How to Avoid HIPAA Disasters And Security Pitfalls

Nathan Starwalt
May 2, 2018 8:35:48 AM

The penalties for HIPAA violations are devastating. The fines alone are high enough to bankrupt most pediatric therapy clinics. According to Morgan Brown at TrueVault:

The penalties for noncompliance are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. Violations can also carry criminal charges that can result in jail time.

Source: What is the penalty for a HIPAA violation?

It's easy to forget the consequences, and get complacent, but you have to stay vigilant or you will put your clinic at risk. Here's some more information to put it in perspective:

Violation category

Fine per violation

Maximum Fine

(A) Did Not Know

$100-$50,000

$1,500,000

(B) Reasonable Cause

1,000-50,000

1,500,000

(C)(i) Willful Neglect-Corrected

10,000-50,000

1,500,000

(C)(ii) Willful Neglect-Not Corrected

50,000

1,500,000

Source: Federal Register

Those fines are pretty terrifying, right? 

The information that pediatric therapists work with everyday is sensitive, so you need to ensure proper handling. Otherwise you're leaving your clinic open to disaster.

To help with that, we've compiled a list of tips.

Pediatric Therapy EMR

But remember: even if you follow all the points here, your security isn't guaranteed. New ways to compromise data are developed every day. So no amount of tips can guarantee that a breach won’t happen to your clinic. To be truly protected, consider talking to a professional security firm.

However, there are some easy steps you can take to begin improving your security. That's what this list is for. It isn't meant to be comprehensive. It's just a starting point. Some of the points may even seem like common sense, but they're important enough to be worth a reminder.

The list is broken into three categories. The first section focuses on habits that can be formed to minimize exposure. The second section covers digital security tips that do not require a technical background to implement. Finally, important information to know closes out this list.

(Also, at the end of the post, we've included a SWOT template you can download to conduct a risk analysis of your clinic.)

Habits

  • Don’t leave computers unattended & unlocked. A quick keyboard command to lock a computer: the windows key plus L. Leaving your computer unlocked is like leaving your keys in your unlocked car!
  • Carefully review pictures that you take before posting them online. Pictures of passwords end up online all the time, and it would be easy for PHI or payment information to be compromised in a similar fashion. For instance, if someone takes a picture of one of your therapists when they’re doing documentation, you could have a problem on your hands if that picture ends up on social media and PHI is visible. Asking for date of birth address, etc. can be effective ways to make sure someone is who they say they are.
  • Polarized screens can be used to curb shoulder surfing. These can be annoying to use, but these are particularly important for computers that might handle financial information.
  • Verify identities before disclosing protected information. Accidentally disclosing the wrong information to the wrong person is something that can rarely be undone. Asking for date of birth address, etc. can be effective ways to make sure someone is who they say they are.

Digital Security

  • If you are an administrator, only give users access to the parts of the program they need to complete their jobs. It can be tempting to allow everybody access to everything for ease of use, but that would only have to backfire one time
  • Each user should have their own login and password. Sharing accounts is a bad idea for several reasons. Security notwithstanding, there are auditing risks that would coincide with this point.
  • Fusion also gives clinics the ability to lock out users after periods of inactivity. This may seem inconvenient, but this feature is only one small part of securing information.
  • Don’t keep PHI in places that aren’t secured on your computer. Easily overlooked places include the download folder for your browser.
  • social engineering, phishing, and spear phishing. Social engineering takes place when someone attempts to get sensitive information through psychological manipulation. Phishing and spear phishing attacks occur when communication is made to appear as though it is from a legitimate source. These communications will be used to convince victims to provide sensitive information.
  • Links in emails need to be examined thoroughly. It is generally a bad idea to click on links in emails you don’t know the origin of. Attackers will often make a webpage that looks very similar to legitimate page and use that page to phish for usernames and passwords. Another style of attack will send you to a legitimate page that has been modified by an attacker to leak data.
  • Don’t use an unsecure password. There are lists of commonly used passwords on the internet, check to make sure that your password is not on that list. Typically, the password needs to include a minimum of eight characters with a mix of upper and lower-case letters, numbers and special characters.
  • Requiring users to change their passwords every 3 months typically encourages people to make their passwords less secure so that they can remember them easier. If the password is secure, the only reason to change it would be if you suspect the password has been compromised.
  • Fusion employees will never ask for your password. Your password is for you only. This can be applied to everywhere on the web. There is only one person that needs to know your password, you. This applies to your financial websites, social media, etc.
  • Fusion employees will never ask you to download and run a program on your computer. The same details from the previous tip apply here as well.
  • Keep browsers up to date. Browsers are a focal point for attackers since they are the primary way to interact with web pages.
  • Flash drives should rarely be trusted. Even if you know who owned the drive, you should consider twice before plugging in the drive. Many exploits require physical access to your computer and flash drives can harbor malware.
  • Be careful when copying and pasting from web pages. Zero-width characters can be inserted into text which can cause harmful side effects. A zero-width character is when letters and numbers have been changed programmatically to not display.Malicious URLs can be rendered almost indistinguishable from legitimate URLs by using these characters.

Stay Informed

  • Run a risk analysis on your clinic. What keeps you or your boss up at night. Download our SWOT analysis template below to get started on this at your clinic.
  • Know your emergency contacts in case of a compromise. If someone was given access to your patients’ PHI, do you know who to report that to? If you were told it was the Department of Health and Human services, should you believe that?
  • Know common techniques that scammers use. Using social media to pretend to be a family member is popular. Anyone asking you to send them money through Western Union that you have never met in person before is most likely trying to defraud you.

SWOT Template for Clinic Risk Analysis

We've put together a SWOT template with some guidelines to conduct a risk analysis at your clinic. This handout will guide you as you look for areas where you can improve security and HIPAA compliance.

Security SWOT Analysis Mockup.jpg

By submitting this form, you authorize Fusion Web Clinic to contact you with more content and information.

Subscribe by Email

No Comments Yet

Let us know what you think