Since the Health Insurance Portability and Accountability Act (HIPAA) was first established back in 1996, it has provided the compliance management rules that offer protection for patients and their medical information. Technology has begun to play a growing role in all industries, including medicine. Particularly with the novel coronavirus pandemic, telemedicine has become an increasingly popular option. It offers patients the chance to meet with doctors from the comfort and safety of their own homes.
With more and more medical information being transmitted over the internet, however, the threat of cyberattacks has become more prominent. Criminals target healthcare facilities and patients, stealing highly confidential information. Data ranging from sensitive identifying information to medical histories are at risk. Understanding compliance management and patient protection have never been more important.
Critical Cybersecurity Threat: Hackers Attacking Telemedicine
Criminals have already shown many times, in the past year alone, that they are not above attacking medical organizations. In 2020, Los Angeles-based Methodist Hospital of Southern California experienced a tremendous breach through 3rd party vendor Blackbaud. The attack, which occurred in February but wasn’t discovered until May, potentially exposed patient information, the extent of which still isn’t fully known. Patients may have had sensitive information compromised, such as:
- Medical record numbers
- Admission dates
- Full names
In just this past year, other medical establishments throughout the state have also suffered cyberattacks, including:
- Rady Children’s Hospital of San Diego
- CCPOA Benefit Trust Fund health plan
- Indian Health Council, Inc.
- Golden Gate Regional Center
These hackers have already begun to launch their attacks against other medical establishments and the patients they serve. Your business must prepare to protect itself.
Manage Compliance or End up on the Wall of Shame
The organizations required to comply with HIPAA who suffer cyberattacks face a number of obstacles beyond an attack. The breach triggers an audit, and the audit often determines that while the organization had some measures in place, they were not fully compliant. The audit levies a hefty fine and requires public notification of the breach through the notorious Wall of Shame.
In 2009, HIPAA was amended by the HITECH Act. This requires the Department of Health and Human Services to post on its website a list of all the breaches that impact 500 or more people. As the Methodist Hospital of Southern California discovered, a single cybersecurity breach can land your medical business on this Wall of Shame for two years.
This wall was mandated to ensure that patients, like those who were treated at Rady
Children’s Hospital, are informed about breaches that impact them. The list includes information about the business, the number of people impacted, the type of breach and when it was reported.
Practices and business associates that find themselves listed are shown as failing to provide for patient privacy. This deeply harms the trust patients have in their healthcare providers and the provider’s reputation.
Why You’re Responsible for Vendor Compliance Management
As a healthcare provider, the last thing you should have to worry about is whether your vendors create HIPAA violations for you by compromising your patients’ security. When working with outside companies, there are critical steps you must follow. Here is what you need to know:
- The law requires that, if you are a “covered entity” under HIPAA, you have rules when you hire outside vendors.
- If you have an outside vendor, you must determine if they help you fulfill healthcare activities.
- If your vendor does fit this role, then you must have a contract with them, known as a business associate agreement, that defines the relationship.
- This contract must require the vendor or associate to follow the HIPAA rules established to protect patient privacy and health information.
- The vendor or associate can be considered liable for violations of HIPAA regulations.
Make Sure You Are HIPAA Compliant
Even if you’re not a healthcare organization, it’s important to ensure you’re compliant with HIPAA to provide for patient privacy. With the risks presented by telemedicine and the increasing prevalence of technology in healthcare, cybersecurity should be at the forefront of your protection plan.
Ensure vendors and your internal practices provide you and your patients with maximum protection so you don’t end up on the Wall of Shame. Chances are, you have some compliance measures in place and think it’s “good enough.” Unfortunately, audits are all or nothing. You either pass or fail.
How confident are you that you could pass an audit today? Contact us today to learn how we can help you as a HIPAA-compliant managed IT provider.