HIPAA compliance isn’t just for hospitals, doctors or surgical centers. It can also impact you if you serve any of these markets. Understanding what your responsibilities are when it comes to HIPAA compliance will keep you off the Department of Health and Human Services’ “Wall of Shame.”
We interviewed Nelson Gomes for this week’s post. Nelson is President of Priority One Group, an IT services company that specializes in medical practices and surgical centers and in keeping them, and their vendors, compliant with HIPAA requirements.
When asked what the number one issue he sees with healthcare practices is, Gomes says that some healthcare providers don’t understand the magnitude and ramifications of non-compliance. Unfortunately (or fortunately) the Department of Health and Human Services (HHS) wields a heavy hand in penalties if they find you in violation.
In HIPAA terminology, any “Covered Entity” (a hospital, doctor, surgical center, etc.) that has access to Protected Health Information (PHI) must take the necessary measures to ensure that data is secure and meets HIPAA requirements. This also extends to “Business Associates” who serve and support the Covered Entities and who may come into contact with PHI.
Gomes cautions, however, that just because a Business Associate signs off on a form, ultimately it is the Covered Entity that is responsible if there are any breaches. One thing he finds is that Covered Entities wrongly assume that the liability falls primarily on their IT providers. It doesn’t. He also cautions that just because you have a managed service provider working for you doesn’t necessarily mean they are knowledgeable in HIPAA requirements or are addressing all the possible threats that could cause a violation.
If you are in this field, or are considered a Business Associate to one of these entities, it is very important that you engage a firm that knows what they are doing in this area.
We also asked Gomes what common issues his team sees when working with clients that can cause breaches or violations:
- Sharing passwords or using the same user account to access systems
- Being lax in ensuring all systems are kept updated and patched with the latest updates.
- Emailing protected health information (PHI) without encrypting the emails.
- Saving PHI on unencrypted hard drives.
- Not checking for outside vulnerabilities and breaches.
- Not having written security policies in place or following them.
What happens if you discover a HIPAA violation? Gomes says that the violation needs to be disclosed to the Department of Health and Human Services, and penalties can add up to thousands of dollars per violation per day. You don’t want to end up on the HHS violations website, otherwise known as the HIPAA “Wall of Shame.”
If you aren’t taking precautionary measures, or can’t at least show that you have a plan in place, the HHS has been known to come down hard on Covered Entities and their Business Associates. Gomes recommends and implements the following with his clients:
- A risk assessment every year, which includes going through a series of questions on your policies and providing proof that you are following them. (For example, if you say you have a password policy, you need to show the policy.)
- Understanding the gaps and laying out the plan to remediate them
- A vulnerability scan at least once a quarter
- Penetration testing yearly to test exposure to outside breaches.
In addition, Gomes recommends that his clients follow the same standards to which he holds his own firm:
- Test staff on their knowledge of HIPAA compliance and suspend them until they pass
- Have a designated Compliance Officer in house who is familiar with HIPAA compliance issues
- Get validation from an outside party to make sure you are in compliance and following the guidelines.
HIPAA violations are expensive, and can shut down your company or severely damage your reputation. Even if you only serve Covered Entities or come into contact with PHI, you may have exposure. So take the advice your own doctor would give you: an ounce of prevention is worth a pound of cure. Get a handle on HIPAA compliance, your exposure and what you need to do to fix it.