New technology can bring value and efficiency to an organization, but it can also bring new security vulnerabilities.
Failing to comply with HIPAA has high stakes. Unfortunately, HIPAA compliance is not always the top priority when a company is looking to invest in technology. Who is in charge of new technology at your company? Who is in charge of security? Privacy? Do these people talk? Or do they operate in silos?
A managed care company entered a $1.7 million settlement after an unsecured database left the PHI of 621,402 patients accessible to unauthorized parties. The company had failed to perform a HIPAA security risk assessment in response to a software upgrade.
This is a common problem in the healthcare industry. Let's say your company decides to purchase 900 tablets for its health care professionals. These tablets will improve efficiency, patient care, and quality of documentation. Let's also say your compliance officer isn't involved in the purchasing process and learns of the tablets after the fact. The compliance officer brings up the need to equip the tablets with encryption technology, anti-virus software, and other security measures. It could be too late to budget for security after the tablets have already been purchased.
What You Can Do.
- Assess and re-assess. Conduct a HIPAA Security risk assessment at least annually. Also conduct assessments when the Security Rule is updated or when new security guidance is issued. Most importantly, re-assess whenever you introduce new technology or otherwise change your IT environment.
- Remove silos. Structure your technology purchasing process so that your Privacy and Security Officers have a seat at the table BEFORE decisions are made. Likewise, recognize that individuals making changes to technology need to communicate those changes to your Security Officer so that the risk can be assessed.
Learn about other HIPAA Hazards and how you can avoid them.