While advising covered entities and business associates of various sizes about HIPAA compliance issues, I've noticed three common bad practices.
Most CEs fail to appropriately vet and oversee their BAs. Most CEs, as well as BAs, treat HIPAA compliance as a checklist exercise instead of a comprehensive risk management process. And many do not provide effective training or awareness communications.
As a result, I recommend organizations make three New Year's resolutions to help bolster security and minimize the risk of a data breach:
1. Ramp Up Contractor Scrutiny
Do you know how well your vendors, business associates and contracted third parties - which I will collectively call "contractors" - are protecting the information you've entrusted to them so they can perform some business activity on your behalf?
Keep in mind that about 20 percent of breaches on the HHS "wall of shame" of major health data breaches involve a BA.
Also, be aware that your organization will probably share liability for the bad actions of your contractors. Case in point: In November, the Connecticut Attorney General applied penalties against both Hartford Hospital and its business associate, EMC Corp., as a result of a breach that occurred in 2012.
In 2016, make sure your contractors:
- Have documented policies and procedures. If they aren't documented, they don't exist.
- Understand that they must appropriately secure, and not share, the personal information you've entrusted to them.
- Provide regular information security and privacy training to their workers, and regularly send awareness reminders.
- Have a risk management process in place.
- Have implemented basic security tools to protect the information you've entrusted to them.
2. Go Beyond a Risk Management Checklist
It's vital to address administrative, technical and physical risks; significant breaches have occurred because one or more of these categories was ignored. A risk assessment is an important tool for identifying risks, but you cannot stop there. You need to implement a risk management program that includes ongoing activities to manage those risks, such as keeping an inventory of mobile computing devices with access to PHI; documenting which workers use personally owned computing devices; staying on top of new Internet of Things plans; making sure big data analytics is not used in a way that introduces unacceptable security and privacy risks; keeping anti-malware updated and applying security patches regularly; and performing audits, just to name a few.
Here's a perfect case in point. After numerous breaches, on Nov. 30, 2015, Triple-S Management Corp. agreed to pay a $3.5 million HIPAA non-compliance fine and to implement a robust corrective action plan to establish an effective HIPAA compliance program with effective security controls. Among the HHS findings:
- Failure to implement appropriate administrative, physical, and technical safeguards;
- Impermissible disclosure of PHI to an outside vendor with which it did not have an appropriate business associate agreement;
- Failure to conduct an accurate and thorough risk analysis; and
- Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its PHI to a reasonable and appropriate level.
If the insurer had had a comprehensive risk management program in place, including keeping systems patched and up-to-date, Triple-S probably could have prevented the breaches.
3. Educate the Workforce
Information security and privacy education is more important than ever because new gadgets and technologies enable more healthcare workers to collect and share data.
In September 2015, Cancer Care Group agreed to settle HIPAA violations by paying a $750,000 fine and adopting a "robust corrective action plan to correct deficiencies in its HIPAA compliance program." One of the major requirements for Cancer Care Group was to review and revise its training program, because the breach was caused by an easily preventable employee action (leaving a laptop holding unencrypted files on 55,000 patients in an unsecured car).
Training needs to happen more than once a year, and at or before the start of employment. There also need to be ongoing awareness communications and activities, as required by HIPAA.
Every organization of every size needs to invest some time and resources in regular training and ongoing awareness communications. Besides being a wise business decision, providing such education is a requirement of most data protection laws and regulations.