Top Five Compliance Mistakes in Healthcare IT
As we’ve said before, HIPAA compliance has puzzled more than a few healthcare IT teams. Unlike many other regulatory regimes, HIPAA’s rules are more vague than prescriptive. So it’s not surprising that in trying to attain compliance and safeguard their protected health information (PHI), healthcare organizations often make compliance blunders that put their data and reputation at risk.
Below are the ones I see over and over. Do any of these mistakes sound familiar? Don’t worry – it’s never too late to start practicing smart and simplified compliance.
1) The organization doesn’t understand its compliance scope.
HIPAA extends into every corner of the healthcare organization. While many IT teams focus on the Security Rule, organizations must also meet all of the requirements in the Breach Notification and Privacy Rules which significantly expands the scope of compliance. Becoming HIPAA compliant involves departments from the patient billing office to the emergency room front desk to human resources. Even marketing teams need to comply with FTC regulations.
Another security gap: many IT teams fail to secure devices like drug delivery pumps or lab refrigerators that are wirelessly linked to the network. Many employees also use their own mobile devices to access the infrastructure, which becomes another exposure if a device is lost or stolen. To truly become HIPAA compliant, teams must identify and secure every device, component, person and process connected to their data.
2) The organization puts compliance before security.
Teams worried about the fines and repercussions of a failed audit often prioritize compliance over security. While this might sound logical, it’s actually a recipe for disaster.
Why? Because HIPAA compliance is not well defined and is essentially based on self-certification, many organizations take a minimal approach and fail to consider the full range of threats, or how those threats change as the security landscape evolves. Only a strong security posture in which all the controls work together will stop breaches and protect data. Teams should focus on achieving adequate security first, and then work through their compliance program to be sure they’re meeting specific HIPAA standards.
3) The organization doesn’t conduct risk assessments.
HIPAA’s Security Rule clearly requires organizations to conduct thorough risk analyses. Yet when the Office of Civil Rights (OCR) conducted a series of audits in 2012, it found a pattern of insufficient assessments, or no assessment at all.
The benefits of a risk assessment can’t be overstated. Not only will teams identify vulnerabilities and assign risk levels, they’ll be able to allocate their resources more effectively in implementing adequate safeguards. In addition, risk assessment should be baked into an organization’s processes to ensure that security is considered for all significant changes to the environment.
4) The organization is using an insecure provider.
Look at a few cloud provider websites, and you’ll see claims like “guaranteed 100% HIPAA compliant.” These vendors imply that they can help healthcare IT teams meet a defined checklist of criteria when the reality of HIPAA compliance is far more nuanced.
The truth is that many of these providers – referred to as Business Associates (BAs) by HIPAA – can’t provide the security required for true HIPAA compliance. They rarely take the time to understand the customer’s needs and risks and refuse to provide detailed information about their security controls. To avoid breaches and failed audits, teams must work with providers that have in-house security expertise – and business associate agreements must transparently spell out all compliance responsibilities.
5) The organization is duplicating its compliance efforts.
When it comes to healthcare IT, many teams focus so intensely on HIPAA that they don’t consider how often their other regulatory needs overlap. Most organizations deal with Payment Card Industry (PCI) compliance as well, but the two tasks are often treated as separate initiatives and assigned to different departments. As a result, the organization needlessly buys the same tools twice and re-creates documentation that another department has already produced. The reality is that HIPAA and PCI have many commonalities – and smart teams will streamline their efforts to save time and money.
If you’re struggling to understand HIPAA compliance or protect your PHI in the cloud, remember that you’re not alone. Few healthcare IT teams have the in-depth expertise required to navigate the security and compliance landscape without a few bumps along the way. But with the right approach and the right provider, you can lighten your compliance burden – and strengthen your security posture at the same time.