Staying on Top of HIPAA Website Requirements

HIPAA has been a part of the medical community for over 25 years, but it has become even more important as nearly every interaction with a patient produces some form of protected health information (PHI). Whether it’s entered on a patient’s own computer, typed in by a nurse on a laptop, or scanned in from a paper document, HIPAA-covered electronic medical records and electronic health records (EMR/EHR) are created at a staggering rate. Unfortunately, that private information is also valuable to people who would use it for malicious purposes. Following HIPAA security best practices for the PHI your eCommerce site handles is crucial.

The HIPAA Act makes it very clear: protecting patient information is the responsibility of the healthcare-related business it is entrusted to. These businesses—legally referred to as covered entities—must put plans in place to protect all PHI in their care, whether they created it themselves or received it from another entity. Hospitals, healthcare systems, private practices, and pharmacies are a few of the most common types of covered entities that need to investigate HIPAA security compliance.

If you own or represent a covered entity, it’s vital to your business to invest in the best HIPAA-compliant websites, portals, and software possible. It’s also incredibly important to train staff to handle PHI correctly. Failure to do so can result in fines of millions of dollars and land you in court. Let’s take a look at the most common HIPAA compliance mistakes when it comes to EMR/EHR.

MISTAKE 1: Not Knowing Exactly What HIPAA Covers

Before a covered entity can comply with HIPAA, it’s necessary to know what it is.
The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is an act of Congress that dictates how electronic health information must be protected. This law affects any business that collects, stores, processes, displays, or transmits electronic information related to healthcare. Covered data includes but is not limited to:

Test or lab results
Diagnoses
Treatments
Billing
Prescriptions
Medical devices
Health insurance

Once a patient answers any health-related question and the answer is transformed into electronic information, the rules of HIPAA apply. It’s important to remember that a patient “owns” their information and can do with it what they wish. Patients can request their data from a covered entity and take it to another covered entity, and they can request that the first entity then purge their PHI.

Who Enforces HIPAA?

HIPAA rules are enforced by the Office of Civil Rights (OCR), a division of Health and Human Services. This office can investigate any infraction regarding the PHI mentioned above, but it is more likely to target incidents that affect more than 500 patients or cases that reveal gross negligence by the covered entity. HIPAA fines per record typically run from $100 to $50,000 depending on the circumstances.

MISTAKE 2: Not Planning for the Future

Because HIPAA compliance is mandatory and fines can be significant, HIPAA security isn’t something that can be taken lightly. Significant time must be invested to create a plan that will meet both current needs and the needs of your business in the future. Rushing into HIPAA compliance will almost certainly leave holes in the security—electronic, administrative, and physical.

When it comes to protecting the EMR/EHR of patients, it’s important to work with companies that have experience in the field. This can speed up the process while also making everything more secure. Don’t just hire a lawyer; hire one who specializes in HIPAA-related matters.
If you hire a training team to make sure your staff has the information they need to remain HIPAA compliant, find a company that knows HIPAA inside and out. And when you are looking for a company to create a website, HIPAA app, or portal, or to provide HIPAA-compliant web hosting, trust one that has a track record of keeping its clients safe.

MISTAKE 3: Failing to Assign a HIPAA Compliance Officer

Violating HIPAA can be catastrophic to a business. Fines from the OCR and lawsuits for breaking state laws can total millions of dollars, and that doesn’t even address the fact that the business’s reputation in the industry will take a big hit and drive customers away. That’s why it’s crucial to have a HIPAA compliance officer as part of your tech team, someone deputized to keep up to date with the ever-changing HIPAA laws.

It’s important to have a HIPAA compliance officer to bring all of the aspects of HIPAA security together. They can check that teams are working together when necessary and verify that all training is up to date. HIPAA laws and related state laws are always changing, so make sure you have someone who is at the center of your HIPAA defense.

A HIPAA compliance officer must keep the following three aspects of the HIPAA security rule in mind at all times.

Administrative safeguards — Keeping staff trained in HIPAA compliance (see Mistake 4)
Technical safeguards — Ensuring the data is encrypted in transit and at rest (see Mistake 6)
Physical safeguards — Protecting the physical drives that hold PHI (see Mistake 10)

MISTAKE 4: Neglecting Staff Training

No matter how good your technical security is, HIPAA compliance can be undone by staff. In fact, human error is one of the most common ways that HIPAA information is compromised. All employees with access to HIPAA EMR/EHR must be properly trained to recognize the most common ways that HIPAA breaches occur.
Phishing Scams — Every employee must be trained to spot the signs of emails that might introduce something malicious onto work computers. They must also be aware of scams that target email accounts in an attempt to gain login credentials.

Password Slippage — People too often leave their passwords written down where others can see them. If someone who breaches your computer system is questioned by authorities, the exact workstation and offending employee could be revealed.

Leaving PHI On Screen — Computers that can pull up PHI should only face those who have training in EMR protection. Similarly, employees should be conditioned to close any program showing PHI whenever they leave a workstation, especially on days when there are non-hospital staff—painters or electricians, for example—in the building.

Careless Patient Verification — It’s not unusual for two people to have the same name, and improper verification of patient identity could lead to the wrong person getting information they shouldn’t.

Patient Permissions — Patients must be informed about how you will use their information. Most covered entities let patients know that internal staff will be able to access information. But does the paperwork they sign let you send that PHI to another doctor? What about a staff member from a different branch who is stepping in for the day? A lawyer specializing in HIPAA best practices should be consulted when creating such paperwork.

Improper Data Reveals — What information can be relayed in a voicemail? How much PHI is too much to send via an unencrypted email? Staff must be trained on what is allowed and what isn’t; they’ll almost certainly reveal too much otherwise.

While it might be easy to say, “Everyone makes mistakes,” the person who compromised the information is an employee, and your entire organization is now culpable. HIPAA guidelines say that that person should have been better trained, and the task of doing so falls on the organization they work for.
MISTAKE 5: Choosing the Wrong Security Partner

When you’re investigating ways to protect PHI, not just any data storage provider will do. Any company can say, “Sure, we’ll create and secure a HIPAA-compliant website for you.” But standard security isn’t enough: every website must be secured to some degree, but that level must be increased considerably when it comes to HIPAA website requirements. This is also true for any financial information your HIPAA eCommerce site accepts. Be sure to search for companies that offer HIPAA eCommerce solutions that integrate with your current system and also provide the latest HIPAA-compliant website hosting available.

Interview and vet multiple companies as thoroughly as possible by asking about the following points.

Testimonials — Ask for testimonials, then contact the companies they have provided security for. Verify that those companies were happy with the experience and haven’t suffered security breaches.

HIPAA compliance experience — If there’s a winter storm, you don’t want to be a passenger in a vehicle whose driver has only driven a few times. An experienced driver has faced such road conditions before and knows what to do if something goes wrong. Similarly, a company with HIPAA experience will provide better service than one that has only handled financial data.

Data security background — There aren’t many companies that can provide both an excellent website or doctor portal and the level of security that PHI legally requires. Look for a provider who has experience with both.

Data breach response protocols — Any company offering security should have plans in place for when a cyberattack occurs. Action must be taken quickly once data has been improperly accessed, whether by a bot or by a human hacker. Ask about their plans if something goes wrong.
In addition, entering into a business associate agreement (BAA) with your HIPAA-compliant cloud storage provider is an excellent way to mitigate some of the risks associated with HIPAA-covered data. The term BAA is specific to HIPAA eCommerce and PHI data storage. It is a contract between a covered entity and a business that is protecting the covered entity’s electronic data in the Cloud. Basically, the data storage business agrees to accept liability for any negligence that leads to PHI data loss. It’s important to remember that breaking HIPAA compliance rules can come with both financial and criminal charges, which makes getting a BAA even more important.

MISTAKE 6: Failing to Technically Secure Data

The HIPAA rule dictates that PHI must be protected in the three ways we mentioned above: administrative, technical, and physical. When most people think of HIPAA security, the technical aspect is the part that presents the most concern and is the hardest to understand.

Any site that can be accessed from the web—patient/doctor portals, appointment scheduling, bill pay sites—is attacked moments after it goes live. In many cases, these new sites are attacked before search engines like Google even know they’re there. These attacks are first performed by bots, and if any vulnerabilities are found, a human hacker will step in and try to steal HIPAA-covered information. These attacks never stop; one bot might give up, but another bot might attack minutes later.

In general, the data you are protecting is categorized in one of two ways:

Data at rest — This is any data that is sitting in a local server room or in the Cloud and is not currently being accessed by anyone on your staff. Data at rest must be encrypted so that it stays unreadable if the storage device itself is attacked directly.

Data in transit — This is data that is moving from one location to another. The most common scenario is when a staff member wants to access PHI that is stored on a local server or in the Cloud.
It might also be data transferred via email, chat, or over a HIPAA-compliant mobile app. It goes without saying that data in transit must be rigorously protected with strong encryption.

Data tokenization is another way to protect data so that it is unreadable even if it is stolen. Layers of protection can be utilized so that, even if someone has the key to a data “vault,” the vault is hidden from them. And if by some chance they find the vault, the information in the vault is useless to them.

These layers of protection are put in place to ensure that only people who should have access to EMR/EHR PHI are allowed to see it. This is often made possible via multi-factor authentication. A person might have to use a pre-approved device, and they might only be able to connect from a whitelisted IP address. Further authentication can include passwords, access codes sent via text, or answering security phrases.

MISTAKE 7: Not Keeping Up-to-Date

When creating a HIPAA-compliant website and securing the web hosting that accompanies it, it’s not a “one-and-done” situation. You can’t simply hire someone to perform your EHR/EMR integration and then think that all your security issues are taken care of for the life of the platform. While your HIPAA information might be safe on Day 1, it gets less and less secure as time passes.

The primary reason is that the method of attack on information is never static. A newly launched site might be able to handle attacks at first, but hackers never stop finding new ways to exploit defenses. They—and the bots they create—are constantly looking for ways to gather the data you’re trying to protect.
Security updates to HIPAA websites and patient/doctor portals can be done on a monthly, weekly, or even daily basis, with the cadence often determined by keeping tabs on attacks that are occurring on similar sites.

MISTAKE 8: Not Testing the System

Even if you have a HIPAA compliance officer and are keeping everything up to date thanks to your tech team, it’s vital to have your sales portals, HIPAA website, and web hosting tested. This ensures that everything has the proper security measures in place to keep PHI safe. This is often known as “white-hat hacking”: programmers try to breach layers of defense in order to identify weaknesses so that holes can be patched. In most cases, a white-hat hacker will not get so far through the defenses as to obtain information; they simply record the weak points and then report back to admins so that defenses can be bolstered.

MISTAKE 9: Not Following HIPAA Logging Requirements

HIPAA rules dictate that stringent logs must be kept for all PHI. These logs keep track of:

Who accessed the data?
When was the data accessed?
From what device was the data accessed?
Was the data changed?
What did the data look like before it was changed?

This information can help you track down any problems that occur with PHI, whether they stem from innocent employee mistakes or from intentional wrongdoing. All of this data must be handed over in the case of a HIPAA audit. If a breach occurs, the OCR needs to know how the breach happened so that it doesn’t happen again. It also helps them determine the level of neglect that occurred.

MISTAKE 10: Neglecting Physical Data Security

This falls under the HIPAA security rule that applies to physical safeguards. Protecting the physical aspects of data—hard drives, flash drives, magnetic tape backups—is another important part of HIPAA security best practices that can’t be ignored. This covers something as simple as a desktop computer or as complex as a server room.
Anything that stores data must be physically protected if it holds PHI or has easy access to PHI in the Cloud. When you’re making a plan for HIPAA compliance, consult with a company that can provide guidance regarding HIPAA safeguards pertaining to data storage devices. They can also help you plan who should have access to each piece of hardware while keeping it secure from anyone—including employees—who should not interact with it.

MISTAKE 11: Improper Disposal of Data Storage

There will come a time when your on-site devices need to be replaced—computers become obsolete, laptops fail to boot, tablets are dropped. The information on these devices is often backed up in the Cloud, but it might also remain on the physical device in your office. That data must be properly sanitized before you dispose of the hardware in any way.

Sanitization methods differ depending on the device. To be completely thorough, most data protection companies suggest using professional software to overwrite the data multiple times with random data. Shredding, pulverizing, or incinerating the storage media makes the process even more secure.

MISTAKE 12: Ignoring State Laws

As we discussed at the beginning of this article, the Office of Civil Rights is in charge of investigating HIPAA violations and imposing fines. These fines come directly from the government entity and do not involve patients who have had their data compromised (though patients can file complaints). In other words, patients cannot sue you under HIPAA itself for mishandling their EMR/EHR data. What they can do is sue you at the state level for breaking laws that are connected to or inspired by HIPAA. Many states enact laws that work hand-in-hand with HIPAA rules, sometimes going beyond any penalties you might fear from the OCR. HIPAA fines alone can be catastrophic to a business, but additional lawsuits could shut its doors for good.
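Returning to the logging requirements of Mistake 9, the following is an added example (not Clarity’s code) of a PHI access audit trail that records the five facts the article lists and hash-chains the entries so that an auditor can detect a deleted or edited record. The class and function names (PhiAuditLog, demo_log) and all sample users, devices, and record ids are constructed for illustration.

```python
# Hash-chained PHI access audit log: an added example, not Clarity's code.
# Each record captures the five facts the logging section lists (who, when,
# which device, whether data changed, what it looked like before) and is
# linked to the previous record by SHA-256, so a deleted or edited entry is
# detectable during an audit. All sample data below is constructed.
import hashlib
import json
from datetime import datetime, timezone

class PhiAuditLog:
    def __init__(self):
        self.records = []

    def record(self, user, device, record_id, action, before=None, after=None, when=None):
        """Append one access event; `before` is the PHI state prior to a change."""
        when = when or datetime.now(timezone.utc).isoformat()
        entry = {
            "who": user, "when": when, "device": device, "record_id": record_id,
            "action": action,  # "read" or "update"
            "changed": action == "update" and before != after,
            "before": before, "after": after,
            # back-link to the previous record makes the log tamper-evident
            "prev_hash": self.records[-1]["hash"] if self.records else "0" * 64,
        }
        entry["hash"] = self._digest(entry)
        self.records.append(entry)
        return entry

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """True only if every record's hash and back-link are intact."""
        prev = "0" * 64
        for entry in self.records:
            if entry["prev_hash"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def history(self, record_id):
        """Every access to one patient record, in order, for an audit request."""
        return [e for e in self.records if e["record_id"] == record_id]

def demo_log():
    """Constructed sample: a nurse reads a chart, then a doctor changes a prescription."""
    log = PhiAuditLog()
    log.record("nurse_a", "ws-12", "pt-001", "read", when="2024-01-02T09:00:00+00:00")
    log.record("dr_b", "laptop-7", "pt-001", "update",
               before={"rx": "drug X 10mg"}, after={"rx": "drug X 20mg"},
               when="2024-01-02T09:05:00+00:00")
    return log
```

In production the chain head would be written to separate, write-once storage so that verify() has a trusted anchor; the in-memory list here only shows the mechanics.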
Clarity Can Help

Clarity has helped hundreds of clients with their healthcare needs, providing and integrating patient portals, doctor portals, eCommerce software, websites, and HIPAA-compliant web hosting. We have plans in place to help guide you through the technical process so that your PHI remains secure and you stay within HIPAA security best practices. We’d love to show you what we’ve done for our clients and tackle any unique problems you might have. Contact us today for a demo and to get a quote.

HIPAA Compliance Can’t Be Ignored

Clarity can provide you with HIPAA-compliant websites, web hosting, and patient/doctor portals that offer the latest security. We can also help you find the HIPAA-compliant server that will best meet your needs. We’ll help you create a plan that keeps PHI safe.