We have recently conducted a healthcare-focused survey for Netmail and found that HIPAA violations are just waiting to happen. For example, our research found that:
- 33% of the organizations we surveyed do not have a data loss prevention (DLP) solution that will monitor outbound email for potential HIPAA/HITECH violations.
- 20% have not established any anti-spam, anti-virus, DLP, encryption or other standards with organizations with which they have HIPAA Business Associate Agreements.
Our research also found that various file-sharing and social media tools are used in healthcare organizations, including Dropbox, Box, Google Drive, Microsoft OneDrive, SharePoint, Novell Vibe and a variety of other tools. While these tools are quite useful and almost always work as advertised, their use in a healthcare-related environment – hospitals, clinics, medical practices, doctors’ offices, insurance companies, benefits administrators and others that share PHI – might not be a good idea without the appropriate technologies in place to protect against accidental or intentional disclosure of confidential or sensitive information.
As a result, many of the organizations we surveyed aren’t all that confident that they’re managing their data very well. For example:
- Only 59% of those surveyed believe that their organization is doing a “good” or “great” job at managing compliance.
- The same proportion believes they are doing a good or great job at preventing data leaks.
- 58% think they’re doing a good or great job at managing secure file sharing.
Interestingly, neither HIPAA nor HITECH requires that PHI be encrypted during transmission or at rest, although some states, including Oregon and Minnesota, do require encryption. As a matter of best practice, however, all Covered Entities and Business Associates should encrypt PHI so that unauthorized parties cannot read it if they intercept it.
For more information on our research and a discussion of these issues, check our blog post here.