HIPAA Compliance – How to Avoid the “Wall of Shame”
If you’ve never heard of the HIPAA “Wall of Shame,” that may be a good thing (since that likely means you’re not on it). But whether you know about it or not, this list is real—and so is your risk of landing on it if your healthcare organization doesn’t have an effective HIPAA compliance program.
What is HIPAA’s Wall of Shame?
Under the HITECH Act, which amended HIPAA in 2009, the Secretary of the U.S. Department of Health and Human Services (HHS) must publicly post breaches of unsecured protected health information that affect 500 or more individuals. (Smaller breaches still have to be reported to HHS in an annual log; they just aren't posted.) The list is officially called the Breach Notification Portal, but in the healthcare industry it's more commonly known as the "Wall of Shame".
The Wall of Shame started in October 2009 on the HHS Office for Civil Rights (OCR) website; the agency overhauled it in 2017 for greater access and transparency.
Searchable fields include the organization name, state, covered entity type (health plan, healthcare provider, healthcare clearinghouse, or business associate), number of individuals affected, breach submission date, type of breach (e.g., hacking/IT incident, unauthorized access or disclosure, theft, loss) and location of the breached information (e.g., email, laptop, network server, desktop computer). Once a reportable breach is posted it is not taken down: the entry moves from the "under investigation" list to the portal's archive, so your organization's name stays on the Wall of Shame.
Aside from the public embarrassment and crippled reputation, the financial consequences for violating HIPAA can be extreme, too. Just look at this collection of large-scale HIPAA settlements, fines and penalties in recent years. Or read these staggering healthcare data breach statistics.
Our bottom line advice: Take HIPAA compliance seriously and avoid HIPAA violations at all costs.
Here are some tips to prevent HIPAA security breaches:
Know what electronic protected health information (ePHI) you have.
Define what counts as ePHI: individually identifiable health information (diagnoses, treatment notes, billing records, even an email that ties a patient's name to a visit) that your organization creates, receives, stores or transmits electronically. Inventory where it lives (EHR, email, file shares, backups, mobile devices, cloud services), how it flows between systems, and which controls govern it. You cannot protect data you haven't found.
Make security a top priority.
That means layered defenses rather than a single product: anti-phishing controls and email authentication against spoofing, endpoint protection and offline backups against ransomware, encryption for email and for stored ePHI, and data loss prevention (DLP) that detects and blocks ePHI leaving the organization. Encryption deserves special attention: HIPAA classifies it as an "addressable" specification, but properly encrypted data that is lost or stolen is not "unsecured PHI" and generally does not trigger breach notification, which makes it one of the most cost-effective controls you can deploy.
Bring in outside support for IT security.
Achieving HIPAA compliance isn’t easy. Consider relying on an IT partner with strong HIPAA compliance experience and proven technical solutions to help ensure your success.
Pay attention to access.
HIPAA's "minimum necessary" standard means staff should only see the ePHI their role requires. Implement role-based access (a scheduling account should not be able to open clinical notes), enable automatic logoff or screen lock after a short idle period, and keep audit logs of who accessed which records. Note that access control lists (ACLs) on files and folders restrict who can read or change data; they do not enforce idle timeouts, which come from endpoint configuration or group policy, so both controls are needed.
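The two access controls above can be spot-checked on a Windows workstation or file server with a script like the following. This is an added example, not code from the original article or from any vendor; the ePHI folder path `D:\ePHI` and the 15-minute idle limit are assumptions chosen for illustration, and the registry value it reads is the one written by the "Interactive logon: Machine inactivity limit" group policy.

```powershell
# Added example (not from the original article). Audits two HIPAA Security Rule
# access-control points on a Windows host:
#   1. automatic logoff / lock-screen timeout (machine inactivity limit)
#   2. minimum-necessary access: broad built-in groups must not hold rights on ePHI
# $EphiPath and $MaxIdleSeconds are assumed values for illustration.

param(
    [string]$EphiPath = 'D:\ePHI',   # assumption: where ePHI is stored on this host
    [int]$MaxIdleSeconds = 900       # assumption: policy says lock after 15 minutes
)

$findings = @()

# 1. Lock-screen timeout. Group Policy "Interactive logon: Machine inactivity limit"
#    stores the limit (in seconds) as InactivityTimeoutSecs under this key.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$idle = (Get-ItemProperty -Path $regPath -Name 'InactivityTimeoutSecs' `
            -ErrorAction SilentlyContinue).InactivityTimeoutSecs

if (-not $idle) {
    $findings += 'Machine inactivity limit is not set; screen will not lock automatically.'
} elseif ($idle -gt $MaxIdleSeconds) {
    $findings += "Machine inactivity limit is $idle s; policy requires $MaxIdleSeconds s or less."
}

# 2. Folder ACL. An Allow entry for any of these principals gives every account
#    on the machine (or domain) access, which defeats role-based access.
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

if (Test-Path -Path $EphiPath) {
    $acl = Get-Acl -Path $EphiPath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $broadPrincipals -contains $ace.IdentityReference.Value) {
            $findings += "$EphiPath grants $($ace.FileSystemRights) to broad group $($ace.IdentityReference.Value)."
        }
    }
} else {
    $findings += "ePHI path $EphiPath not found; confirm where ePHI is actually stored."
}

# Report. Exit code 1 lets a scheduled task or RMM tool flag non-compliant hosts.
if ($findings.Count -eq 0) {
    Write-Output 'PASS: inactivity limit and ePHI folder permissions meet policy.'
    exit 0
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
```

Run it with `-EphiPath` pointing at each share that the ePHI inventory identified; a finding in part 2 is a sign that the folder was shared to "Everyone" for convenience, which is exactly the kind of over-broad access the minimum-necessary standard is meant to prevent. The script only reads settings; fixing them belongs in group policy and in the share's ACL, not in an ad hoc script.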
Take time for mandatory (and recurring) training.
There are a lot of misconceptions about what is and isn't a HIPAA violation. The Security Rule requires security awareness training for the entire workforce, and it should cover what constitutes ePHI, the technical controls in place to protect it, how to recognize phishing and report a suspected incident, and the risks that come with cloud services, IoT and networked medical devices, malware and ransomware.
Make sure security support is easily accessible.
Ensure your staff knows where to go if they have security questions or technology concerns. Your managed IT services provider can be invaluable here.
Have an incident response and contingency plan.
HIPAA's Security Rule requires both: procedures for identifying, containing and documenting security incidents, and a contingency plan with data backups, disaster recovery and emergency-mode operations so ePHI stays available and protected when something goes wrong. Test restores, not just backups; a backup that has never been restored is an assumption, not a control. The plan should also cover breach notification: affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered, and a breach affecting 500 or more individuals must be reported to HHS within that same window.
Keep your HIPAA policies and procedures current.
Review them at least annually and whenever systems or workflows change. As part of training, all employees should know these P&Ps exist, know where to find them, and have access to them.
Designate qualified Security and Privacy Officers.
HIPAA requires a named security official and a named privacy official. They own the risk analysis and are responsible for keeping your program current with changes to the federal HIPAA regulations and with any more stringent state health-privacy laws, which HIPAA does not preempt.
Are your HIPAA compliance efforts enough to keep you off the Wall of Shame?
If you're not sure, there's no better time to find out. With the number of hacking and data-theft incidents reported each year, protecting the privacy of every patient's health information has only become more challenging.
If you need guidance from a HIPAA compliance IT expert, contact us today.