Most Common HIPAA Gaps
It’s not uncommon for healthcare breaches to make the headlines these days. Whether it’s a major breach like Anthem’s $16 million breach or a smaller HIPAA violation such as improper disposal of secure records, healthcare organizations are falling victim to security breaches at an alarming rate. According to IBM Security’s 2019 Cost of a Data Breach Report, the healthcare industry has the highest average cost of a data breach of any industry, at $6.45 million. Do you have $6.45 million ready to spend if your systems are breached? Are you prepared to spend years dealing with the OCR for failing to protect privacy rights? Of course not. One of the best ways to avoid these detrimental consequences is to make sure you’re compliant with HIPAA and start mitigating common HIPAA gaps now.
Missing the Mark with HIPAA Gaps
Maybe you’re preparing for a HIPAA audit and looking for the first step toward compliance, or maybe you don’t know anything about HIPAA and you’re struggling to get started. Either way, you need to know about these common HIPAA gaps to avoid possible threats and hefty fines. Which HIPAA gaps are the most prominent vulnerabilities revealed in recent healthcare industry security breaches? Let’s discuss four common HIPAA gaps.
Non-Compliant Business Associate Agreements
A Business Associate Agreement, or BAA, is a document between a covered entity and business associate confirming that both entities will do their due diligence to protect PHI that is transferred between businesses. Not having a thorough written agreement in place to protect PHI is a violation of HIPAA. According to recent OCR findings, non-compliant BAAs are common HIPAA gaps that you should be working to mitigate. If you aren’t already practicing proper BAA procedures, you need to start now.
Missing Risk Analysis
How often should a risk analysis be performed? What should you do with your risk analysis findings? These are good questions to ask when mitigating common HIPAA gaps, as missing a risk analysis tends to be one of the first weaknesses found during a HIPAA audit. A risk analysis should be performed after any major changes in your organization and, at the very least, once annually. Once the risk analysis is performed, your organization should adjust and correct any vulnerabilities found. Don’t be a victim of this common HIPAA gap!
Physical Security Holes
Your physical security is one of the most important defense practices you can establish to protect valuable PHI. Without proper locking of secure documents, the use of security badges for access to secure areas, or proper desktop auto-locking procedures, you’re creating vulnerabilities that could be breached by malicious individuals. To comply with HIPAA, you have to be diligently working to mitigate common HIPAA gaps like holes in your physical security.
Lost or Insecure Devices
While it may seem obvious that all devices holding PHI need to be protected against loss or theft, this is still one of the most common HIPAA gaps found during the compliance journey. Encryption is a big piece of the puzzle: every device in your organization should be encrypted so that the PHI on it cannot be misused if the device is lost or stolen. Taking the next step of backing up your systems and encrypting those backups is vital in mitigating any threats to your organization.
Learning to Close Common HIPAA Gaps
By mitigating these gaps early on, you’re setting your organization up to avoid costly fines and unexpected breaches. You can start your compliance journey by closing these common HIPAA gaps and implementing company-wide procedures that address the vulnerabilities plaguing your systems. These practices will help you avoid becoming another number in common healthcare security statistics. Instead of joining the hundreds of other healthcare organizations that were victims of 466 security incidents in 2019, your organization can join the many KirkpatrickPrice clients who are satisfied with the expert-level, quality audits we perform. Contact us to start your journey to becoming more than an information security breach statistic!