Technology You Need to Avoid a HIPAA Violation
Learn what you need in order to avoid a HIPAA violation
In August 2016, Illinois-based Advocate Health Care agreed to pay the largest-ever HIPAA violation fine: $5.55 million for three breaches of electronic health data that occurred over a three-month period in 2013.
Officials said the fine was intended to send a “strong message” to all businesses that handle electronic protected health information (ePHI). The message is clear: HIPAA compliance is critical, and lack of compliance is extremely costly.
But simply writing new workplace policies and educating employees is not enough to avoid a violation. Secure, dependable technology must be put in place to ensure that patient data is protected around the clock.
Costs of a HIPAA Violation
Businesses that violate HIPAA guidelines are fined anywhere from $100 to $50,000 per violation, even if the violation was an accident. If the same violation occurs within 12 months, the fine jumps up to $1,500,000.
A HIPAA violation includes virtually any scenario in which electronic health information is compromised due to a lack of compliance policies and protocols. Violations can include everything from a stolen laptop to a widespread data breach.
Technology You Must Have in Place
1) Email & Data Encryption
Healthcare providers and their partner organizations are strongly encouraged to encrypt their data, particularly if ePHI is being transferred between individuals and offices.
The HIPAA Security Rule states that encryption “must be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI.”
So, while data encryption alone is not mandatory under the Security Rule, organizations can be fined for a HIPAA violation if they knowingly fail to encrypt data after a risk assessment has shown that encryption could have prevented a breach of data.
2) Mobile Device Management
Access to sensitive data becomes even more precarious if the people within your organization are using mobile devices to communicate and share information. If a mobile device that provides unsecured access to ePHI is lost or stolen, that would be a HIPAA violation.
This is why it’s crucial to use a mobile device management solution that provides total control over employees’ mobile devices, as well as the data being accessed from them.
There are numerous technology solutions available to help ensure that the devices remain secure during data storage, access and transmission. Requiring password protection, being able to wipe data from lost or stolen devices and administering automatic lockouts are just a few ways to ensure that ePHI is not compromised.
3) Business Continuity
The HIPAA Security Rule mandates that contingency planning must be in place to prevent data from being compromised after a disaster. Such disasters could be a system failure, flooding in the server room, fire, vandalism and so on.
Under the Security Rule, a variety of safeguards are required to prevent and minimize downtime and ensure data is not damaged, including:
- Data backup plan
- Disaster recovery plan
- Emergency mode operation plan
- Testing and revision procedures
- Applications and data criticality analysis
This is where a dependable business continuity solution is imperative. Solutions like Datto go beyond the limitations of traditional backups by securing your data both locally and in the cloud, and they can also take care of your data encryption.
Datto’s Inverse Chain Technology ensures a more resilient and efficient backup solution, and data recovery is typically almost instant (as opposed to several days or weeks). Additionally, the system constantly validates backup integrity immediately after completion, ensuring that data are clean, recoverable and protected in the event of a critical disaster.
Stay in Compliance
Keep in mind this is only a short list of the technologies and measures that must be put in place for HIPAA compliance. For more information on the requirements for your organization, see this summary of the HIPAA Security Rule from the U.S. Department of Health & Human Services.