How Many Companies are Violating HIPAA and Don't Even Know it
Wed Apr 05, 2017 | Lasers Resource
The Health Insurance Portability and Accountability Act (HIPAA) is something we all know a bit about, but what if you are violating HIPAA and don’t even know it? Are you sure you have all the requirements met and are practicing within the guidelines?
Penalties for HIPAA violations can be both monetary and legal: $100-$50,000 or more plus up to 1 year in prison per violation. In some cases a violation becomes criminal, with 1-10 years in prison and a $250,000 fine per violation.
The US Department of Health and Human Services (HHS) has published the HIPAA Security Rule, which establishes a national set of security standards for electronic Protected Health Information (PHI, e-PHI), alongside the HIPAA Privacy Rule. I will be focusing on the Security Rule, but it is a good idea to do a quick refresher on the Privacy Rule as well.
HIPAA Security Rule
There is a very important section in the Security Rule titled "Risk Analysis and Management". HHS.gov defines it as follows:
The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes. The risk analysis and management provisions of the Security Rule are addressed separately here because, by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule.
A risk analysis process includes, but is not limited to, the following activities:
- Evaluate the likelihood and impact of potential risks to e-PHI,
- Implement appropriate security measures to address the risks identified in the risk analysis,
- Document the chosen security measures and, where required, the rationale for adopting those measures, and
- Maintain continuous, reasonable, and appropriate security protections.
Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.
The rule also breaks this into three sections:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
The area where a lot of companies may be in violation falls within the Administrative Safeguards.
Information Access Management
HHS.gov defines this as:
Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the "minimum necessary," the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient's role (role-based access).
Your printers and copiers are probably within work areas or behind locked doors, away from where just anyone off the street can walk up and grab documents. But the Information Access Management section goes well beyond keeping information safe from the public.
Let's say we all work in a hospital together. I, in marketing, can walk around the grounds freely; people know me and I have some buddies at the nurses' station. While I'm there waiting for a friend to show up, a fax comes in; being nosy, I take a quick peek. Although I am an employee, the hospital did not follow the Security Rule, which requires that only authorized users have access to PHI. It is not appropriate for someone in marketing to see that information based on the role they play in the company, and the hospital has no record of me seeing it.
This is a violation.
The full description of Data Safeguards in the HHS Summary of the HIPAA Privacy Rule is:
Data Safeguards. A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure. For example, such safeguards might include shredding documents containing protected health information before discarding them, securing medical records with lock and key or pass code, and limiting access to keys or pass codes.
How can Managed Print Services (MPS) Help?
An MPS partner can offer many options to help you stay in line with HIPAA and all of its regulations. There are physical measures like tray locks, which secure any paper you have in the input trays, such as Rx sheets or insurance claim forms (not necessarily a HIPAA issue, but good to have protected). There is also software called Secure Rx that removes the need for specialty prescription paper, eliminating chain-of-custody concerns.
There are a lot of solutions that work well for government and industry regulations. First, printers and copiers are a risk to your data and network. It is actually pretty easy to hack into one of these (yes, even if they are behind your firewall) and from there get into your computers and servers. There are many security solutions you can put in place that will encrypt your copier's hard drive. This matters because a digital image of every page printed is saved on that hard drive. Imagine you get rid of an old copier along with thousands of patients' information stored inside it.
There are real-time security monitoring and protection solutions that will automatically find, report, and fix any threats they detect. HP offers JetAdvantage Security Manager and a number of onboard policies on its hardware; Xerox has partnered with Cisco and McAfee to protect your data and network. Print jobs can also be picked up as they make their way to the printer. A 'man-in-the-middle' attack is when someone grabs your print job in transit, keeps a copy, and then forwards the job to the printer, normally without anyone knowing it has happened. An MPS partner can configure an encrypted print stream so that the contents of a print job cannot be read if it is intercepted.
Knowing who has access to PHI and what users are doing with it is incredibly important. With a reporting tool, like HP Insights, you can see who is printing, and possibly sharing, what documents.
Faxing is still used heavily in the medical industry. This is great because the data is encrypted automatically, it is point-to-point communication (no way for someone to sneak in and grab your data in transit), and it has great reporting features. Faxing can be integrated with your email client, so your users can fax right from their desktops.
Remember me, the nosy marketing guy who lifts patient information when no one is looking? An MPS partner can provide you with a pull print solution. With pull print, jobs are held in a centralized, normally cloud-based, print driver. They do not print at a device until a user is standing at the printer or copier and authenticates. This prevents anyone from seeing something they shouldn't, gives your users the benefit of walking up to any device and collecting their prints (no more hunting through hundreds of print drivers to find the right one), and provides the best form of reporting, because every user must authenticate.
All of these practices can help make sure that you are in line with HIPAA and all the demands that go along with it. Most of them do come with a monthly fee, pull print included, but a fraction of a penny per page is far less than hundreds of thousands of dollars, bad PR, and possible jail time because of a breach.
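To make the pull print idea concrete, here is an added illustration (not the post's own code, and not any vendor's product): a minimal hold-and-release queue in Python where a job is printed only after its owner authenticates at a device, and every release attempt, successful or not, is written to an audit record. The user directory, PINs and job contents are constructed sample data.

```python
# Added example (not from the original post): a minimal pull-print
# release queue. Jobs are held centrally and leave the queue only when
# the job's owner authenticates at a device; every attempt is audited.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _hash_pin(pin: str, salt: str) -> str:
    """Salted SHA-256 of a device PIN (constructed for this example)."""
    return hashlib.sha256((salt + pin).encode()).hexdigest()


# Constructed user directory: user -> role and salted PIN hash.
USERS = {
    "nurse_kim": {"role": "nurse", "salt": "s1", "pin_hash": _hash_pin("4821", "s1")},
    "mkt_joe": {"role": "marketing", "salt": "s2", "pin_hash": _hash_pin("1111", "s2")},
}


@dataclass
class Job:
    job_id: str
    owner: str
    contains_phi: bool
    pages: int


@dataclass
class PullPrintQueue:
    held: dict = field(default_factory=dict)   # job_id -> Job, not yet printed
    audit: list = field(default_factory=list)  # one record per release attempt

    def submit(self, owner: str, contains_phi: bool, pages: int) -> str:
        job_id = secrets.token_hex(4)
        self.held[job_id] = Job(job_id, owner, contains_phi, pages)
        return job_id

    def _authenticate(self, user: str, pin: str) -> bool:
        rec = USERS.get(user)
        return rec is not None and hmac.compare_digest(
            rec["pin_hash"], _hash_pin(pin, rec["salt"]))

    def release(self, job_id: str, user: str, pin: str, device: str) -> bool:
        """Print job_id at device only if user authenticates and owns the job."""
        job = self.held.get(job_id)
        ok = job is not None and self._authenticate(user, pin) and job.owner == user
        self.audit.append({"job": job_id, "user": user, "device": device,
                           "phi": bool(job and job.contains_phi), "released": ok})
        if ok:
            del self.held[job_id]  # the job exists on paper only from this point
        return ok
```

The audit list is what answers the "who saw what, and when" question from the hospital example: the marketing user's failed attempt is recorded alongside the nurse's successful one.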