Top 5 Healthcare IT Compliance Mistakes That Are Costly
Healthcare organizations deal with highly sensitive patient information. This sensitive data is stored as electronic health records (EHR). While the government supports the adoption of EHR and cloud-based information systems, it is well aware of the risks and threats that follow. Therefore, various regulations, such as HIPAA and HITECH, are in place to ensure better data security across the sector. Failure to fulfill the regulatory requirements can lead to costly consequences.
The largest HIPAA settlement of 2017 cost $5.5 million. The settlement was made by Memorial Healthcare Systems in Florida after a breach of ePHI was uncovered. The breach compromised the data of around 115,143 individuals. In another case, lackluster encryption policies cost MD Anderson Cancer Center $4.5 million in penalties.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) maintains a "wall of shame" dedicated to such cases. While the portal serves as a warning, it also provides insightful information regarding the mistakes that lead to breaches costing millions of dollars.
Here are five of the top healthcare IT compliance mistakes that can result in heavy fines and penalties.
1. Failure to Understand Compliance Regulations
There are many reported cases of compliance issues arising from a sheer misunderstanding on the organization’s part. HIPAA has been around since the nineties, and over the years its scope has spread beyond IT security rules. It covers a wide range of aspects, including the processes and protocols for breach notification. It also dictates the privacy rules and regulations set by the organization. IT compliance is not limited to the IT teams. It extends into other departments, including the billing office, HR, and the ER front desk.
Moreover, the scope of healthcare compliance regulation also covers wirelessly connected devices and components, which may include employee mobile phones as well as lab appliances and other machinery. Therefore, every component, person, process, or entity that connects to the infrastructure comes under the compliance umbrella.
2. Failure to Conduct Risk Assessment
Although risk assessment is defined as one of the crucial requirements for HIPAA compliance, many healthcare organizations skimp on proper assessment. According to a report, nearly 90 percent of all audits conducted by OCR during ePHI breach investigations identified a lack of proper risk assessment.
In a way, this mistake is connected to the first one. Insufficient risk assessment often results from a lack of understanding of the scope. Organizations often fail to consider all the components that somehow connect with the ePHI in their current environment.
Moreover, in some cases, organizations treat risk assessment as a one-time process and overlook its importance during and after any change in the environment.
3. Failure to Treat Security as a Priority
Failure to prioritize security is not about neglecting compliance. It can often stem from an excessive focus on compliance. Many organizations put compliance before security out of fear of fines and penalties. While it is not wrong to worry about compliance, it often steers the focus away from the root of compliance issues.
Despite regular changes, healthcare regulations and compliance requirements are still loosely defined. It is possible for organizations to fulfill the requirements while leaving numerous loopholes in the security system. With compliance as the major concern, organizations might overlook potential threats that are present but not necessarily defined by HIPAA.
Therefore, healthcare organizations must focus on setting up a solid security infrastructure first and then work on making it compliant.
4. Choosing a Non-compliant Cloud Vendor
While cloud technology has opened a new array of opportunities, it also brings a plethora of problems. To ensure cloud safety and security, HIPAA now covers various new regulations. HITECH itself is another set of regulations introduced to make cloud technology safer for the healthcare industry.
However, despite their claims of being HIPAA compliant, cloud vendors aren’t always telling the truth. Their compliance is often limited to the criteria they need to fulfill as a vendor. They may not always be able to help with your HIPAA and HITECH checklist.
Organizations should be careful with their selection of vendors and service providers. It is imperative to work with a provider who can work alongside the security team to understand the needs and requirements and deliver a custom-tailored solution accordingly.
5. Not Understanding the Common Factors
Another mistake that often results from excessively prioritizing compliance is redundancy and duplication. While it is the most commonly discussed, HIPAA isn’t the only regulation that concerns the healthcare sector. Different compliance regulations focus on different areas of the business, such as HITECH, PCI, NIST, ISO, COBIT, FTC, and GDPR.
Organizations often fail to understand that there are many commonalities between these regulations. For instance, a PCI requirement may already be covered by HIPAA. When different teams are assigned to manage different regulatory requirements, there is a risk of effort duplication. Time and effort are needlessly spent on tasks that are already taken care of by another team.
An effective way to eliminate this issue is to streamline the whole process by identifying the commonalities before tasks are assigned to different teams or individuals.
Compliance is a critical issue for a healthcare organization. While a lot of effort, time, and money is spent on fulfilling compliance criteria, there are still mistakes that lead to violations. By avoiding the common mistakes described above, organizations can save millions in fines and penalties.