Ensuring that your healthcare app is HIPAA compliant is critical, but it’s only the start.
Yes, you should perform a thorough risk assessment of PHI in your organization: how it flows and where it is stored. Yes, limit access to PHI by granting permissions only to those who need it. And engage a HIPAA compliance specialist to help you protect PHI in transit and at rest with end-to-end encryption.
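As an added example (not code from the original post or from HIPAA Vault), here is a minimal Python access gate that shows what "granting permissions only to those who need it" looks like in practice: roles are denied by default, each role receives only the PHI fields it needs (the minimum-necessary idea), and every decision is written to an audit trail. The role names, field names and the sample patient record are constructed assumptions for illustration.

```python
"""
Least-privilege gate for PHI access with an audit trail.

Added example, not HIPAA Vault's code. Role names, permitted fields and the
sample record below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role -> permitted PHI fields. Any field not listed for a role
# is never returned, and any role not listed here is denied outright.
ROLE_PERMISSIONS = {
    "billing": {"patient_id", "name", "insurance_id"},
    "clinician": {"patient_id", "name", "date_of_birth", "diagnosis", "medications"},
    "front_desk": {"patient_id", "name"},
}

# Constructed sample PHI record (fictional data).
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "date_of_birth": "1970-01-01",
    "diagnosis": "example diagnosis",
    "medications": ["example-med"],
    "insurance_id": "INS-123",
    "ssn": "000-00-0000",
}


class PermissionDenied(Exception):
    """Raised when a role has no PHI access at all (default deny)."""


@dataclass
class AuditLog:
    """In-memory audit trail; a real deployment would ship this to durable storage."""
    entries: list = field(default_factory=list)

    def record(self, user, role, patient_id, granted, fields):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "patient_id": patient_id,
            "granted": granted,
            "fields": sorted(fields),
        })


def access_phi(user, role, record, audit):
    """Return the subset of `record` the role may see, logging the decision.

    Unknown roles are denied and the denial is still audited, so an auditor
    can see attempted as well as successful access.
    """
    allowed = ROLE_PERMISSIONS.get(role)
    if allowed is None:
        audit.record(user, role, record.get("patient_id"), False, [])
        raise PermissionDenied(f"role {role!r} has no PHI access")
    # Minimum necessary: hand back only permitted fields, never the whole record.
    view = {k: v for k, v in record.items() if k in allowed}
    audit.record(user, role, record.get("patient_id"), True, view.keys())
    return view


if __name__ == "__main__":
    log = AuditLog()
    print(access_phi("alice", "billing", SAMPLE_RECORD, log))
    try:
        access_phi("bob", "intern", SAMPLE_RECORD, log)
    except PermissionDenied as exc:
        print("denied:", exc)
    for entry in log.entries:
        print(entry)
```

Note that the `ssn` field appears in no role's permission set, so it can never leave the gate, and a denied request still produces an audit entry; both properties are what an auditor looking for "holes in your procedures" will ask about.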
Yet just as important is how your organization is prepared to maintain HIPAA compliant practices on a daily basis.
Consider the reality: a 7-year study conducted by researchers from Michigan State and Johns Hopkins University found that approximately 53% of all data breaches reported to the Office for Civil Rights (OCR) were actually the result of internal negligence.
Reasons for these data breaches might include:
- theft of data by current or former employees
- poor password policies
- careless use of laptops or mobile devices
- stolen hard drives (from the workplace, or employee’s cars or homes) with unencrypted data
- email phishing scams, etc.
All of which is to say that when a HIPAA auditor comes knocking at your door, they will be looking at more than just your new app. They will be especially concerned with finding any existing or potential holes in your procedures, practices, and overall security.
Thinking of compliance in this way means treating it as more than ‘just a snapshot in time.’ In other words, just because you are compliant today does not mean you will be tomorrow or the next day. Today no employee made a mistake, but tomorrow a document may be left in an insecure place, or an employee may fall prey to a covert social engineering scheme. On that day you will not be compliant – and you may find yourself unable to access your data.
So Where to Start?
Instead of focusing on checking off the boxes in a compliance checklist, consider teaching your employees about HIPAA at a fundamental level and imparting a sense of what true security is, in both the digital and the physical senses of the word.
The risk of not doing so is staggering. The Ponemon Institute’s annual data breach study put the average cost of a breach to the covered entity at $3.86 million (an increase of 6.4% since 2017). In 2018 the per capita cost of a data breach also rose, by 4.8%, to $148 per record.
While you’re at it, follow the complete life cycle of your data and where it goes, from a top-down perspective. The goal is to predict breaches before they happen. Being cognizant of your information life cycle helps you confirm that every step in the process is fundamentally sound from a security perspective.
With a well-designed and well-maintained security environment, you are less likely to have to overhaul your SOPs to gain or regain compliance. Starting from a strong base of security is also often much cheaper than launching a complete compliance initiative after the fact, and with security fundamentals in place it is easier to spot abnormalities or mistakes before they turn into incidents. As noted, failing to do so could mean more than a tangible financial loss: your customers could lose confidence in you, and their loyalty could be irreparably damaged.
With a good sense of security awareness, a well-informed employee pool, and fundamental attention to the core concepts in security, you’re well on your way to having a strong, compliant foundation to go with your app. Adding HIPAA Vault to your team to help manage your hosted data can make it possible to not only maintain compliance but also keep your data safe and secure. Get a quick quote today!
About HIPAA Vault
HIPAA Vault specializes in providing managed, secure, HIPAA compliant hosting environments. Our mission is to provide uncompromising data security combined with world-class customer-service and 24/7 technical support.