Recently, a Massachusetts hospital was fined $218k for violating HIPAA requirements and using a cloud-based file sharing service. Even though there was no actual breach, the method used for sharing the electronic protected health information by the hospital staff was considered risky enough to warrant a fine. $26.4 million fines have been imposed by the OCR till date for HIPAA privacy, security and breach notification violations.
OCR Director Jocelyn Samuels recently said, “Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications”. Healthcare organization has to regularly exchange sensitive patient data with other parties – they need to ensure that this is done in a safe and secure manner so as to protect patient privacy as well as comply with HIPAA requirements.
How can healthcare organization ensure that the data is exchanged in a secure manner?
- Encryption: Data encryption is a must-have for end-to-end security. Remember a secure file transfer system make certain that files are encrypted in transit and at rest. So even if the system is hacked and data is potentially accessed, all files will still be encrypted.
- Data Storage: Under the HIPAA Omnibus rule, the cloud providers that store PHI are now considered “business associates”, however, make sure you know where your data is housed, who is managing the data centers and who all have access.
- On-the-Go File Transfer: As per the study conducted by IDC Healthcare Insights, on an average clinicians use 6.4 different mobile devices in a day. Hence, ensure file transfer security across all the devices (iPad, Tablets, Smartphones), not just the ones installed in an examination room.
- Authentication: User authentication is critical for data security as it makes certain that only the recipient can download the file since they need to provide their credentials. To discourage individuals from sharing usernames and passwords, always go for automated user authentication through integration with Active Directory.
- Data Management: Avoid unnecessary exposure by automatically removing files from the system after a certain number of days or downloads. Make sure that any sensitive files are only on the system for as long as they need to be.
- Anti-malware: There is an inherent risk of introducing malware into the network while exchanging files that could cause potential data breaches. Ensure your file transfer systems have anti-malware protection to carefully scan files before they are uploaded to the system to avoid any inconvenience.
For more insights on new HIPAA rules and regulations, check out ProfEdOnDemand’s informative audio conferences and webinars.