Data breaches, unencrypted devices and safeguarding protected health information aren't the only HIPAA elements hospitals and healthcare organizations should be concerned about.
David Vaughn of Vaughn & Associates in Baton Rouge, La., a healthcare-centered law firm, discussed HIPAA compliance at the American Society of Interventional Pain Physicians' annual meeting, reported by Fierce Practice Management.
In his presentation, Mr. Vaughn said half of the penalty amounts in HIPAA cases were related to the organizations' failure to develop written HIPAA policies, procedures and risk assessments and not the actual breach itself, according to the report.
Here are six best HIPAA practices to follow that could help reduce the penalty should a data breach occur.
1. Include an indemnity clause in business associate agreements. If a business associate is responsible for a breach, an indemnity clause holds that business associate responsible for paying any fines. If a business associate won't sign an agreement with an indemnity clause, Mr. Vaughn said to find someone who will because it could save the hospital hundreds of thousands of dollars, according to the report.
2. Secure cyberliability insurance. Healthcare organizations should obtain cyberliability protection for themselves as well as for business associates due to the risk of vendors that handle protected health information going out of business.
3. Encrypt anything and everything housing protected health information. While this is not required, it ensures every device that could potentially be stolen is safeguarded, including cell phones, tablets and workstations. Additionally, if encrypted hardware is stolen, organizations don't have to report the breach of unsecured equipment to the federal government.
4. Draft policies regarding employees taking records from the office. According to the report, Mr. Vaughn suggested developing policies explicitly outlining how long employees can leave the office with records, how long they can be left in a car and what type of protection they must have when leaving the office (ie., in a locked briefcase).
5. Develop policies regarding removable devices. Create policies that clearly state who is authorized to take removable devices containing protected health information outside the office, as well as what circumstances doing so would be permissible. Mr. Vaughn suggested eliminating the use of thumb drives entirely, as "it's just too easy to walk off with them. And because they're so small, they could easily get lost," according to the report.
6. Conduct risk assessments. In addition to an initial risk assessment, conduct them regularly to ensure continued compliance. Additionally, Mr. Vaughn recommended hiring a third-party expert to conduct the assessment to ensure all corners have been thoroughly inspected, according to the report.
More Articles on HIPAA:
7 Myths of HIPAA Security Risk Analysis
7 Most Common Security Tools to Prevent Unauthorized Access
Minimum, Maximum Civil Penalties for HIPAA Violations