If you’ve ever been speeding down the highway, passed a police car, then slowed to well below the speed limit, hoping you wouldn’t get pulled over and handed a citation, then you are likely doing the same thing when it comes to your HIPAA compliance.
Until you’ve opened a letter from the U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) notifying you that your practice is being audited for Health Insurance Portability and Accountability Act (HIPAA) compliance, you won’t realize the gravity of the situation.
Now you must confront the fact that you’ve done only a bare-bones risk assessment as you’ve sped through your practice day. The electronic protected health information (ePHI) that sits on your network is vulnerable to a security breach because you haven’t plugged all the leaks. And an OCR auditor handing out a steep fine for noncompliance could be waiting around the corner.
Here are the steps your practice should take to protect your patients’ information – and pass an audit:
Capture and inventory where patient information is stored, accessed, or transmitted. Most people think of their electronic health record system as their only source of patient records, but patient information can be in a word processing document or a billing report. Patient information could also be in emails or text messages.
How often does the practice perform data backups? Are employees logging into public Wi-Fi networks or sharing information on social media? Is there a termination procedure when employees leave the company?
The likelihood and impact of each threat should also be analyzed. How is the practice protecting information in the case of a natural disaster, the loss or theft of a laptop computer containing patient information, or an email sent to the wrong patient? Have a policy in place for each of these scenarios, and make sure patient information is secure and protected if it’s stored on a laptop.
A security risk assessment will identify additional security measures to reduce the likelihood of a threat and its impact.
A thorough assessment will help a medical practice identify the additional security measures and procedures needed to lower the risk of patient data breaches and to satisfy OCR auditors.
Track access to ePHI and patient data to detect unauthorized access.
Such tracking does more than protect against attacks; it can also help reduce any potential penalties, since auditors will take into account whether a practice did all it could to protect the data.
Train employees to recognize “phishing” and telephone scams. Track the movement of visitors and patients while they are in the organization’s facility. Don’t assume there will be no problems: Have documented disaster recovery procedures in place.