Although the Department of Health and Human Services reduced the maximum HIPAA violation penalties, violations have unseen consequences. Every violation of the Health Insurance Portability and Accountability Act (HIPAA) damages an organization’s reputation, introduces new risks, and requires implementing costly measures to ensure that the violation doesn’t occur again. Like with most violations of policy, lack of knowledge isn’t a defense against a future violation.
There are solid best practices for HIPAA, with a focus on protection against future violations. Adhering to these best practices isn’t done in a vacuum; if there are other policies for your organization to manage reputational and compliance risks.
Routine, Regular, Refined Reviews
Brushing up on the actual HIPAA rules is a good starting place. Obviously, the actual policy is too lengthy for this guide, but it can be boiled down to this: protected information must have strong security measures that are followed constantly. An organization can still be out of compliance and not be fined yet. Before the company has to face public scrutiny, it’s time to conduct reviews are that routine, regular, and refined. What we mean by this is that a security review of protected information should occur regularly and not be seen as a special event. It should be refined as all layers of the system are studied. Is every access point logged? What type of encryption is being used across the enterprise? Are all the users implementing password changes properly? How is that being enforced? When users leave the organization, how fast is access revoked?
Managing the Human Element
Social engineering attacks are effective, as human behavior can be difficult to change. In fact, a recent report from Verizon indicated that even C-level executives fall prey to fraudulent emails. These executives are targeted due to their high-level access to protected information.
Tightening up communications is an important best practice in safeguarding confidential information. Educate the users within the organization about phishing, vishing, and even open chatter about sensitive information. Gossip around the workplace is commonplace, but no one should be openly discussing sensitive information without establishing whether the other party actually needs to know that information.
Remaining vigilant about HIPAA best practices ensures that violations are much less likely to occur. Staying educated about the security aspect of compliance is incredibly important, as new threats appear every day and affect organizations of all sizes. If something isn’t clear, seeking professional guidance is critical.