Complying with HIPAA in the face of data breaches and ransomware attacks
by Kristin Easterling
August 1, 2019

There’s more to compliance than simply checking boxes with your accrediting organization. Health care companies that fail to safeguard their patients’ electronic health information can face stiff federal and state penalties. The Health Insurance Portability and Accountability Act (HIPAA) outlines how businesses should protect patient data.

HomeCare sat down with Benji Sawyer, chief information officer (or “Young Whipper Snapper,” according to the company website) of Birmingham, Alabama-based Sawyer Solutions, an IT company serving health care companies and other small to medium businesses, to walk through the steps to protect your business from malicious data breaches, and why you should care about complying with patient protection law.

HomeCare: Why is compliance with HIPAA so important?

Benji Sawyer: It’s only important if you want to stay in business. There’s a lot in HIPAA that is just good business practice.

Right after President Trump was elected, during the Office of Civil Rights’ (OCR) annual HIPAA conference, everyone wanted to know how the Trump Administration would handle HIPAA enforcement. To paraphrase, the answer from OCR Director Roger Severino was, “We are coming after you.” Not just big companies—small ones, too. The understanding in the government was that businesses were not complying with the law.

The OCR has always had the ability to do desk audits. They will typically request two pieces of information: your most recent risk analysis and your business associate agreements. Until recently, they lacked the funding to conduct the audits. As one of the acts in the recovery from the recession, the OCR was given seed capital to run a pilot program, which took three to four years to set up. It had a 94% failure rate.

Most business owners don’t realize the OCR is allowed to self-fund enforcement actions. Their budget was cut this year and they’ve been told to make it up through enforcement. Many in the medical industry don’t take HIPAA seriously, and the OCR knows that.

Anyone can report you for a violation and it’s a must-investigate. The odds of being randomly audited are relatively low; a disgruntled former employee reporting you for a violation is much more likely. The vast majority of HIPAA issues arise from the non-technical side—someone saying something they shouldn’t have—but this is starting to shift, and shift quickly.

The OCR has caps on what they can fine your business. It’s not very high for a big company, but the fines can sink a small business. Also, the state attorney general can prosecute HIPAA non-compliance, and these fines aren’t capped. A non-compliance case is a slam dunk for a state attorney general to litigate. In the worst scenarios, you can lose your license. The OCR has training for the attorneys general on how to handle these cases.

It’s important for small business owners to keep in mind that HIPAA isn’t designed to punish a data breach; it’s designed to punish you if you haven’t taken reasonable steps to protect your business. You can’t stop a data breach from happening. But if you have taken the reasonable steps to prevent the data breach, then you only have to report that the breach occurred. It’s up to your individual credentialing agency to determine what’s reasonable to prevent data breaches.

HomeCare: What are the potential pitfalls of keeping IT in-house for small health care companies?

Sawyer: It’s not cost-effective. Especially in health care, you need more than someone who knows how to fix computers—you need someone who understands the law.

People who understand HIPAA don’t come cheap. The small business environment also likely won’t be challenging enough if they are skilled and want to grow in their career. You can outsource your IT needs to a company for cheaper.

HIPAA requires a lot of documentation, and while the law doesn’t change, every time there’s a breach, the Department of Health and Human Services (HHS) issues further guidance. For example, three years ago, a large hospital in California had a ransomware attack that shut down the hospital for weeks. Before that, ransomware was not considered a data breach; after that happened, it was.

HomeCare: What steps to compliance with current laws might small business owners miss when it comes to protecting patient data?

Sawyer: They miss step 1: Do a risk analysis. If you have not done this, you fail. Step 2, fix any issues you find. Step 3, repeat step 1.

A risk analysis has to be completed at least annually. People don’t have the associate agreements signed for the companies working with them. Anyone with more than incidental contact with your data has to have a signed agreement. This includes your copier company, your email provider, your technology company, etc. Both companies can be held liable for a breach without a signed agreement. I find companies without paid antivirus software—free doesn’t cut it under HIPAA standards. HIPAA compliance is based on “reasonable standards.” Your definition of reasonable isn’t the one that matters—it’s the government’s. Also, keeping computers updated often gets missed.

Companies will also fail to track inventory. Anything that has ever had electronic protected health information (EPHI) on it needs to be tracked, including flash drives. Where did it go, and how did you wipe it? Login attempts have to be tracked if a system has access to EPHI. Even large companies miss tracking those.

If you are using cloud systems for your electronic medical records, email, etc., cached files stay on the computers from printers and web pages. Don’t assume EPHI isn’t on the computer. If you are wrong about your system in a breach, it’s bad. And you have to prove you’re right.

HomeCare: How can small business owners assess their compliance with HIPAA and other regulations?

Sawyer: You can do it yourself, though it may take some technical knowledge. The HHS website has a self-assessment tool to perform the risk analysis. Review it. Fix it. You may have an issue in only one area and that’s all you need to fix. For example, there are older medical record systems that aren’t HIPAA compliant and never will be because they don’t track who is working in the system. So, you may have to replace your system. Encrypt your hard drives and have strong passwords on your computers.

Retain a lawyer who understands HIPAA, not just your business attorney. They can make recommendations if a breach occurs. The state attorney general will often take into consideration if you sought professional help. Have an expert to call.

HomeCare: What are some examples of data breaches that can occur in small homecare companies, and how can they prevent them?

Sawyer: Ransomware attacks are the most common. They happen and keep happening. Ransomware is easy to recover from with proper backup.

Email incursion is when someone gets into your email. Don’t email EPHI back and forth. If someone gets into your email, that’s a data breach. You can have a secure email system, but we don’t recommend it, because it’s too easy to make a mistake. Generally, incursion occurs through phishing. This can be defeated with two-factor authentication, so if your email doesn’t support it, get an email service that does.

Another common breach I see is lost laptops and thumb drives. If these are encrypted, you don’t have to worry. Windows 10 Pro and Mac OS have encryption built in on business class laptops. It only takes 10 minutes to activate it, and most of that is writing down the code provided. Encryption doesn’t protect you if you’re actively using the laptop and someone hacks in, but that generally is not a worry for small businesses.

You need mobile device management (MDM) for tablets with enforced passwords and the ability to mobile wipe the hard drive if the tablet is lost. You have to have an MDM platform for that to happen.

It’s not common for someone to target a small company for EPHI. Generally, they are looking for access to your payroll systems to transfer money. But this can still cripple you if you can’t make payroll.

HomeCare: What keeps you up at night when it comes to helping your customers maintain compliance?

Sawyer: What have I missed? Have I missed something that is a problem in their system? Most small companies are very similar in the technology space. They have one program they rely on to drive their company, and there’s Microsoft Office and email and file sharing on the side. How can we make our clients more secure? The best thing we can do is education.

HomeCare: What else should small business owners know?

Sawyer: Even if you only take private payments, you still have to be HIPAA compliant, because it is the standard for the industry. While you can’t be sued by the OCR, the relevant attorneys general will use HIPAA as the meter stick and come after you for a data breach.