With hefty HIPAA fines on the line, protecting sensitive patient information isn’t a joke. The Omnibus rule, which was enacted in 2013, requires both the healthcare provider and any vendor who comes in contact with electronic protected health information (ePHI) to be HIPAA compliant. That means as an IT service provider you could be on the hook if something were to happen to one of your customers.
To ensure that you and your customers are compliant with today’s industry standards, take a look at these common HIPAA violations that you might have overlooked.
While every business (healthcare providers included) likes good reviews, patient testimonials are something that might be putting your SMB customer at risk. Unless the SMB has signed authorization from the patient to post the testimonial, it could result in a $25,000 HIPAA fine. A patient may happily give a testimonial based on the excellent service they received at, for example, your customer's physical therapy office, but their name, photo, and the testimonial itself cannot be published on the company website without written consent, because doing so discloses the individual's PHI.
This includes anything an SMB's employees publish on their own social media accounts as well: pictures of procedures, patient stories, or even a photo with a patient's chart visible in the background, all of which can land your customer with a hefty fine. Nor is the problem limited to PHI that is shared digitally. Any conversation about patients with coworkers or family members who have no need to know could put the organization at risk.
Lost or stolen devices
As an MSP, it's your job to ensure that every device on a customer's network is protected, including tablets, phones, and laptops, especially those used to access ePHI. To reduce the risk of ePHI being exposed in transit, encourage your SMB customers to adopt a secure email and text messaging solution that encrypts messages whenever staff communicate about patients.
When checking in with your SMB clients, confirm that every device accessing the network is encrypted, password-protected, and accounted for. After all, it only takes one lost, stolen, or compromised device for your client to be breached. Recently, a Dallas hospital had to pay a $3.2 million HIPAA fine after an unencrypted, non-password-protected BlackBerry and a laptop went missing, jeopardizing the ePHI of 6,200 individuals. While the Dallas hospital paid the cost of this breach, the IT provider could have been held liable as well.
One example of an IT provider being held liable came last year, when Catholic Health Care Services (CHCS), a management and IT service provider, had to pay $650,000 over a HIPAA breach. After investigating where the breach originated, federal health authorities determined that the theft of an unencrypted, non-password-protected iPhone was the root cause.
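The common thread in the cases above is a device that held ePHI with no encryption and no passcode. The script below is an added example, not code from the original article or from any of the organizations it names: it audits a device inventory export (a constructed JSON-lines sample with assumed field names, not any real MDM or RMM product's schema) for exactly those failure modes, rates each finding higher when the device is flagged as accessing ePHI, and lists the devices whose loss would be a reportable breach because their ePHI is stored unencrypted. The 15-minute screen-lock limit is an assumed policy value; HIPAA itself prescribes no number.

```python
"""Audit a device inventory for the controls whose absence caused the
breaches described above: storage encryption and device passcodes."""
import json
from collections import Counter
from dataclasses import dataclass

# Constructed sample export in JSON-lines form. The field names are an
# assumption about a generic MDM/RMM export, not a real product's schema.
SAMPLE_INVENTORY = """\
{"device_id": "LT-0412", "type": "laptop", "user": "front-desk",  "disk_encrypted": true,  "passcode_set": true,  "lock_timeout_min": 10,   "ephi_access": true}
{"device_id": "LT-0419", "type": "laptop", "user": "billing",     "disk_encrypted": false, "passcode_set": true,  "lock_timeout_min": 10,   "ephi_access": true}
{"device_id": "PH-0077", "type": "phone",  "user": "on-call-md",  "disk_encrypted": false, "passcode_set": false, "lock_timeout_min": null, "ephi_access": true}
{"device_id": "TB-0003", "type": "tablet", "user": "waiting-room","disk_encrypted": true,  "passcode_set": false, "lock_timeout_min": 60,   "ephi_access": false}
{"device_id": "LT-0500", "type": "laptop", "user": "therapist-2", "disk_encrypted": true,  "passcode_set": true,  "lock_timeout_min": 30,   "ephi_access": true}
"""

MAX_LOCK_TIMEOUT_MIN = 15  # assumed organizational policy, not a HIPAA figure


@dataclass(frozen=True)
class Finding:
    device_id: str
    control: str   # which control failed
    severity: str  # "high" for devices that access ePHI, else "medium"


def parse_inventory(text: str) -> list[dict]:
    """Parse a JSON-lines export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_device(dev: dict) -> list[Finding]:
    """Return one Finding per failed control. Missing fields fail closed:
    a device the inventory cannot vouch for is treated as non-compliant."""
    severity = "high" if dev.get("ephi_access") else "medium"
    failed = []
    if not dev.get("disk_encrypted"):
        failed.append("disk_encryption")
    if not dev.get("passcode_set"):
        failed.append("passcode")
    timeout = dev.get("lock_timeout_min")
    if timeout is None or timeout > MAX_LOCK_TIMEOUT_MIN:
        failed.append("lock_timeout")
    return [Finding(dev["device_id"], control, severity) for control in failed]


def audit_inventory(text: str) -> list[Finding]:
    """Run every device in the export through check_device."""
    findings = []
    for dev in parse_inventory(text):
        findings.extend(check_device(dev))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Counts by severity and by failed control, for the customer report."""
    return {
        "by_severity": dict(Counter(f.severity for f in findings)),
        "by_control": dict(Counter(f.control for f in findings)),
    }


def reportable_if_lost(text: str) -> list[str]:
    """Devices that access ePHI and store it unencrypted. Losing one of these
    is a breach of unsecured PHI; an encrypted device would generally fall
    under the HHS encryption safe harbor."""
    return [
        dev["device_id"]
        for dev in parse_inventory(text)
        if dev.get("ephi_access") and not dev.get("disk_encrypted")
    ]


if __name__ == "__main__":
    results = audit_inventory(SAMPLE_INVENTORY)
    for finding in results:
        print(f"{finding.severity:6} {finding.device_id} {finding.control}")
    print(summarize(results))
    print("reportable if lost:", reportable_if_lost(SAMPLE_INVENTORY))
```

Because every check uses `dict.get`, a device whose export lacks a field is reported as failing rather than silently passing; an inventory that cannot tell you a laptop is encrypted is no better than one that says it is not. Run it against the real export after checking that the field names match your tool.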
Inadequate cybersecurity measures
Are you putting the right security measures in place for your SMB customers? Failure to implement the security procedures and controls needed to mitigate a cyberattack can put both you and your SMB customer at risk of a HIPAA violation. In fact, a phishing attack that granted access to the ePHI of more than 3,200 patients recently led to a $400,000 HIPAA fine, and the affected healthcare network must now adhere to a corrective action plan.
While the healthcare vertical can be profitable for your MSP, failure to safeguard healthcare records against security risks can be costly. Recently, CardioNet, a wireless healthcare service provider, was fined $2.5 million for failing to implement security procedures designed to "prevent, detect, contain, and correct security violations," according to the Office for Civil Rights (OCR). The company provides wireless devices for cardiac monitoring and analysis, and the breach of 1,300 patient records was traced back to a stolen laptop whose records were not encrypted.
HIPAA compliance isn’t a joke, and the OCR is cracking down on violations. Protecting ePHI is extremely important, and your MSP could be held liable if HIPAA regulations are violated. So it’s well worth reviewing these types of violations with your customers in the healthcare industry to make sure they and their staff all fully understand the rules—and the potential consequences for being too lax about them.