Your hidden exposure in managing risk for HIPAA compliance
In the fourth issue of our blog series on HIPAA compliance, we look at the major risk you might not consider when addressing HIPAA compliance. You can read the third installment about the level of encryption security required by HIPAA here, our second installment about the OCR’s Phase 2 audit program and its implications for cloud services users here, and our first installment about the importance of risk management to ensure compliance here.
So far in this series of blogs about HIPAA, we’ve covered important elements of compliance such as encryption of PHI, NIST recommendations about AES encryption, the need for ongoing risk assessment, and increased visibility into proper BAAs for third-party service providers through OCR’s Phase 2 HIPAA audit program.
These are all important topics, but there’s one major trend around HIPAA compliance that you shouldn’t overlook. The vast majority of enforcement actions, based on published resolution agreements, have been the result of audits triggered by breaches or potential loss of patient information.
This means that your need to disclose the current state of your compliance efforts may, in most cases, be driven by a lost laptop or mobile device, an errant click on a malware attachment in an email, or a phishing attack. These are entirely unpredictable events that are extremely difficult to protect against, and the odds are heavily stacked against your ability to avoid every single one of these incidents.
The bottom line, then, is that if you are assessing your chance of getting audited based on the likelihood of being selected by HHS, you need to realize that the much bigger risk is a security or privacy incident that triggers an audit.
Resources for educating employees about security threats
Here are some resources that you might find helpful in educating your employees about these security and privacy risks:
- Comprehensive report on the threat of ransomware
- Optimizing security practices among employees
- Email security guide for users
If you haven’t yet moved your IT services to the cloud, visit our website for a look at Intermedia’s solutions for healthcare. We have a comprehensive bundle of services designed to help you comply with HIPAA and maximize your IT resources.