A HIPAA risk assessment helps you identify potential issues and the steps you can take on behalf of your healthcare clients to reduce the risk of a data breach. But is it enough, does the statute and the assessment framework cover all of the potential threats? The answer is no.
A reader commented on a recent blog post, stating that “HIPAA consulting is about avoiding fines" whereas "security consulting, separate from HIPAA, is about keeping your data from being exposed.” As a managed IT services provider, it’s up to you to think beyond HIPAA compliance measures and ensure your healthcare clients and their data are truly protected.
Here are 5 recommendations you can share that not only help prevent a data breach, but demonstrate your value and reinforce your role as your clients' trusted IT advisor:
1. Transmission and Data Encryption
According to the AAFP, the American Academy of Family Physicians, the HIPAA security standards DO NOT require e-mails, or any other transmission from a doctor’s office, to be encrypted. The standards DO require a practice to assess whether its unencrypted transmissions of health information are at risk of being accessed by unauthorized entities and if so, are encouraged to use some form of encryption.
This is a great example of where HIPAA falls short. Examples of such data transmissions include patient billing and administrative information exchanged with payers and health plans; utilization and case management data, including authorizations and referrals that are exchanged with payers, hospitals and utilization management organizations; and word-processing files used in transcription and other kinds of patient reports that are transferred electronically. This is a great opportunity to position yourself as a security resource, educate your clients on the importance of data encryption (both in transit and at rest) and outline the different options that are available.
2. The Paperless Route
Many healthcare providers still rely on the postal service to deliver patient’s test results. In my neighborhood, mail is delivered to the wrong house all the time, so the risk of personal information ending up in the wrong hands is real. If your clients rely on snail mail, evaluate options for making patient’s test results available electronically using secure passwords and encryption, and recommend a solution that fits their needs.
3. Data-Storing Devices Clients Forget About
People recognize that data is stored on computer hard drives, but many medical providers don’t know that the same is true of printers, copy machines and a host of other devices that they use in the daily operation of their practice. Educate your clients on the exposure hazard, and create a schedule for wiping these devices on a regular basis to reduce risk. In addition, if clients are upgrading and planning to destroy, donate, or recycle old equipment, assist them with “sterilizing” the devices and ensuring that they are free of patient information.
4. Gone Without a Trace
How do your clients handle the destruction of paper-based registration forms, old records, notes, etc.? Are there shredders on site? How is the output handled and destroyed? Work with your clients to ensure they have the right protocols in place and the equipment they need to effectively destroy sensitive materials.
5. Train, Train, Train Your Clients
Office staff must take their role in protecting patients’ privacy very, very seriously. According to AAFP, most security breeches occur when people working in a practice exercise faulty judgment or fail to follow procedures in which they’ve been trained. Work with the office manager to periodically test staffers and determine their adherence to data and security protocols, resiliency to social engineering tactics, etc.
Continuum offers a HIPAA Assessment Tool, which allows you to expand your service portfolio, generate additional revenue and most importantly, help your clients survive an audit. To learn more about this tool and how to use it to boost your bottom line, check out our recent webinar:
