In case you don’t know, HIPAA is a law that was passed in 1996. It is a significant and wide-ranging law that covers the protection of healthcare information. This would include patient records, financial information, administrative documents, etc. Needless to say, medical records can contain some very personal information, and it is very important to keep those records safe. That is why they added enforcement provisions to the law in 2006, allowing the Department of Health And Human Services to fine or even imprison those who do not comply. Needless to say, that makes it very important to prevent any sort of HIPAA breach.
How Does A HIPAA Breach Commonly Happen?
Unfortunately, these sorts of violations are all too common. Here are some of the things that most frequently cause HIPAA breaches to occur:
- Failure to do risk assessments regarding confidential data
- Non-Authorized access of protected health information
- Allowing vendors to access protected health information without a HIPAA-compliant contract in place
- Retaining confidential data that is no longer needed, or destroying it in a non-secure way
- Failure to take action to secure protected information
- Accidental public posting of confidential information
- Failure to train all relevant personnel on HIPAA procedures
- Not keeping proper logs regarding access to protected health information
- Non-secure storage or transfer of protected health records
- Refusing to give people full access to their own healthcare information
- Failure to report a breach or incident
As you can see, these are broad categories, each of which could include many specific types of violations. It all comes down to one thing: If regulators believe that you have failed to take adequate precautions to protect confidential medical records, you will probably be looking at a large fine.
Average Cost Of A HIPAA Breach
On the subject of fines, let’s talk about the approximate size of those HIPAA fines. First of all, these fines are divided into four “tiers,” depending on the severity of the violation:
- Tier 1: The offender was unaware of the problem and could not have reasonably prevented the breach.
- Tier 2: The offender was not aware of the problem, but should have been aware of the problem. A tier 2 violation also requires that the breach could not have reasonably been avoided.
- Tier 3: The offender knowingly violated HIPAA rules, but took some action to correct the problem.
- Tier 4: The offender knowingly and willfully violated HIPAA rules and made no attempt to correct the problem.
Obviously, tier 4 violations will incur the highest fines, while tier 1 violations will incur the lowest fines. Here is the scale that will be used when assessing the amount:
- Tier 1 Fine: $100-$50,000
- Tier 2 Fine: $1000-$50,000
- Tier 3 Fine: $10,000-$50,000
- Tier 4 Fine: $50,000 and up
As you can see, regulators have a lot of discretion when it comes to deciding the amount of your fine. That is why it pays to go the extra mile and avoid such expensive violations.
How To Protect HIPAA Information
Let’s talk about how you can prevent a HIPAA breach from occurring. There are certain things you can do that will make such an event far less likely, so let’s look at some of those precautions in detail.
HIPAA Breach Prevention Best Practices
For one thing, you want to make sure that you are using strong encryption to protect your confidential files. This encryption must be used both at rest and in transit. If you don’t understand encryption very well, just understand that protecting stored data is a little different than protecting network data while it’s in use.
Protecting stored data files with encryption is fairly simple. You use a reputable encryption program to “scramble” the contents of the file. From there, it’s just a matter of protecting the password from all unauthorized eyes. This password functions as a decryption key, meaning that it is functionally impossible for anyone to decrypt the data without the password.
That being said, it won’t do any good if you use a weak password. There are programs that can easily crack passwords, but they only work well on short and simple ones. A good password should have about 20 characters, should contain both upper and lowercase letters, and should contain numbers and symbols as well. In general, long and random strings are much harder to crack.
Encrypting data in transit is another matter. This requires the use of a VPN network or something similar. A network like this creates an encrypted “tunnel” between you and the sites you visit. When combined with native HTTPS encryption, this kind of thing makes it much harder for anyone to gain unauthorized access. Even if they do, the use of a well-configured VPN can be used to show that you took significant action to protect those confidential records.
It is also very important to limit access to protected health information (which is commonly called PHI for short). Such records should only be viewed on a “need-to-know” basis. In other words, only those employees who need the information should be allowed access to that privileged data. This minimizes the number of people that have to be trusted and makes any potential cyber-attack harder to plan.
It is important to remember that a HIPAA breach can be an extraordinarily expensive problem. That is why you should not hesitate to tackle these issues immediately. Small businesses particularly cannot afford the price of these fines, so quick action makes a lot of difference. Of course, you can also look for an expert company that will help you handle HIPAA compliance, as that does tend to make things a lot easier. If you would like to know more, you can call PCH Technologies at (856) 754-7500.