Failure to properly identify & protect ePHI information assets
You can’t protect the data if you don’t know where it is. Sure, it’s probably in your server(s). And you may think it’s in your desktop and laptop computers. But have you considered that it might be in smartphones that get connected to your network? Or printers, fax machines, copiers, cameras, and other devices (e.g. X-ray machines)? What about USB-connected devices (e.g. thumb drives, external hard drives)? And lastly, do you store PHI “in the cloud”? After you find it all, you must figure out how to protect it.
Failure to protect ePHI in motion or at rest (e.g. encryption)
Sounds like a physics discussion. PHI is “at rest” when it “sits” on the devices mentioned above. It is “in motion” as it moves across your network or outside your practice, including PHI sent by fax or email. Standard email and analog fax transmit PHI without encryption, so on their own they are not HIPAA-compliant. Proper encryption is an acceptable method for protecting ePHI both in motion (e.g. TLS on the connection) and at rest (encrypting the stored records or the disk), provided the keys are kept somewhere other than next to the data they protect.
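To make the “at rest” half of this concrete, here is an added example (not code from the original article) that encrypts a single PHI record with AES-256-GCM, so that a stolen disk or backup yields nothing readable and any tampering with the stored bytes is detected on read. The record text, the record ID used as associated data, and the envelope layout (nonce, then ciphertext and tag) are assumptions for the illustration; the key would in practice come from a KMS, HSM or separate key file rather than being generated in the same process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Assumed envelope format for a stored record: nonce || ciphertext || GCM tag.
// The key is passed in by the caller; it must live outside the data store
// (KMS, HSM, or a separately protected key file), never beside the records.

const keySize = 32 // 32 bytes = AES-256

// NewKey returns a random 256-bit data-encryption key.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext under key with AES-256-GCM and a fresh random nonce.
// aad (e.g. the record identifier) is authenticated but not encrypted, so a
// ciphertext copied from one record into another fails to decrypt.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce, producing nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any modification of the stored bytes, a wrong key, or a
// mismatched aad makes gcm.Open return an error instead of garbage plaintext.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short to contain a nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte("MRN 0000001; DOB 1970-01-01; Dx: sample entry")
	recordID := []byte("record-id:0000001")

	sealed, err := Seal(key, record, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored bytes: %d (plaintext %d + 12-byte nonce + 16-byte tag)\n", len(sealed), len(record))

	// Simulate an attacker flipping one bit on the disk: read must fail.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Open(key, tampered, recordID); err != nil {
		fmt.Println("tampered record rejected:", err)
	}
	plain, err := Open(key, sealed, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Println("intact record restored:", string(plain))
}
```

Random 12-byte nonces are fine at the volume of a practice database; a system encrypting billions of records under one key should instead rotate keys or use a counter-based nonce scheme, because a repeated nonce under GCM breaks both confidentiality and integrity.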
Inadequate workforce training, policies, and procedures
Policies & procedures are a big part of the HIPAA requirements for data security. But it’s not enough to just have a binder full of policies and procedures sitting on a shelf. You must also be able to prove that they are being followed. Workforce training matters because your staff cannot be expected to safeguard PHI if they don’t know why or how to do it, and they can’t be expected to follow your policies and procedures if they haven’t been properly trained on them and reminded of them. The rules have also changed over the past few years, so training done once and never repeated is not enough.
Inadequate data backup & improper disposal of obsolete devices containing PHI
Proper data backup & recovery procedures are critical components of a good disaster recovery plan. Could you restore your PHI if your office burned to the ground or you were the victim of a “ransomware” attack? A backup that sits online and writable on the same network can be encrypted by the same ransomware, so keep at least one copy offline or otherwise isolated, and actually test restoring from it. HIPAA offers very specific guidance regarding what constitutes proper data backup. Disposal of obsolete devices containing PHI is a separate requirement. When you retire devices that once contained PHI (see #1 above), do you sanitize the storage media first, rather than just deleting the files, before the device leaves your control?
Non-existent or inadequate Business Associate Agreements
A Business Associate (BA) is anybody with whom a Covered Entity (CE) shares PHI so that the BA can provide services on the CE’s behalf. Through this relationship, the BA takes on the same obligations to safeguard PHI as the CE. There must be a proper Business Associate Agreement (BAA) containing the specific language that defines this relationship. Under HIPAA, the CE must also obtain “satisfactory assurances” that the BA understands its obligations to safeguard PHI; a signed BAA with an IT vendor, cloud host, billing service or shredding company that never receives PHI is not the problem, but a vendor that handles PHI with no BAA in place is.