Often in life, situations arise where you find yourself at a crossroads between risk and reward. In organizations that must adhere to HIPAA regulations, these risk versus reward scenarios pop up regularly.
As an IT compliance professional, I will show you a couple of examples of how risk versus reward applies to IT issues in HIPAA-regulated organizations and how those decisions affect almost everyone in the organization.
Our experience performing security risk assessments has shown us that the most common security issues and HIPAA violations are the result of choosing either convenience over security or cost over value. In many cases the root cause is a lack of detailed knowledge of HIPAA regulations, but that is no defense: in the eyes of regulators, “ignorance of the law excuses no one.”
Convenience Over Security
Efficiency in any organization is essential, not only to enhance a company’s bottom line but also to improve service delivery to its clients or patients. Providers must always have access to their electronic medical record (EMR) system to do their job. Many EMR vendors offer mobile apps or web versions that can be accessed from anywhere at any time. This is very convenient! Providers can review their patients’ medical records and enter notes while they’re in the exam room with the patient, in their office, or even on the toilet (hey, no judgment here; one study showed that more than 38% of people have confessed to reading and sending emails while on the toilet). The problem with this convenience arises when it takes place on a device the company does not own or control, such as a personal cell phone. Is the device passcode protected? Is its storage encrypted? Does it have malware on it? Is this provider a parent who handed their phone to their toddler to watch a video? What if the toddler reached an EMR session that was never closed and unintentionally edited a patient record? Each of those is a potential impermissible use or disclosure of ePHI, and on an unmanaged device you would have no record that it ever happened.
Much of this can be avoided by using company-owned, secured devices AND instituting a companywide Acceptable Use Policy (AUP), the latter of which belongs in your organization’s Written Information Security Policy. You do have one of those, right? Company-controlled devices should be locked down, with enforced (not merely written) settings that ensure mobile devices are encrypted, passcode-protected, locked after a short period of inactivity, and able to be remotely wiped if necessary. Anyone with basic HIPAA training knows that a lost or stolen unencrypted device containing ePHI is presumed to be a reportable breach. What many people don’t know is that a lost or stolen ENCRYPTED device is generally NOT a reportable breach: under HHS guidance, ePHI encrypted in a manner consistent with NIST standards is considered “unusable, unreadable, or indecipherable,” so its loss does not trigger notification. Two caveats matter here. The encryption has to be actually enabled and verifiable on that specific device (a policy stating that all devices are encrypted does not help if the audit shows this one wasn’t), and the decryption key or passcode must not have been lost or exposed along with it. As a general practice, we encrypt all devices on our clients’ networks.
Cost Over Value
When comparing products or services, cost is typically one of (hopefully) many factors in the purchase decision. When the products or services are essentially the same, cost can be the deciding factor with little or no negative consequence. When they differ in features, capabilities, coverage, and so on, value should rank higher than cost. Value here means the sum of the useful features, capabilities, and coverage you get for a given cost, compared against what similar products or services offer for theirs.
Let’s consider, for instance, the locks you installed on the doors of your office to meet part of the physical safeguards required by the Security Rule.
The Security Rule portion of HIPAA (45 CFR § 164.304) defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
It’s important to allow only authorized personnel, or visitors accompanied by authorized personnel, into areas that contain equipment with access to or containing ePHI. This doesn’t just mean your network closet; it means anywhere there is a computer connected to your network. Are those locks mechanical or electronic? If they’re mechanical, how many keys exist? Where are all the keys, and specifically who holds each one? Can they be copied at the local hardware store? If the locks are keypad based, do you have one code that everyone shares, or does each person have their own code? Do you keep a log of keys and codes, keep it current, and rekey the locks or change the codes every time there is a personnel change?
For a small, 5 – 10 person operation with a single location, you could probably get by just fine with individually keyed or keypad locks and a diligently maintained log. Beyond that, the savings from mechanical or stand-alone electronic locks are lost when compared with the value of a physical access control system. A physical access control system lets electronic locks be installed and managed from a single console. When you hire a new employee, they’re issued their own code or key fob and granted access to all doors or only particular ones from that central system. If that employee resigns or is terminated, their code and/or fob is disabled immediately, and they no longer have access. The system also records every badge read, which gives you an access trail to consult when you investigate an incident. Sure, the cost difference is a few thousand dollars, but a disgruntled employee who still holds a working key could easily cause tens of thousands of dollars in damage or more by causing an ePHI breach.
These are only two of a plethora of situations where risk versus reward decisions come into play in any regulated operation. As cyber-security and HIPAA compliance experts, we look at everything as risk versus reward. Is the convenience of this worth the security risk of that? Do the cost savings of this outweigh the value of that? Careful consideration must be given to each of these decisions.
If you need help with your organization’s IT and cyber-security management, and HIPAA compliance, give us a call (561) 743-1521 or send us a message and we’ll be happy to help.