Are you doing enough to protect your patient files from unauthorized access? The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities to take certain steps to reduce the risk of disclosure. Unfortunately, many covered entities overlook some of the requirements in the Security Rule, placing them at risk for fines and corrective actions.
In October, for instance, St. Joseph Health, a medical delivery system operating in California, Texas and New Mexico, agreed to pay more than $2.1 million to settle allegations that it violated the HIPAA Security Rule. The incident in question dates back to February 2012, when St. Joseph Health allowed sensitive patient files to be accessible on the Internet.
How did this costly incident occur? According to a statement issued by the Office for Civil Rights (OCR), St. Joseph Health purchased a server to store patient files. The server, however, had been set up with a file sharing application, automatically uploading the files to the cloud where they could be accessed by anyone with an active Internet connection. This resulted in the disclosure of Electronic Protected Health Information (ePHI) from some 31,800 individuals, including their names, health status, diagnosis, and demographic information.
There's no rule stating that covered entities cannot use their own servers. If you're going to store ePHI on one, though, you need to ensure it's secure and not visible to the public.
It's also important to note that Business Associate Agreements (BAAs) are required when using a third party to handle ePHI. Cloud computing service providers have become increasingly common among healthcare practitioners: rather than storing data locally, practitioners are choosing to store it in the cloud. When a third party performs this service, however, a BAA must be in place. Failure to create and maintain BAAs is one of the most common HIPAA violations, costing covered entities big bucks.
Encryption, while listed as an addressable specification in the HIPAA Security Rule, is a helpful solution to protect ePHI from disclosure. When files are encrypted, they cannot be read without the appropriate decryption key.
Furthermore, the HIPAA Security Rule requires covered entities to implement a combination of physical, technical and administrative safeguards to protect ePHI. Physical safeguards are tangible measures that protect against disclosure; technical safeguards are intangible “digital” measures that protect against disclosure; and administrative safeguards are practices and policies that protect against disclosure.