Last September, the FBI issued a warning that devices and objects that connect to the internet to send and receive data are vulnerable to cyber-attack. While this warning referenced many popular lifestyle devices such as smart phones and wearable fitness monitors, it also included devices common to laboratories and other businesses, such as printers, security systems and even thermostats.

The FBI recommended the following steps to reduce the risk of becoming a victim of such cybercrime:

  • Protect wireless networks with strong passwords
  • Isolate devices on their own protected networks
  • Apply security patches when available

Since HIPAA compliance is about ensuring the security of patient records, now is the time to evaluate the effectiveness of your compliance program. The G2 Compliance Advisor listed six actions you can take now:

1. Conduct a self-appraisal of compliance with HIPAA’s privacy and security rules. For instance, conduct a risk analysis of patient information in electronic form to check for vulnerabilities, such as a lack of firewalls or weak passwords. Take steps to reduce or eliminate the vulnerabilities identified. Make sure all staff members are trained in HIPAA compliance.

2. Make sure you’ve entered into business associate agreements with any entity or individual handling protected patient information on the lab’s behalf, such as a billing company. HIPAA requires labs and other covered entities to enter into these agreements to ensure that the business associate will safeguard the patient information adequately.

3. Consider encrypting patient information. Encryption is technically not required by HIPAA. However, a lab that opts not to encrypt has to at least address why it isn’t encrypting and document what alternative it will use instead to protect the data, according to Deven McGraw, deputy director of the health information privacy division for the HHS Office for Civil Rights (OCR). “‘Addressable’ does not mean optional. It never has. We expect you to address it,” she explained. Note that patient data that is lost or stolen but has been encrypted in accordance with NIST standards is considered “secure” and does not need to be reported to patients or HHS.

4. Have an action plan to handle a breach of unsecured patient information. There are steps a lab needs to take, such as conducting an assessment of the likelihood that the information was compromised; making timely notifications to HHS, patients and, in some cases, the media; and taking corrective action to forestall future breaches. You don’t want to be caught scrambling to comply once a breach has occurred.

5. Remember state law. State laws are often broader than HIPAA. For instance, labs suffering a breach of patient information may have to report it more quickly to state authorities than to HHS.

6. Keep an eye out for future developments. There’s a lot of activity concerning the privacy and security of patient data. In addition to the revised audit protocol expected this year, OCR plans to release new guidance on patient access to their data. Other guidance or rules still forthcoming include clarification of which disclosures of patient information are the “minimum necessary,” as well as a proposed rule on how individuals who have been harmed by a data breach should receive a portion of the penalty imposed on the violator. Both of those are part of the HITECH Act of 2009, which amended HIPAA.

Originally published in the ADVANCE for Administrators of the Laboratory Lab Quality Advisor Blog

About The Author

Irwin is Quality Advisor for COLA Resources, Inc. (CRI®), where he provides a wide range of technical assistance to laboratories across the country. He previously held the position of Executive Director at Community Response, a community-based organization that provides HIV/AIDS support services in metropolitan Chicago. Prior to that position he was the Laboratory Manager of Crittenden Memorial Hospital, West Memphis, AR. He holds a Bachelor of Science degree from Brooklyn College, a Medical Technology degree from Good Samaritan School of Medical Technology, a Master of Science degree from Colorado State University, and a Master of Business Administration degree from the University of Memphis.