HIPAA violations are something that no healthcare organization ever wants to worry about, but a new ruling shows just how inevitable they may be in certain circumstances. In March of 2016, an administrative law judge upheld a civil monetary penalty (CMP) against Lincare, Inc. for HIPAA violations involving its electronic health records. The judge found that not only did Lincare lack written policies to safeguard protected health information, but its complacency also exposed the records of 278 patients to an unauthorized individual. This ruling, which Lincare appealed and promptly lost, will cost the company approximately $239,800.
The HIPAA Violations To Avoid So You Don't Get Penalized
Remote Workers
One of the issues that contributed to Lincare's penalty has to do with how it dealt with remote workers. According to the judge, a Lincare employee removed patient information from company offices to work remotely, left that information exposed, and eventually abandoned it altogether. The employee didn't do this with the intention of harming anybody or stealing information - they simply didn't take the appropriate steps to protect the information while working out of the office. Unfortunately, now the entire organization is paying the price.
This is one of the many reasons why a HIPAA compliant FTP service is so important. Using a service provider like Sharetru includes security features that are designed specifically with remote workers in mind. Not only do remote workers have access to all the data they need to do their jobs from any location, but that data is always delivered in a secure fashion. Safeguards are also in place to further prevent that data from falling into the wrong hands due to complacency or negligence.
Technical and Administrative Safeguards
Another of Lincare's issues stems from the judge's finding that its policies and procedures were "woefully inadequate." Those policies did not adequately govern how information could be accessed, where it could be accessed from, or what steps were being taken to prevent a data breach of any kind.
This is another reason why a HIPAA compliant FTP site is so important - these technical and administrative safeguards are built directly into the service you are paying for. Had Lincare been using a file sharing provider like Sharetru, it would have been able to create a unique user account for that employee and make sure the account had access only to the information needed for the immediate task at hand. Even if the employee's computer had been compromised, the data held on the server would have remained safe. An FTP site also would have allowed Lincare to perform an adequate risk analysis and assessment of its current cyber practices, allowing it to identify areas of improvement and close any gaps before they could be exploited.
What makes this ruling so important for medical providers everywhere is that the mistakes Lincare made were not malicious - the company simply wasn't using the right type of technology in the right way. This is something that could easily happen to anyone, particularly an organization that chooses a simpler consumer-grade file sharing solution over a more secure, HIPAA compliant FTP provider.