Cyber security has become increasingly important, particularly as our society has shifted to accommodate changes during the COVID-19 global pandemic. One of those major changes is telemedicine and the growing number of online medical records. It is now more important than ever to protect patients’ medical information and to remain in compliance with HIPAA.
What does HIPAA mean?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Congress understood that with technological advances in electronic health records comes the risk of eroding health information privacy. This law required Health and Human Services to “adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security.” To sum it up, HIPAA protects individually identifiable health information held by covered entities, which include health plans, health care clearinghouses, and health care providers that conduct health care electronically, such as through telemedicine. Telemedicine, or telehealth, has become increasingly common due to the global pandemic. It’s now more important than ever to ensure medical websites and databases are HIPAA compliant.
What does it mean to be HIPAA compliant?
Health and Human Services (HHS) outlines general security rules for HIPAA compliance. These rules require reasonable and appropriate safeguards for protecting electronic protected health information (e-PHI) in three areas: physical, administrative, and technical. HHS requires all covered entities to:
- Ensure confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
If entities fail to comply with HIPAA, they are subject to civil money penalties and procedure hearings.
What happens if there is a breach of security?
Health and Human Services define a breach as, “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” Immediately after a breach, entities must respond by deploying mitigation procedures, reporting any crime to law enforcement agencies, reporting the threat to the appropriate federal agencies, then conducting a risk assessment to determine the following:
- How much of the protected health information was involved in the breach?
- What types of identifiers were breached?
- How likely is it that the breached information can be re-identified?
- Who was the unauthorized person that used the protected health information?
- Was the protected information acquired or viewed?
- How has the risk to the protected information been mitigated?
If an entity determines there is a breach, it must notify the affected individuals no later than 60 days after the breach is discovered. If the breach affects 500 or more people, it must also be reported to HHS’s Office of Civil Rights and the media as soon as possible (and no later than 60 days after the breach). If the breach affects fewer than 500 people, the entity still must report it to the Office of Civil Rights (no later than 60 days after the end of the calendar year in which the breach occurred). Even if the entity concludes there was no breach, it must document every piece of information gathered during the risk assessment, especially how it determined that no breach occurred.
How can you ensure your website is HIPAA compliant?
A security breach involving HIPAA-protected information, or even a suspected breach, is a headache, to say the least. So what are some ways you can prevent a HIPAA security breach? The answer is simple: take cybersecurity precautions for your business. Be proactive instead of reactive.
- Ensure your employees are properly trained. The human firewall is often the most important defense you have against a security breach.
- Have firewalls in place. A firewall blocks traffic that has not been explicitly allowed, which helps shield your data and applications from potential threats.
- Use SSL/TLS (Secure Sockets Layer / Transport Layer Security). It encrypts data in transit so third parties can’t read what you are sending or viewing.
- Install antivirus and anti-malware software and keep it up to date. New malware is created every day, and outdated software may miss a threat.
- Keep your operating systems and applications up to date to avoid weaknesses and cyberattacks.
- Monitor your network for suspicious activity so you know when something is wrong and can act quickly to mitigate the risk.
You can download our cybersecurity checklist to see how your website measures up. If you notice any gaps in your cybersecurity, reach out to us. We specialize in cybersecurity for businesses and are here to help protect your business from cyberattacks and HIPAA breaches.