6 HIPAA Compliance mistakes that are too costly to ignore

HIPAA Compliance is once of those things that often may seem like the Loch Ness Monster – you’ve heard of it, you may even know someone who has claimed to have seen it, but youv’e never seen it yourself. There is a lot of information available online about becoming HIPAA compliant and it often seems like it is an impossible task.

HIPAA Compliance Mistake #1 – Not performing a risk analysis

This is the number one mistake that Covered Entities and Business Associates make with their HIPAA compliance. This is a requirement under the HIPAA Security Rule.

45 CFR 164.308 – Administrative safeguards

(A)Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

The risk analysis is the starting point for all HIPAA compliance. If you don’t know what to protect and where you are at risk, you can’t properly protect it.

Your risk analysis will be your guide to HIPAA compliance. Once you find the areas where you are at risk, you can begin to remediate the issues that you discover. After you have finished, perform another risk analysis so that you document that you resolved all of the issues.

Not performing a risk analysis can be a very costly mistake for practices to make. North Memorial Health Care of Minnesota was fined $1.55 million for failing to perform a risk analysis and for not having Business Associate Agreements.

HIPAA Compliance Mistake #2 – Not training practice staff

Training is often overlooked within practices and business associates alike. Many think they already understand HIPAA and don’t really need to train. Training is a mandatory requirement of HIPAA under the Security Rule.

45 CFR 164.530 – Administrative requirements

(2)Implementation specifications: Training.

(i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows:

(A) To each member of the covered entity’s workforce by no later than the compliance date for the covered entity;

(B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce; and

(C) To each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.

(ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section.

Training should be frequent and documented to show that staff was indeed trained. Training also needs to be specific to the threats you will face in your situation.

HIPAA Compliance Mistake #3 – Not watching things

Having a security system without it being monitored doesn’t make a lot of sense does it? The same holds true for HIPAA compliance. Having firewalls, malware protection, system logs, doesn’t matter if no one is monitoring them. Firewalls can show if attacks are occurring or if large amounts of data are leaving a network. This would indicate a possible breach and theft of patient data. System logs and EMR logs would show attempted login to accounts. This is how many attackers work. They attempt to log into a system with various passwords until they succeed. Each failure is noted in a log file. If these are caught early enough, then a site can take action. But if no one is watching these logs for these types of events, then they will go unnoticed and the attack will eventually succeed.

In addition, watching EMR logs can help spot when an insider attempts to access records that they shouldn’t have access to. Insiders account for the largest amount of breaches.

HIPAA Compliance Mistake #4 – Not keeping computers and software up to date

Compliance isn’t something you achieve and then stay that way. That simply isn’t possible. compliance can be achieved for a moment in time but it must be maintained. One of the ways this happens is keeping your computers and all software up to date. This is especially true with Windows and your EMR software. HIPAA requires that Covered Entities and Business Associates use only software that is supported by vendors. This means that when Microsoft discontinues support for a particular operating system, like Windows 7 on January 14, 2020, if a practice continues using it, they are not HIPAA compliant.

The same holds true for EMR software. Most vendors will support one or two previous versions. But if you are using one that is older than that and is no longer supported, then you cannot be HIPAA compliant.

Finally, software vendors release updates and patches to their products regularly. These need to be installed to keep the software compliant but also to keep then safe. These updates usually address various software bugs and security holes found in the software. Patching these keeps your data safe from attackers. Regular patching is a requirement under HIPAA regulations. HHS released guidance on patch management recently to show how important this is.

HIPAA Compliance Mistake #5 – Thinking insurance will cover you in a breach

This is a common belief that practices can get breach insurance that will cover them in a HIPAA compliance investigation. While its absolutely true that this insurance does exist, all of them will require that the practice perform its due diligence. This means

  • Performing a risk assessment
  • Remediating any of the issues the assessment uncovers
  • Making sure your training is up to standard
  • Having up to date software and equipment

Sound familiar? Insurance companies want you to be HIPAA compliant. The insurance is there in case something happens AFTER you have already done everything you were supposed to do. When performing your yearly insurance updates, one of the questions asked for cyber insurance is whether or not you performed a risk assessment. If a yes answer is indicated but it wasn’t performed, this would be just cause for the insurer to deny the claim.

Take the case of Cottage Health Care. They had a breach in and then filed the claim on their insurance. They indicated to the insurance company on previous documents that they had performed their risk assessments. In doing its own investigation, the insurance company found that the risk assessment had not been done. This led them to decline the claim. If you don’t do the things you are supposed to do, insurance will not cover you.

HIPAA Compliance Mistake #6 – Not having Business Associate Agreements

All Covered Entities are required to have Business Associate Agreements (BAAs) with any third party that has access to their Protected Health Information (PHI). If you don’t have these, then you can’t be HIPAA compliant. This is very often overlooked with small practices. They are needed for a variety of situations such as:

  • Outside billing services
  • Accountants if the accountant is performing collections
  • Collection services
  • IT services
  • EMR vendors

An agreement is needed for each of these and should be kept in your documentation. A good idea is to also revisit them yearly to make sure they are current and correct. You can also make sure that if you changed vendors, you removed all of their access to your PHI.

Summary

Each of these mistakes can be very costly to a practice. Not only in terms of fines and lawsuits, but also in terms of lost patient trust. This can have a long term impact on any practice that is very hard to recover from.

Address each of these and you will have gone a long way into achieving HIPAA compliance.