Block on Trump's Asylum Ban Upheld by Supreme Court
If your small to medium-sized business is handling confidential medical information for clients or patients, you should know that the U.S. Department of Health and Human Services' Office of Civil Rights will now start investigating data breaches involving less than 500 individuals. According to the announcement by HHS last month, regional OCR offices will now have the discretion to prioritize investigations of small to mid-sized health care organizations that handle, process, or possess information protected by HIPAA.
If your healthcare related business handles information or documents covered under HIPAA, apart from ensuring compliance with the law, there are a few things you can do to avoid being investigated due to a data breach.
1. Set up email news alerts so that you get notified when a similar business gets hacked or suffers from a data breach.
Oftentimes, the data breaches are the result of phishing emails where hackers send the same or similar emails with malicious attachments to as many people as possible. If you have an email alert set up to notify you when a news story appears about a data breach, you can notify your employees, and IT department, to be wary of certain types of emails or emails containing certain types of attachments.
2. Restrict access to HIPAA protected information from personal devices.
While many companies are embracing the BYOD (bring your own device) philosophy, this has potential to create serious security breaches. If your employees will be using their own devices, it is important to make sure your organization provides customized software, encryption, or, at very least, specific security protocols for employee devices. Also, there should not be any way to disable these security features without also deleting or destroying all the HIPAA related information.
3. Document and regularly update your organization's security protocols for how HIPAA protected information is to be handled.
At the beginning of every year, and at the time of hire, all employees should be required to review your organizations security protocol for HIPAA information. Distributing actual paper documents, rather than just sending an email is preferred, as well as providing a highlights section that lays out any changes as well as the most critical aspects of your organization's security measures.
With the rise in the number of hackers going after personal medical or health information, and particularly as larger institutions have now instituted heavy duty cyber-security, small health care organizations are facing the highest risks from hackers to date. But it's not just hackers that expose your organization to risk, a lost iPhone can cost you $650,000.