American healthcare organizations must store and exchange patient data in ways that comply with the HIPAA law, or else face hefty fines. One mental health service in Alaska recently learned this lesson the hard way after being hit with a $150,000 fine. Is your healthcare organization’s IT infrastructure 100 percent HIPAA compliant?
Last December, the Office for Civil Rights (OCR) found Anchorage Community Mental Health Services (ACMHS) guilty of a breach of OCR’s electronic protected health information (ePHI) that affected more than 2,700 patient records.
As reported by The National Law Review, this whole fiasco could have easily been prevented if ACMHS had stayed on top of its basic IT maintenance: “The OCR determined that the incident was the direct result of ACMHS’ failure to identify and address basic risks such as running outdated and unsupported software, and failure to regularly update software patches.” In addition to ACMHS being fined a cool $150k, they agreed to adopt a corrective action plan set by OCR.
The last thing your healthcare organization needs is to get slammed with a major fine like this. Additionally, having to take actions to rebuild trust with your patients may be more costly to your organization than a fine. To help your healthcare organization remain HIPAA compliant, be sure to implement these four HIPAA guidelines provided by The National Law Review:
- The Security Rule, which relates to electronic PHI, continues to be a focus of the OCR;
- A basic requirement of the Security Rule is that Covered Entities and Business Associates should regularly conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the security of electronic PHI;
- Covered Entities and Business Associates should remain current on software and software patches to help avoid malware and other hacking incidents; and
- HIPAA policies and procedures should be meaningful to your organization and should be regularly used, reviewed, and revised as necessary.
For security reasons like the breach experienced by ACMHS, it’s risky for any business to use unsupported software (like the infamous and no-longer-supported Windows XP), or to skip out on installing security patches. However, when it comes to IT maintenance tasks like these, a non-healthcare business has the option to roll the dice and risk not doing them. Due to the stricter-than-normal demands of HIPAA regarding the maintenance of IT systems, your healthcare organization doesn’t have the luxury of not updating your information technology.
Ultimately, these extra protections afforded by HIPAA are a good thing because they better protect patient information. Your healthcare organization having to jump through extra hoops may seem like an unneeded pain at times, but with a knowledgeable IT provider like Setton Consulting overseeing your organization’s IT infrastructure, you can rest assured that your practice is HIPAA compliant. If you’re all squared away with HIPAA, then you can focus your time and energy on more important things than updating software and installing security patches, like taking care of your patients’ health!
To make sure that your healthcare organization’s IT infrastructure is HIPAA compliant, give Setton Consulting a call at 212-796-6061.