You might think that by now most healthcare providers have the basics of compliance with the Health Insurance Portability and Accountability Act (HIPAA) down pat. Think again: according to the Department of Health and Human Services Office for Civil Rights (OCR), many are still making some pretty basic mistakes on this front. The agency recently announced that the five most common violations and mistakes are:
- Improper handling of business associates, including failure to put a HIPAA Business Associate Agreement (BAA) in place. As an MSP, your organization is a business associate of every healthcare provider client you serve. As a trusted advisor, it is also incumbent on you to ensure that each client has a BAA with every entity that qualifies as one of its business associates, meaning any vendor whose services involve access to or disclosure of individually identifiable health information, and that those vendors in turn have agreements with their own subcontractors, who are themselves business associates under the rule. The contract must describe the permitted and required uses of protected health information (PHI) by the business associate; require that the business associate not use or further disclose PHI other than as permitted or required by the contract or by law; and require appropriate safeguards to prevent any use or disclosure not covered by the contract. It should also state that if the covered entity (the healthcare provider) becomes aware of a material breach or violation of the agreement by the business associate, it must take reasonable steps to cure the breach or end the violation and, if those steps fail, terminate the contract; if termination is not feasible, the covered entity must report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Finally, the contract is how the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the PHI it receives or creates on the covered entity's behalf. Those assurances must be in writing, not verbal.
- Risk management and risk analysis "failures." These include neglecting to conduct a thorough inventory of where electronic protected health information (ePHI) is created, received, stored and transmitted within the organization, and ignoring what some consider OCR's primary mantra: "encrypt, encrypt, encrypt." According to OCR, business associates have in some years been responsible for 25 percent of healthcare data breaches. Encryption is therefore a must on both the MSP side and the client side, and it is your job as the MSP to ensure that it happens. Note that the Security Rule lists encryption of ePHI as an "addressable" implementation specification. That does not make it optional: if you decide not to encrypt, you must document the risk-based reason and implement an equivalent alternative safeguard. Encryption also pays off directly after an incident, because ePHI encrypted in line with HHS guidance is not "unsecured" PHI, so the loss of an encrypted laptop or drive does not by itself trigger breach notification.
- Poor overall data security. This, OCR said, includes failure to encrypt data at rest, failure to patch software adequately, and insecure data transmission. Some experts have pointed out that weak patching may stem from the fact that the word "patching" never appears in the HIPAA regulations. That is not a viable excuse: the Security Rule's risk management standard requires you to reduce known risks to ePHI to a reasonable level, and an unpatched, publicly known vulnerability is exactly such a risk. Treat patch timelines as a documented control, and treat unencrypted transmission of ePHI with the same seriousness as unencrypted storage.
- Weak internal controls. Improperly implemented access controls rank at the top of the list here, followed by "sloppy" employee termination procedures and the lack of an internal audit program. Be mindful of your own organization's termination procedures: when an employee or contractor leaves, disable their accounts, remote-access and remote-management tool logins, and any shared credentials they knew, on the day they leave. Keep access controls tight (unique user IDs, least privilege, periodic access reviews) and maintain a comprehensive internal audit program. Recommend that healthcare provider clients tighten their own termination procedures, and assist them with their internal audit program and with properly managed deployment of access controls.
- Data management problems. In OCR's view, lack of rigorous backup procedures, failure to create a robust data recovery plan, and/or improper data disposal processes all come under this umbrella. Given the rising incidence of ransomware attacks, solving these problems has, or should have, become a higher priority for MSPs in their role as business associates and as advisors to entities covered under the HIPAA regulations. Two practical caveats: ransomware operators routinely seek out and destroy backups, so at least one copy must be offline or otherwise immutable, and restores must be tested rather than assumed; and HHS treats ransomware that encrypts ePHI as a presumptive breach unless the entity can demonstrate a low probability that the data was compromised, which makes a tested recovery plan a compliance matter as well as an operational one.
The HIPAA regulations will continue to be revised and expanded as new threats to the integrity of health data arise, opening the door to more compliance snafus. Addressing these common mistakes now, rather than later, will mean an easier time for MSP business associates and healthcare providers alike.