Everyone in the healthcare industry seems to be familiar with HIPAA but as we normally comment, they may not know as much as they think. For example, it is not uncommon to hear a statement such as:
- My IT company says HIPAA doesn’t apply to them.
- My phone is encrypted so emails and texts sent from my phone are protected.
- We are a small practice, so HIPAA doesn’t apply to us.
- Our backups are secured, we keep them on the office server with all our other confidential data.
- Our EHR is HIPAA certified, hence we do not need to do anything else to comply with HIPAA.
- The data was not encrypted, but the device had a password, so the device’s loss is not considered an incident.
- We don’t have a business associate with our account firm as they only handle write-offs, collection activities, and tax documents.
- Our office manager used her own computer to work from home, but we cut access to the cloud once she was terminated.
- Our marketing department uses photos from the clinic but never posts any patient information, so we are not violating HIPAA.
- We did our Security Risk Analysis two years ago, but nothing has changed so we don’t have to do another this year.
All of the above statements represent a HIPAA violation, yet not all of them meet the definition of an incident. To make matters more convoluted, you need to question whether these violations represent a breach.
45 CFR § 164.304 defines a security incident as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
Based on the above, we challenge you to read the 10 statements above and decide whether they meet the definition of an incident, and if so, what would be your actions?
In case of questions, reach out to your HIPAA Security Officer or simply contact us with your answers and we will provide you with additional guidance.
Note: To Learn more about HIPAA Security and why it’s important for your Healthcare Business visit EPICompliance.