We all know that HIPAA risks come in many shapes and sizes. But as the workday gets busy, it becomes easier and easier for breaches to happen, even when they are accidental. More specifically, software-related HIPAA risks are one common stumbling block. When ePHI is compromised, it can result in a costly fine.
Here’s what you need to know about software-related HIPAA risks.
The first step in verifying your ePHI is properly protected is to conduct a thorough risk analysis. HHS has released an online resource that helps small to mid-sized organizations assess their risks so the weak points can be identified and remedied.
A typical risk analysis should look something like this:
- Scope: Evaluate risks to the integrity of ePHI. This includes all electronic media used to create, collect, or transmit electronic patient information, and all devices used in these processes.
- Data Storage: Identify where data is being stored, collected, or transmitted. This includes any third-party providers, so ensure those outlets are following protocols as well.
- Document Vulnerabilities: When you can pinpoint and document the process you’ve followed to correct any potential leaks of ePHI, you can show the measures you’ve taken to keep patient data safe.
- Evaluate Overall Security: Whether it’s encryption, two-factor authentication, or other security methods put in place by your hosting provider, be sure your strategy is thorough.
The Penalties for Software-Related HIPAA Violations
Even something as small as having a semi-exposed computer screen displaying patient information at your front desk can mean serious trouble. One of the more recent violations was a $150,000 settlement from Anchorage Community Mental Health Services, Inc. when more than 2,700 ePHI records were compromised due to a software-related violation.
In the past two years alone, more than $11.7 million in fines have been parceled out to organizations that aren’t staying on top of their patient information.
If you’re still using old software that needs to be patched or updated, now is the time to make the switch. Though it may be costly, Phase 2 HIPAA audits are on the horizon, and you can’t afford to stay with old systems.
As you transition to a new system, ensure all staff members receive proper training on a regular basis so your entire team is on the same page. Education is one of the best ways to stay on top of HIPAA violations because when employees know what to look for, they can be proactive about minimizing risk.
Conduct risk analyses regularly as well as whenever a new system or software is implemented.
What do you do to stay on top of HIPAA risks?