The Department of Health and Human Services (HHS) separates Health Insurance Portability and Accountability Act (HIPAA) breaches into one of two categories: small breaches affecting fewer than 500 individuals, and large breaches affecting 500 or more individuals. While large HIPAA breaches carry bigger penalties, they aren't as commonplace as small breaches. So if you're a doctor, dentist or any other covered entity, you should take a proactive approach towards minimizing the risk of small HIPAA breaches.
Know Who's a Business Associate and Who's Not
Covered entities are often confused regarding who's a business associate and who's not, which often leads to HIPAA breaches later down the road. If a third party with whom your practice does business has access to Protected Health Information (PHI), that third party is considered a business associate. And as you may already know, covered entities must use a Business Associate Agreement (BAA) in scenarios such as this.
Encrypt Electronic PHI
Assuming you store personally identifiable information in digital format, you should encrypt this data to reduce the risk of a HIPAA breach. Unencrypted devices are often the root cause of data breaches, resulting in the disclosure of millions of patients' health records. Thankfully, encryption is relatively easy to implement, making it an excellent safeguard against HIPAA breaches, big and small.
Change Usernames and Passwords
Covered entities should get into the habit of changing their usernames and passwords on a regular basis – something that's often overlooked, especially by smaller healthcare practices. While it may seem harmless enough, failure to change your passwords could result in the disclosure of PHI. The longer a combination is used, the greater the risk of an unauthorized individual identifying and using the combination.
Use Caution When Disposing of Paper PHI
Most covered entities today prefer electronic PHI (EPHI) over paper PHI. However, that doesn't necessarily mean that paper PHI is obsolete. If you still use paper PHI, you should use caution when disposing of it. Simply tossing it in the trash can isn't enough to protect against HIPAA breaches. There have been countless cases of "dumpster diving," in which nefarious individuals recovered paper health files from a practice's dumpster. To prevent this from happening, make sure all paper PHI is completely destroyed (for example, shredded) before disposing of it.
These are just a few tips to help protect against small HIPAA breaches. The most important thing you can do, however, is to conduct your own internal security audits, looking for weaknesses and areas in which improvements can be made.