In June of this year, University of Texas MD Anderson Cancer Center was ordered by a judge to pay more than $4 million in penalties for multiple HIPAA violations after the Office for Civil Rights (OCR) audited the cancer center.
MD Anderson’s HIPAA violations included:
- Theft of an unencrypted employee laptop
- Failure to adopt universal encryption for electronic protected health information (PHI)
- Failure to encrypt portable electronic devices
MD Anderson fought the case, certain that their PHI security was compliant. They had likely been to compliance training. They had their checklist. That didn’t matter. A judge ordered them to pay $4 million.
Why did MD Anderson believe they were HIPAA compliant? Likely because HIPAA language, in order to apply evenly across many different kinds of organizations and vendors, is intentionally vague.
MD Anderson is not the first covered entity to come up short during an OCR audit and be fined millions of dollars. Rather, they are among a growing list of reputable medical facilities.
Recent OCR audits, in fact, found that 84 out of 104 medical facilities were out of compliance with HIPAA. Do you think your facility would pass a HIPAA audit today?
Common Mistakes to Avoid
Make sure email is encrypted, and be wary of sending emails containing sensitive patient information to vendors who are not compliant or who lack encrypted email. Unfortunately, whether a vendor meets that bar is not easy to determine from the outside. Having a compliance officer vet and manage vendors is the best method. Other common mistakes include:
- Not having a secure network
- Weak or no firewall
- Weak password protection
- Allowing employees to take electronic devices like laptops home
- Allowing employees to take files home
How to Keep PHI Files Secure and in Line With HIPAA Compliance
Software encryption is an important part of HIPAA compliance and one of the best ways to keep your patients’ sensitive information secure.
Assess Your Vendors
The Health Information Technology for Economic and Clinical Health Act (HITECH) – part of HIPAA – means that not only do you have to be compliant, but so do your vendors. You may be using encrypted email, for example, but are your vendors?
Assess Your IT Personnel
Make sure your IT department is using the best available technologies to keep PHI secure. This is a difficult task: if you do not know the ins and outs of data encryption and are not well versed in data security, it is practically impossible to properly assess your IT. At On-Site Computers, we often step in to assess the integrity of health care IT.
HIPAA Compliance Training
Make sure employees have undergone compliance training and are following a HIPAA compliance checklist when handling sensitive patient information.
A compliance officer – in house or outsourced – can run periodic risk and gap analyses to check the state of your technical security controls.
Consider Outsourcing Your IT
According to a recent survey by Black Book, 58 percent of responding health care organizations said they plan to continue outsourcing and 34 percent planned to increase IT outsourcing over the next few years. Tellingly, 84 percent of respondents mentioned that outsourcing IT had reduced their costs and transformed their businesses.
Outsourcing helps ensure HIPAA compliance, but it also helps improve your revenue cycle. When your work environment is more efficient and you no longer have to worry about HIPAA compliance and IT, you are better able to serve your clients and grow your business.
At On-Site Computers, we help care facilities keep their technology HIPAA compliant. We understand how easy it is for oversights to cost hospitals and clinics millions in penalties. If you have questions about HIPAA compliance or want to learn how to better secure your patients’ confidential information, contact us online today or call us at 800-669-8513.
Mike Bowe | Published on December 18, 2018