencrypted patient data, and personal devices are particularly high risk when used to access, transfer or view patient data. The survey revealed that almost 70% of healthcare organizations have so far failed to implement a strategy for the security threat that mobile devices pose.

All mobile devices used for work purposes must have appropriate safeguards in place to protect data if the device is lost or stolen. HHS recommends encrypting the data on the device, as this provides the strongest safeguard for ePHI; it is also what keeps a lost or stolen device from becoming a reportable breach, since ePHI encrypted in line with HHS guidance is not considered "unsecured". At a minimum, a device must require authentication, such as a password or PIN, before any access is granted.

Healthcare organizations should also issue a mobile device agreement to all staff, both to educate them on the importance of security and to make clear that the use of mobile devices, including personal devices, falls under the organization's security policies and procedures.

The survey also revealed other potential HIPAA compliance issues that have not been adequately addressed. The backing up and storage of ePHI is another major area of non-compliance: 39% of respondents admitted that ePHI is not backed up and secured off-site, whether on a secondary server or by another backup method. A data backup plan that allows exact copies of ePHI to be retrieved is a requirement of the HIPAA Security Rule's contingency plan standard.

More worrying still, 69% of respondents had not conducted a risk analysis. A risk analysis is a requirement under the Security Rule, and it is also required of any organization looking to meet the government's meaningful use requirements for EHRs.

Implementing appropriate strategies and safeguards can be time consuming, yet it is vital that data is secured, both to avoid HIPAA non-compliance penalties and to keep patient data safe. Stiff financial penalties exist for each non-compliance issue, and the HHS Office for Civil Rights (OCR) is issuing record fines for non-compliance and data breaches. Healthcare organizations should therefore take HIPAA regulations seriously, conduct a thorough risk analysis and identify potential vulnerabilities. They must then act on every security concern found, so that data is protected both at rest and in transit.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
