March 17, 2021
Clinical Practice Today: Major HIPAA Threats for Medical Practices
Failing to prepare for threats to patients’ protected health information is itself a violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Privacy breaches trigger investigations by the government, which can result in fines if a practice cannot show due diligence. The most common weak points to guard against include the following.
COVID-19 precautions have shifted care delivery online and into cloud computing, prompting a sharp rise in cybercrime. One security firm found attempts to bypass legacy safeguards increased by 260% between January and September 2020, with health care as the leading target.
Jason Karn, the chief compliance officer for consulting firm Total HIPAA, says a lack of cybercrime preparedness is the No. 1 privacy violation he sees among practices. Legacy computer systems are the main cause. Even the best firewall software will function poorly on such systems, he says. “For example, I warn my clients that they can’t use Windows 7 anymore.”
Any breach affecting 500 or more individuals must be reported and triggers a government investigation. Practices can avoid a fine by documenting that the correct policies and procedures were in place, notes Karn. Regulators will look for evidence of risk assessments and training logs, so maintaining those records is essential.
Training should emphasize how to prevent phishing attacks: staff should not click links delivered through unsolicited email, text messages, pop-up ads, or on-page ads. The same security firm’s study found that 84% of attempted cybercrime in the health care sector involved phishing.
Another risk associated with the pandemic is heightened curiosity about who has the disease. Rigorous access controls and accurate IT logs can deter prying into records, Karn says. Additionally, a formal policy should exist for terminating former employees’ access to patient records as soon as they leave. IT audits usually uncover these violations, he adds.
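The two checks Karn describes, accurate access logs and prompt removal of former employees' access, can be reconciled in an audit script. The following is an added example, not code from the original article or from Total HIPAA: it parses a constructed EHR access audit log, flags any activity by an account after the termination time recorded by HR, and flags accounts that look up an unusual number of distinct patient records in a short window (a simple heuristic for prying). The log format, field names, thresholds and every record are assumptions made for the illustration.

```python
"""Reconcile an EHR access audit log against HR offboarding records.

Added example; not from the original article. The log format and all
records below are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR offboarding data: account -> termination timestamp.
# Any activity by the account after this time is a deprovisioning failure.
TERMINATED = {
    "jdoe": datetime(2021, 2, 1, 17, 0),
}

# Constructed audit log lines: timestamp, account, action, record identifier.
AUDIT_LOG = """\
2021-02-01T09:12:00 asmith VIEW MRN-1001
2021-02-01T09:15:00 asmith VIEW MRN-1002
2021-02-02T08:03:00 jdoe VIEW MRN-1003
2021-02-02T08:05:00 jdoe EXPORT MRN-1003
2021-02-02T10:00:00 bjones VIEW MRN-1001
2021-02-02T10:01:00 bjones VIEW MRN-1004
2021-02-02T10:02:00 bjones VIEW MRN-1005
2021-02-02T10:03:00 bjones VIEW MRN-1006
2021-02-02T10:04:00 bjones VIEW MRN-1007
2021-02-02T10:05:00 bjones VIEW MRN-1008
"""


def parse_log(text):
    """Parse whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, mrn = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "mrn": mrn})
    return events


def accesses_after_termination(events, terminated):
    """Return events where an account acted after its HR termination time.

    Every hit is an access-control failure: the account should have been
    disabled before the employee's departure took effect.
    """
    return [e for e in events
            if e["user"] in terminated and e["ts"] > terminated[e["user"]]]


def high_volume_lookups(events, window_minutes=10, threshold=5):
    """Flag accounts that VIEW at least `threshold` distinct records within
    any `window_minutes` span. Returns {account: max distinct records seen}.

    Crude by design: it cannot tell a legitimate clinic session from prying,
    so hits are leads for a human reviewer, not verdicts.
    """
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "VIEW":
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0  # sliding window over the user's sorted views
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = len({x["mrn"] for x in evs[start:end + 1]})
            if distinct >= threshold:
                flagged[user] = max(flagged.get(user, 0), distinct)
    return flagged


if __name__ == "__main__":
    evs = parse_log(AUDIT_LOG)
    for e in accesses_after_termination(evs, TERMINATED):
        print(f"TERMINATED ACCOUNT ACTIVE: {e['ts']} {e['user']} "
              f"{e['action']} {e['mrn']}")
    for user, n in high_volume_lookups(evs).items():
        print(f"HIGH-VOLUME LOOKUPS: {user} viewed {n} distinct records "
              f"within 10 minutes")
```

On the constructed data the script reports both of jdoe's actions (the account was still active the morning after its termination time, and it exported a record) and flags bjones for viewing six distinct records in five minutes. The termination check only works if HR offboarding data and the audit log share an account identifier and a synchronized clock; the high-volume heuristic needs thresholds tuned to the practice's normal workload, and a treatment-relationship lookup would make it far more precise.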
Noncompliance with the Right of Access Initiative
Recent HIPAA enforcement guidance strengthens patients’ rights to access their own records. Although this initiative has already produced numerous fines for noncompliance, Karn notes that many physicians are not aware of it.
Importantly, the guidelines allow patients to choose their preferred format for receiving records, including having records transferred to health care apps. Many providers still rely too heavily on outdated record-keeping methods such as paper, CDs, and faxes, according to Cristin Gardner, vice president of product at Life Image, a global medical evidence network.
“There’s some wiggle room,” she says. “If you can’t meet the format, you can have a conversation with the patient about alternative options.” But both the government and patients are applying pressure for greater digital connectivity, she adds.
Originally published in Clinical Practice Today, a Duke Health publication, February 2021.