Healthcare Data Breaches are on the Rise:
Is Your Practice HIPAA Compliant?
In the ever-evolving landscape of data breaches, the healthcare industry stands at the forefront of a concerning trend. As of July 2022, healthcare breach incidents have surged, with OneTouchPoint, a third-party mailing and printing vendor catering primarily to healthcare organizations, becoming a victim of illegal system access. Notably, their clients, including Blue Shield of California, Kaiser Permanente, Anthem, and Blue Cross, found themselves compelled to report data breaches involving the compromise of medical and patient records for 2.6 million individuals.
The compromised data included sensitive information such as names, addresses, birthdates, patient medical records, demographics, employee details, service descriptions, health assessment test results, and diagnosis codes. This security breach resulted in a class-action lawsuit against OneTouchPoint, alleging a failure to safeguard critical medical information, potentially exposing patients to fraud and theft. Moreover, the company faced criticism for not promptly notifying the affected organizations and patients as required by regulations.
In light of such incidents, it is imperative for healthcare businesses to conduct an annual review of their security policies. Ensuring both their internal processes and external business associates adhere to the Health Insurance Portability and Accountability Act (HIPAA) is crucial for safeguarding sensitive patient information.
HIPAA Compliance Checklist
To aid healthcare organizations in assessing their HIPAA compliance, we’ve compiled a checklist of essential questions.
1. Are Your Patients Fully Protected Everywhere?
- Do you avoid discussing patient identities in public areas or with unauthorized individuals?
- Are patient documents secure and attended when not in use?
- Is your computer screen locked when unattended?
- Do you refrain from calling patients by name or disclosing medical conditions in public settings?
2. Are Your Privacy Policies Available in Written Form?
- Can you provide a written privacy policy in case of an audit?
- Do your privacy policies address HIPAA’s main components of privacy, security, and breach notification?
3. Do Your Business Associates Have HIPAA Agreements?
- Have agreements been established with organizations handling patients’ private information?
- Are all staff, including janitors and building management, restricted from accessing patient information?
4. Do You Have a HIPAA Training Process?
- Are all staff handling patient information trained in HIPAA requirements?
- Do you provide refresher training to keep staff updated on changes?
- Do you maintain records of training sessions and attendance?
5. Have You Completed a HIPAA Risk Assessment?
- When was your last security risk assessment conducted?
- Are vulnerabilities and risks identified in your entity’s practices?
- Have you implemented technical, physical, and administrative safeguards?
6. Are You Properly Destroying All Private Information?
- Do you know the retention periods of stored files?
- Is information destroyed on the retention dates using a HIPAA-compliant method?
- Are all forms of information, including paper, electronic storage devices, and X-rays, destroyed properly?
Partnering with a HIPAA Compliant Shredding Company
Handing off private medical information to a third party carries inherent risks. Choosing a shredding company for paper medical records, hard drives, media devices, and X-rays requires careful consideration.
ShredPro Secure, with its NAID AAA Certification, offers secure on-site shredding at your location. If you are a healthcare entity in East Tennessee or Southwest Virginia, call us at 865-986-5444 or complete the form on this page for assistance in maintaining HIPAA compliance with all your information destruction needs.