If asked, most medical practices would say they take the privacy and security of patient health information seriously. After all, HIPAA has been around for a while, and nearly every practice has at least a few policies that address the legislation. Though they understand the importance of protecting their patients, HIPAA compliance in physician practices often falls short, with a large number of organizations having insufficient policies and procedures to mitigate the risks of outside audits.
The reality of HIPAA compliance
Given the many competing priorities that small practices face, HIPAA compliance may not be top-of-mind. Some organizations may even underestimate the importance of revisiting their program to ensure it is up to date. There are a few common "reality checks" that practices should keep in mind as they work to comply with HIPAA rules.
Data breaches are a constant threat.
There is a common misperception among medical practices that privacy and security breaches happen more frequently in larger organizations, like hospitals or health systems, than in smaller practices. However, data from HHS' Office of Civil Rights (OCR) shows that covered entities of every size are susceptible to incidents. These breaches take different forms, from information theft, loss, and hacking to fraudulent activity, inadvertent disclosure, and improper disposal. The reality is that no organization is immune to HIPAA breaches. In fact, because smaller facilities are often unaware of all the potential threats, they may be even more vulnerable to issues.
Employees can pose a significant risk.
Although most employees would not knowingly steal patient information, they may inadvertently violate HIPAA regulations if they are not appropriately trained. Consider the employee who is worried about a sick friend from work. He may access the friend's medical record to check on their recent treatment and get their address to send a "get well" card. While done with the best of intentions, this is still an egregious HIPAA violation that could result in a substantial fine for the practice.
Staff can also put the organization at risk when they take shortcuts in the interest of time. For example, if a physician is in a hurry and shares his medical record password with an assistant or colleague so the coworker can shut down the physician's computer or update a record in his absence, this could result in serious security breach violations.
Patients are aware of their HIPAA rights.
When HIPAA first emerged, patients along with healthcare providers were not tremendously clear about what the law entailed. However, over the years, patients have become much more savvy and more concerned about the safety of their personal health information as they hear about high-profile breaches in the media. As a result, patients have greater expectations about an organization's responsibility to consistently safeguard privileged and sensitive information.
Strategies for enhancing HIPAA compliance
Although HIPAA compliance is complex, organizations that take an intentional approach can ensure they adequately preserve data safety and security for their patients and the practice as a whole.
Here are three key steps that medical practices can leverage to make up a strong HIPPA compliance strategy.
Conduct a risk assessment.
The chances of data breaches vary depending on the type of organization and the level of current precautions and protections already in place. As such, practices should assess their risk to fully appreciate any hazards and identify where they can improve. A gap analysis can be done formally or informally and should involve policy, technology, and training reviews, as well as vulnerability testing. To support a detailed risk assessment, a practice may want to consult a HIPAA expert who is intimately familiar with the legislation and the plethora of requirements.
Develop a compliance plan.
Having a "live" compliance plan helps to mitigate any risks uncovered in the initial risk assessment. While there are more than 50 different policies an organization can create to tackle HIPAA concerns, there are a few specific areas that all medical practices should address. For example, organizations should develop a policy related to minimum disclosure — the idea that the organization only shares what is absolutely necessary from patient information. For instance, if an attorney calls and asks for a patient's medical records but just requires the date of a particular service, it is up to the physician practice to determine what specifically the attorney needs and only send that information.
Another necessary policy deals with a patient's request for an amendment to their medical record. Even though most organizations realize that patients have a right to request their medical record, they may not know individuals also have the right to ask for changes to that record. Organizations must respond to these queries within 60 days. Developing a policy that covers this policy ensures an organization knows how to consistently handle requests, is prompt with its response, and avoids any violation.
Offer robust training.
Just creating policies is not enough to preserve data privacy and security. Organizations must also make sure their staff understands and can reliably execute these policies. First, organizations should include HIPAA compliance in their orientation programs so new staff fully grasp their role in safeguarding patient information. Second, practices should provide regular refresher training to help staff stay current with any new developments. These education sessions may occur periodically or after risky incidents. For instance, if a practice falls victim to a phishing scheme, the organization may want to give staff a brief reminder on how to recognize suspect e-mails.
Related: EHRs' broken promise
Technology enables better training. Leveraging Web-based solutions from outside HIPAA experts can ensure an organization offers a comprehensive and accessible program. Through online solutions, staff can access education materials when and where it is convenient, helping support greater participation. Leaders can also easily verify who has completed the program and which staff members require reminders.
Resting on past work is not an option
Although medical practices have made some progress toward achieving HIPAA compliance, most have a long way to go before they can be comfortable with their information security efforts. Taking a concerted approach that assesses and mitigates risk, leverages outside experts and delivers robust and regular training is a good way to get started down the path toward heightened data safety.
Lyn Triffletti is the vice president of Steri-Safe Compliance Solutions at Stericycle, Inc. She can be contacted at [email protected].