If Your Healthcare Organization Creates, Stores or Transmits ePHI, Read This!

We at eFax Corporate are planning in 2016 to bring you many webinars and other educational materials on ePHI, HIPAA, data security and other important healthcare topics.

Before we enter the New Year, though, we wanted to provide you with the following primer on avoiding several of the most common compliance pitfalls.

With the HHS Office of Civil Rights planning to begin its wide-reaching Phase 2 Audits in early 2016, we wanted you to share the following insights and suggestions—as well as provide some great sites where you can begin your own HIPAA compliance research. Please check back here regularly for details on our upcoming healthcare IT webinars.

Avoid These Five Common Compliance Pitfalls

It’s been a year of great challenge for healthcare organizations in terms of keeping electronic Protected Health Information (ePHI) safe against cyber criminals. For instance, ePHI breaches in the first half of 2015 alone soared to record levels — with more than 90 million records reportedly breached. This alarming trend, combined with the results of the Phase I Audit Program, have prompted the Office of Civil Rights to confirm its intention to conduct Phase 2 HIPAA Compliance Audits early in 2016, with focus on privacy, security and how well CEs comply with breach-notification requirements.

If your organization is looking at a conducting a Risk Assessment to better prepare for potential Phase 2 Audits, here are five common pitfalls you should avoid in your current HIPAA privacy and security practices:

Failing to implement and document data-security and privacy policies and procedures. The HIPAA Security Rule, for example, establishes broad administrative, physical and technical safeguards for ePHI that are either “addressable” or “required” standards, each with unique implementation specifications. Not having any documented process for how your organization manages toward these standards could certainly be a red flag for potential auditors.

Exposing ePHI to non-authorized personnel. A recent article in HealthcareITSecurity news discussed several HIPAA violations that were related to employees, associates, cyber hacking, and lost or stolen devices. All of these breaches, intentional or not, exposed or enabled access to ePHI by unintended personnel — resulting in several HIPAA investigations. Had stronger training, access controls and security measures been in place, many of these breaches could have been prevented.

Losing electronic devices, or having them stolen. With so many mobile devices in healthcare accessing ePHI, encryption should always be treated as a required standard. If an employee on travel or at a restaurant loses a device, having strong defenses in place to protect that data — such as the NIST-recommended AES 256-bit encryption standard for transmissions — can help mitigate these risks.

Failing to conduct a Risk Analysis. Conducting a Risk Analysis with a qualified third-party provider is one good way to understand potential vulnerabilities and technology gaps with respect to HIPAA. For example, does your network protect against next-generation technologies like malware and or malicious penetration attacks? Have you already identified all ePHI that you create, receive, maintain or transmit so that the same data can be protected? You can consult the Security Management Process standard in the Security Rule for more info.

Ineffective Bring-Your-Own-Device (BYOD) policies. BYOD environments can expose significant security risks for any Covered Entity or Business Associate. For example, a study from the Ponemon Institute states that 40% of firms cite mismanagement of mobile devices as the point of failure in HIPAA regulatory violations.  Implementation of strong BYOD policies and technology tools are integral to achieving security and compliance. For example, is ePHI on all devices encrypted? If the device is lost or stolen, do you have Mobile Device Management (MDM) tools in place that are robust enough to locate and remote wipe the device’s data? For more about BYOD Best Practices in Healthcare, read our Infographics and Blog posts, or visit our Healthcare Page.

eFax Corporate offers solutions for Healthcare providers that can enhance HIPAA compliance and help your organization avoid many of the pitfalls discussed above, including encrypted and secure faxing with eFax Secure™, eFax Corporate and eFax Developer™ with fax API. What’s also great is that with any of our cloud fax services, your organization can also eliminate dated fax infrastructure – saving your organization time and money as well.