According to reports, healthcare companies have had a difficult time fully complying with HIPAA since the regulation is seen to be difficult and burdensome.
Due to this, it is of the utmost importance to stress the significance of guarding confidential health information against criminals such as hackers and thieves. In addition to the significance of the information you are tasked with preserving, HIPAA violations may result in significant financial losses for a business.
Protected health information, or PHI, is defined under the HIPAA privacy rule as any data in a person’s medical record that may be used to identify them and is held by a covered organization. In order to maintain compliance with HIPAA and the Privacy Rule, each of the 18 unique identifiers must be handled with the proper level of security at all times.
Personal Health Information Protection Act Details
Under section 3 of the Personal Health Information Protection Act, 2004 (PHIPA), the Regional Municipality of Peel, also known as the Region of Peel, has four health information custodians. They are:
- Medical Officer of Health
- Chief of Public Health
- Director of Paramedic Services
- Director of Long-Term Care
- Director of Senior Services Development for the Region of Peel
Under the Personal Health Information Protection Act (PHIPA), Health Information Custodians are responsible for ensuring that personal health information is collected, used, stored, and transferred in a manner that maintains both the privacy of individuals and the confidentiality of the information in question. This duty rests with the Health Information Custodian.
It is vital for our customers, patients, and residents to have a clear understanding of the many forms of personal health information that we collect, how we use and protect that information, and who we share it with.
The Act is divided into nine parts, each dealing with a different topic. The topics covered are: “interpretation and application,” “practices for protecting personal health information,” “consent regarding personal health information,” “collection, use, and disclosure of personal health information,” “access to records of personal health information and correction,” “administration and enforcement,” “general,” “complementary amendments,” “commencing,” and “short title.”
The Act does not mandate that those who are in charge of maintaining health information must completely give up their existing information practices. It is expected of healthcare practitioners to follow professional norms of practice that preserve patients’ privacy.
Since the Act is unlikely to conflict with pre-existing norms of practice in most respects, those working in the healthcare industry should continue to adhere to those norms. Where the Act and a professional code disagree, and the Act prohibits a practice that the professional code would authorize, healthcare practitioners are compelled by law to comply with the Act.
The Act will, in most cases, require existing information processes of health information custodians to be modified in order to comply with its requirements. It is essential to keep in mind that the Act was enacted with the intention of enhancing privacy while minimizing the disruption caused to the connection between patients and their healthcare providers.
What are The Most Common Causes of PHI Breaches?
It is easy to place blame on malicious hackers and outdated technology when a data breach occurs; however, the vast majority of HIPAA violations are the result of human error rather than technical error.
According to research conducted not long ago by the Health Information Trust Alliance (HITRUST), the majority of HIPAA violations are caused by the theft or loss of portable devices like laptops and other electronic storage media. Theft accounts for 54 percent of all security breaches, making it by far the most prevalent cause, while loss accounts for 12 percent of all breaches:
- Theft – 54%
- Loss – 12%
- Unauthorized access or disclosure – 11%
- Hacking – 6%
- Incorrect mailing – 6%
- Improper disposal – 5%
- Error/omission – 3%
- Malware – 2%
- Unknown – 1%
1. Theft of Information
According to the United States Department of Health and Human Services, the most common cause of a HIPAA violation is still theft.
The government defines theft as the taking of “equipment carrying electronically protected health information or paper records.” Unfortunately, because of the perceived value of computers and mobile devices, criminals continue to target these items as desirable acquisitions.
One of the most effective ways to protect a healthcare organization from the risk of a HIPAA violation brought on by lost or stolen technology is to encrypt the data stored on all devices in use and to mandate the use of a password. If a computer is stolen, the information stored on it remains encrypted and is useless to the thief. As a direct consequence, the covered organization is exempt from the breach-notification requirement (as long as all the HIPAA rules on data encryption are followed).
One more astute tactic is to devise a way to prevent the electronic device from ever being stolen in the first place. When designing a plan for the protection of sensitive data, “physical security,” an aspect that is far too often overlooked, falls under this category. Utilize this SANS resource to learn more about the topic of physical security.
When employing stationary equipment, the same safety precautions should be used. A desktop computer that has been left unattended is just as susceptible to hacking as a portable device that has been taken.
Additional precautions that should be considered when securing a stationary device include storing the device in a location where only individuals who have been granted permission to use the computer may access it and having security make frequent rounds to check on the device to ensure that it is still secure.
2. Unauthorized Disclosure
Unauthorized access and disclosure is the “catch-all” category in the Department’s notice; it covers human error, snooping, and accidental disclosure to a third party, among other activities.
When workers of a healthcare institution go through encrypted data in pursuit of personally identifiable information that they are not authorized to access for any reason, the company opens itself up to a large HIPAA liability.
Spying is taken very seriously by the government, and anyone found guilty of this offense might face severe penalties.
One technique for avoiding snooping at your customer’s workplace is to begin teaching new employees the risks and consequences of spying as soon as they are hired. Establish rigorous guidelines that clearly define the consequences of spying, up to and including the loss of one’s employment.
Make sure that staff have exactly the access they need to do their jobs, and no more. If there is no opportunity for temptation in the workplace, workers have no means to snoop on patients or on one another.
Create bogus medical records for famous people and keep track of who looks at them. Your client may now have a better idea of the extent to which they are being spied on inside their company based on this information.
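The decoy-record technique above only pays off if someone actually reviews the audit trail. The following is an added example (not from the original article) of that review step: it scans a constructed EHR audit log for any access to a set of decoy chart numbers and groups the hits by user. The CSV field names, the `MRN-` identifiers and the exempt `audit.bot` account that seeds the decoys are all assumptions for illustration.

```python
"""Flag access to decoy ("canary") patient records in an EHR audit log."""
import csv
import io
from collections import defaultdict

# Assumed: chart numbers reserved for decoy records. They must look like
# real charts but have no real patient behind them, so no legitimate
# clinical workflow should ever touch them.
DECOY_RECORD_IDS = {"MRN-880001", "MRN-880002"}

# Constructed sample audit log (timestamp,user,action,record_id).
SAMPLE_AUDIT_LOG = """\
timestamp,user,action,record_id
2023-03-01T09:12:04Z,nurse.j,view,MRN-104211
2023-03-01T09:15:31Z,clerk.m,view,MRN-880001
2023-03-01T09:16:02Z,clerk.m,print,MRN-880001
2023-03-01T10:40:55Z,dr.k,view,MRN-104212
2023-03-01T11:02:17Z,clerk.m,view,MRN-880002
2023-03-01T11:30:00Z,audit.bot,view,MRN-880001
"""


def decoy_accesses(log_text, decoy_ids, exempt_users=frozenset()):
    """Return {user: [(timestamp, action, record_id), ...]} for every
    access to a decoy record by a non-exempt user. Every entry is a
    finding worth investigating, since decoy charts have no legitimate use.
    exempt_users is for the (assumed) account that creates and verifies
    the decoys; keep that set as small as possible."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["record_id"] in decoy_ids and row["user"] not in exempt_users:
            hits[row["user"]].append(
                (row["timestamp"], row["action"], row["record_id"]))
    return dict(hits)


def summarize(hits):
    """Per-user count of decoy touches, highest first, for triage."""
    return sorted(((user, len(events)) for user, events in hits.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    found = decoy_accesses(SAMPLE_AUDIT_LOG, DECOY_RECORD_IDS,
                           exempt_users={"audit.bot"})
    for user, count in summarize(found):
        print(f"{user}: {count} decoy access(es)")
        for timestamp, action, record_id in found[user]:
            print(f"  {timestamp} {action} {record_id}")
```

Running it on the sample flags `clerk.m` three times (two views and a print) and nothing for the clinical users, which is the kind of report the text suggests handing to the client.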
HIPAA breaches caused by spying are not something that should be taken lightly by either you, your client, or the staff of your client. Third-party disclosure is a subset of unauthorized access as well.
When a healthcare organization contracts out work to another company, that company runs the risk of violating HIPAA standards, which might lead to the information being disclosed to a third party.
Even in the event that an employee of the healthcare institution is not found to be directly responsible for the data breach, the company still stands to incur significant HIPAA violation fines if it fails to protect patient information in an acceptable manner.
If the healthcare organization does not have a Business Associate Agreement (BAA) in place at the time of service and the business it hired breaches HIPAA rules, the healthcare organization is accountable for paying the fines.
Therefore, under HIPAA, if your client hires a billing company and one of that company’s employees has their laptop stolen, the healthcare provider is liable for any exposed patient information, just as it would be if one of your client’s own employees had a laptop stolen from their place of employment.
In a scenario such as this one, the best way to safeguard your client is to work up a BAA (Business Associate Agreement) with the company that they are doing business with. A BAA lays out in great detail the information that a business associate is permitted to view as well as their responsibilities in the event that there is a violation in the agreement.
Human error is to blame for a significant portion of the HIPAA violations that occur, whether it be the accidental deletion of a file, the failure to properly dispose of a document, or the opening of a phishing email by accident.
One strategy for a healthcare institution to lessen the effect of a data breach (and of a HIPAA violation fee) is to provide training and regular reminders to employees about the need to maintain patient confidentiality. Alongside the trash cans and recycling bins, display signs that remind employees to shred sensitive health records or otherwise dispose of them in an appropriate manner.
Hold training sessions that focus on important security weaknesses, like email phishing, and cover appropriate processes for creating and using passwords and for logging off the computer when use is complete. Even when names and other identifying facts are concealed, your client might still get into trouble as a result of their use of social media.
Establish guidelines that prohibit employees from disclosing any information online about patients who are under the care of your business.
Hacking and IT disasters might cause HIPAA-related problems for healthcare establishments.
ePHI is impermissibly accessed through technical intrusions into the covered entity’s or business associate’s systems, servers, desktops, laptops, mobile devices, etc., including malware or malicious hacking. Ransomware has cost hospitals thousands of dollars to recover captured data. The Hollywood Presbyterian Medical Center was attacked in February.
Hackers demanded a $17,000 payment for patient data. The hospital was offline for a week. Emphasizing user care in staff training sessions may help prevent ransomware attacks from succeeding.
Personal Health information might be used to get prescription medicines, obtain medical treatment, or make false claims for medical expenses.
These actions may result in widespread chaos over a protracted period of time for the individuals whose information has been seized. Because a breach of PHI might put patients and healthcare systems at grave risk, this information must be safeguarded.