Scheduling software vendor Zocdoc announced this week that, for the second time, its software-as-a-service product failed to be HIPAA compliant. It allowed unauthorized individuals in its customers' offices to access protected health information.
Key requirements of HIPAA compliance are user passwords and audit trails, to ensure that only authorized employees can access protected health information and that, once inside the system, they are further limited to viewing only the information they are authorized to see.
Zocdoc's scheduling software product gave old, and even revoked, employee usernames and passwords at its customers' offices open access to far more than just an internet scheduler. A "bug" in the software allowed such users open access to otherwise secured information, including protected health data, and once inside, a user encountered no internal restrictions.
While much of the effort in securing health data is focused on external hacking threats, the risks of human error and of employing flawed software products that are not HIPAA compliant remain equally important.
In these cases, the only way to identify these threats is for individual offices to conduct the HIPAA-required regular, thorough, and careful internal self-audits to check the performance of the software they have purchased.
In some cases, software has allowed users to post data to public-facing internet portals. Through human error, this protected data becomes compromised. Earlier this month, a health department employee in Wyoming accidentally published test results on the internet for one quarter of the state's population, including their blood-alcohol tests, COVID-19 tests, and influenza tests.
HIPAA requires software intended for use with individual health information to meet certain privacy and security standards. These requirements include internal controls to disallow all such unauthorized actions and employee mistakes. HIPAA also requires any business handling individual health data to discover vulnerabilities in their software through robust self-audits.
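One way an office could carry out the self-audit the text calls for, as an added example (not Zocdoc's code; the roster, accounts, permission names and log entries are constructed sample data): reconcile the vendor portal's account table and audit log against the HR roster, flagging revoked employees who are still enabled, accounts holding more access than their job role allows, accounts with no matching employee, and any access recorded after an employee's termination date.

```python
from datetime import date

# Constructed sample data. HR roster: job role and termination date (None = still employed).
HR_ROSTER = {
    "alice": {"role": "front_desk", "terminated": None},
    "bob":   {"role": "nurse",      "terminated": date(2021, 3, 1)},
    "carol": {"role": "billing",    "terminated": None},
}
# Constructed snapshot of the vendor portal's accounts; permission names are hypothetical.
PORTAL_ACCOUNTS = {
    "alice": {"enabled": True, "permissions": {"schedule"}},
    "bob":   {"enabled": True, "permissions": {"schedule", "view_phi"}},
    "carol": {"enabled": True, "permissions": {"schedule", "view_phi"}},
    "dave":  {"enabled": True, "permissions": {"view_phi"}},
}
# Minimum-necessary policy: the permissions each job role is authorized to hold.
ROLE_PERMISSIONS = {
    "front_desk": {"schedule"},
    "nurse":      {"schedule", "view_phi"},
    "billing":    {"schedule"},
}
# Constructed portal audit-log entries.
AUDIT_LOG = [
    {"user": "bob",   "action": "view_phi", "when": date(2021, 3, 15)},
    {"user": "alice", "action": "schedule", "when": date(2021, 3, 16)},
]

def audit_accounts(roster, accounts, role_perms):
    """Return (user, finding) pairs for every enabled account that violates policy."""
    findings = []
    for user, acct in accounts.items():
        if not acct["enabled"]:
            continue
        person = roster.get(user)
        if person is None:
            findings.append((user, "orphan_account"))          # nobody in HR owns it
        elif person["terminated"] is not None:
            findings.append((user, "revoked_but_enabled"))     # the Zocdoc failure mode
        else:
            excess = acct["permissions"] - role_perms.get(person["role"], set())
            if excess:
                findings.append((user, "excess_permissions:" + ",".join(sorted(excess))))
    return findings

def audit_access_log(roster, log):
    """Return log entries where a terminated employee used the portal on or after termination."""
    return [e for e in log
            if roster.get(e["user"], {}).get("terminated") is not None
            and e["when"] >= roster[e["user"]]["terminated"]]
```

Running both checks on the sample data flags bob (revoked but still enabled, and active after termination), carol (PHI access her billing role does not justify) and dave (no matching employee), while alice passes.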
[P]rogramming errors...allowed some past or current practice staff members to access the Provider Portal after their usernames and passwords were intended to be removed, deleted or otherwise limited...