When it comes to HIPAA security, are you sure your practice has it right? Many practices think they’ve got HIPAA-Compliance down to a science, but in reality, that’s just not the case. Why? With HIPAA, the devil is truly in the details. Almost all practices know how to guard against obvious HIPAA violations, but it’s the little ones that trip them up, opening up their practice to audits, fines, and upset patients. Keep reading for five common HIPAA myths you might harboring, and the facts behind them:
Myth #1: Using iMessage to text with patients is HIPAA compliant because it is encrypted.
Fact: Yes, iMessage is encrypted, but encryption isn’t the only HIPAA standard your text messaging platform must meet to be considered HIPAA compliant. Texts sent via iMessages are stored on Apple’s servers for a period of time, and that means they could be accessed by a third party (via a data breach, for example). Plus, messages could be stored in the iCloud, which also doesn’t meet HIPAA standards. And you won’t be getting a business associate agreement from Apple—they don’t sign them—their terms and conditions even say so.
Myth #2: Small practices don’t need to worry about data breaches.
Fact: Small, independent practices sometimes think that they’ll never be targeted for a data breach simply because of their size. What would a hacker want with them? However, most data breaches aren’t caused by malicious hackers—they’re accidental. For example, an employee loses a smartphone with stored PHI, or someone’s laptop is stolen. To avoid these problems, have a very clear mobile device policy, including prompt reporting of lost devices and authorization of remote-wipe options in the case of lost devices.
Myth #3: You can email a patient without worrying about HIPAA compliance, as long as you have the patient’s permission.
Fact: Yes, iMessage is encrypted, but encryption isn’t the only HIPAA standard your text messaging platform must meet to be considered HIPAA compliant. Texts sent via iMessages are stored on Apple’s servers for a period of time, and that means they could be accessed by a third party (via a data breach, for example). Plus, messages could be stored in the iCloud, which also doesn’t meet HIPAA standards. And you won’t be getting a business associate agreement from Apple—they don’t sign them—their terms and conditions even say so.
Myth #4: As long as social media posts don’t picture a patient without their permission, you don’t have to worry about HIPAA compliance.
Fact: While accidentally picturing patients without their permission on social media is the most obvious route to a HIPAA violation, it’s not the only one. For example, say a practice posted an image of a new, cutting-edge piece of equipment. On the table next to the equipment, in the corner of the post, was a paper including a label bearing a patient name. The name was only readable if viewers zoomed in, but that’s a HIPAA violation nonetheless.
Myth #5: As long as a PHI hasn’t actually been compromised, your practice won’t get fined.
Fact: Your practice can be fined for large breaches, small breaches, and anything in between. But more importantly, the HHS OCR (Office for Civil Rights—where HIPAA complaints are investigated) can find you for even the potential of a breach. For example, if, during a HIPAA audit, the auditor finds that you’ve repeatedly failed to perform HIPAA-required risk analysis activities, you could be liable for a financial penalty, even though no PHI had actually been exposed.
Recommended Viewing:
https://www.profedondemand.com/healthcare-compliance-and-hipaa/2018-hipaa-breach-reporting.html
