10 Signs that Your Healthcare Provider is Not HIPAA Compliant
When I visit a dentist, chiropractor, physician, psychologist or any other healthcare provider, even the local pharmacist, I always look for obvious signs that they’re in need of help with HIPAA.
I do this because they’re conversation starters. If there are obvious signs of a lack of HIPAA compliance, then I’ve come to the right place.
Here’s something to think about in today’s high-tech world. HIPAA exists to protect healthcare patients. All businesses should put their best foot forward when it comes to protecting their client’s information. HIPAA is really the tip of the iceberg when it comes to cybersecurity. If you’re only doing HIPAA, you’re doing the bare minimum required to protect your patient’s information, and it’s not enough.
Looking for signs that your healthcare provider is not doing their best to protect your most sensitive information should be just as important as not giving your social security number over the phone.
Here are 10 things you can easily spot when you’re at your doctor’s office.
10 easily recognizable signs that you’re not HIPPA compliant.
Is your doctor/dentist/chiropractor/optometrist guilty of any of these?
1. Windows 7/2008 Still in the environment – Windows 7, or Server 2008 is still in the environment. Windows 7 and Server 2008 are no longer supported by Microsoft which means they won’t be patched, which means security wise they are no longer compliant. And let’s remember that when it comes to HIPAA, when it comes to your business’ security, HIPAA is really at the bottom rung of cybersecurity. If you’re not even doing that then your practice is not secure, and you’re risking your business but you’re also risking your patients, who are your clients. You’re risking their information being breached, and the heartache that they will have to deal with.
2. Windows 10 not patched/outdated software – Windows 10 patches are outdated, or you have outdated software. Maybe you haven’t updated Java in a while. Maybe you haven’t updated Adobe PDF reader in a while. Maybe you haven’t updated (hopefully you’re not using Flash Player) flash player in a while. These are the bare minimums. If you’re not doing it you’re putting your patient’s information at risk. Last week I shared 10 of the most exploited vulnerabilities are in some cases 5 to 8 years old. All 10 were either Adobe Flash, Microsoft Office, Internet Explorer or WinRAR.
3. Free antivirus – you’re using free antivirus, for example, Avast free or AVG free or whatever other free antivirus that’s out there today. If you’re using any of these, they are not doing the job that you want them to do, and they’re not ensuring the security of your systems. Today you need something that’s a little more proactive. You need security software that doesn’t wait for updates. Let’s face it, if you’re using a free antivirus program, updates are even less frequent than a paid antivirus. You need something that’s anomaly-based. Something that’s going to look for things that aren’t normally there.
If you see a computer with AVG and it pops up with an ad, then it’s free AVG. This would be a little disheartening to me. I would be concerned that the healthcare practice does not have your best interest.
4. Wi-Fi router shares guest Wi-Fi – I know most businesses offer guest Wi-Fi. It’s available almost everywhere you go. I always tell people don’t hop on just any Wi-Fi. If you absolutely need to use wireless on the road, have a hotspot with you. Most phones have hotspot capabilities now, use that instead of public Wi-Fi or guest Wi-Fi. If you happen to notice (it’s something I check anytime I walk into a business) there’s a guest Wi-Fi on the same router as the internal Wi-Fi this is a sign that a recent security analysis has not been conducted.
Internal Wi-Fi should only be available to the staff and not potentially exposed through the guest Wi-Fi. It’s a little bit closer to being able to be easily compromised. The internal network needs to be segmented by utilizing a separate router and segmenting the network from the guest Wi-Fi.
5. Using a free email account – This is a pet peeve of mine. If you’re in business, you should not be using a free email account for communicating with clients. It just looks unprofessional. Let’s forget that for a minute though.
If you’re using a free email account in a healthcare practice it is not HIPAA compliant because they will not sign a business associate agreement. Google will sign one with a G-Suite account. Microsoft will sign one with an Office 365 account. They will not sign one with an outlook.com account or a gmail.com account? AOL, Yahoo, and all the other free email account options will not sign a business associate agreement. In most cases, they will also not offer encryption.
6. Clipboard with a sign-in sheet – My physician used to do this. You would walk in, there’d be a clipboard at the window. You’d put your name, the reason you’re there, who you’re there to see and the time you got there.
This is a HIPAA violation. Now there are 10 other people in front of me and I know why they’re there. This is a clear HIPAA violation. Walk away.
7. No privacy screens – A dental practice I recently walked into had nobody at the reception desk and four computers unlocked. The computers had no privacy screens on them. I could see the schedules. I could see the names. I could see all kinds of things. I took a picture of it to share with the practice. If you are able to see patient names, schedules and why they’re coming in to see the healthcare provider this is a clear HIPAA violation.
A member of a Facebook group I belong to shared an image of a pharmacist (a well know chain) who did nothing to protect the prescriptions waiting to be picked up. You were able to clearly see names, addresses and the name of the prescription. There was no privacy wall or anything to protect this information. This falls into the same category.
8. Private conversations with patients/staff in the waiting area – This happens all the time. I’ve walked into my kid’s pediatrician and they asked me to verify my name, address, phone number and if any information has changed right at the front counter, just a few feet away from where other people were waiting.
There should be a separate area for conversations that are sensitive.
This happens a lot in pharmacies. There should be a separate area where the pharmacist or the health care practice staff can have a conversation without other people being in earshot range.
9. Little/no physical security – If they don’t have locks, motion sensors, a locked room with all the files, or cameras they’re not doing everything they can to protect paper files they may have for their patients.
Here’s why I mention this. On episode 64 of the ProactiveIT Cyber Security Daily, I had to report two different practices in two different states that were burglarized. This wasn’t a stolen laptop. They were not hacked, not phishing. They were burglarized. Somebody physically broke in. And in one case they did steal healthcare files.
In the other case, it does not appear that they did, but we don’t know if they took pictures. We don’t know what they were doing.
It still happens. There needs to be some level of physical security. Those files cannot be easily accessible to somebody who breaks into the practice. If you walk in and you see the files right there behind the front desk with no locks on them, no cameras, no additional security that’s a red flag.
10. No privacy disclosure – Anytime you go to the doctor for the first time they should ask you to review and sign their privacy disclosure. They’re not going to ask you to do this every time, but I believe they must do it once per year.
They should have you sign a document explaining their privacy practices. This is part of HIPAA. They usually have you sign a document explaining their HIPAA practices too (as they should). If they don’t do this, then I wouldn’t use this healthcare practice because they’re not taking your privacy seriously.
Why Recognizing HIPAA Compliance Issues is Important to You as a Patient
If a healthcare practice is taking insurance and transmitting your information electronically to the insurance carrier then they are supposed to be HIPAA compliant. If you see any of these in your healthcare practice give us a call. We’ll give them a call and ask them what’s going on?
All it takes is one call to the HHS OCR and an investigation will be opened. This could mean anything from financial fines or settlements to a corrective action plan to technical advice. No matter what the outcome of that call is it puts the healthcare practice on the OCR’s radar. They don’t want to be on the radar.
Forget the OCR for a minute. They should WANT to protect their patient’s data because they are in the business of caring for people.