With the government conducting a new round of HIPAA privacy and security audits in 2017, small medical practices need to be prepared
The problem is that most are not.
In an assessment of its first round (Phase 1) of audits, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), which is responsible for enforcing patient privacy rules, found that many healthcare entities, including smaller practices, are having difficulty not only with implementing security technology to protect patient data, but also with implementing plans and selecting personnel to manage HIPAA compliance at their practice.
Struggling with HIPAA protocols
In fact, 66% of entities lack complete and accurate risk assessments in a review of Phase 1 audits, according to Zinethia Clemmons, OCR’s HIPAA compliance audit program director.
Research from SecurityMetrics, a data security company in Orem, Utah, suggests that protecting digitized patient health information continues to be a low priority for small practices.
A poll of 150 healthcare professionals responsible for HIPAA compliance at organizations with fewer than 500 employees found that:
51% don’t test employees on HIPAA-related training;
50% of respondents don’t know if their organizations use multi-factor authentication;
41% don’t know how often their firewall rules are reviewed;
27% don’t encrypt emails containing patient data; and
26% don’t use mobile encryption.
There are a variety of reasons why small practices find it difficult to make their systems HIPAA-compliant. One is finding information on how to prepare. OCR and the Office of the National Coordinator for Health Information Technology (ONC) have a HIPAA Security Risk Assessment tool available online to assist small and medium-sized practices (bit.ly/HIPAA-SRA).
Many small practices also haven’t implemented measures to prepare for a potential HIPAA audit. In a recent study by cloud-based practice management software provider NueMD, 30% of healthcare professionals said they didn’t have a compliance plan. Fifty-four percent said they did not have a security or privacy officer, and 60% were unaware of the planned increase in audits under OCR’s Phase 2 HIPAA Audit program, which began last year and is ongoing.
Clemmons says that small practices preparing for the new round of audits should use the federal government’s HIPAA audit protocol, which provides specific guidance on what is required. It is available on the Department of Health and Human Services’ website.
Inadequate resources may be another reason many small practices rely on their software vendors to manage HIPAA compliance issues. Some small practices may believe mistakenly that software or billing vendors are taking care of HIPAA security issues, Clemmons says.
Against this background, physicians such as Rodney Hood, MD, are keeping up with HIPAA audit requirements by strengthening their defenses against patient data theft.
Hood, an internist who runs a two-physician practice in San Diego, California, has taken several steps to prepare for an audit. For example, he recently bought a new cloud-based EHR system for his patient data management operations, and assessed its HIPAA-compliant features as part of the selection process.
He has also contracted with a local IT company to check for software vulnerabilities. The company is addressing any that it finds by providing patch management services, updating legacy applications and assisting staff with log management software.
Additionally, Hood belongs to an independent physician association (IPA), which provides his practice with services such as identifying consultants that offer a HIPAA security risk assessment at a reduced rate. Through his IPA, Hood performs an annual mock HIPAA risk assessment of his IT systems, policies and procedures.
He has assigned the practice’s office manager responsibility for training staff on many aspects of security such as changing passwords, alerting staff to the dangers of opening unusual emails and making sure that computer screens cannot be seen by patients or visitors.
Hood says that as small practices redesign their business operations around managing larger quantities of data, they are increasingly forced to engage the services of IT service providers such as cloud services and IT consulting companies to help manage and secure patient data.
“In a small practice like this, we rely on our partners: the EHR vendor, the local IT company we’ve hired and the IPA we belong to, along with our office manager, to take care of securing patient data,” Hood says. “We assume and accept what we are being told by the vendors about how secure the software is or isn’t.”
OCR conducts two types of HIPAA audits: on-site and desk. The Phase 1 HIPAA Audit Program, which occurred in 2012, included on-site audits by auditors who interviewed key personnel and observed processes and operations to determine compliance with the HIPAA Privacy and Security Rules.
The Phase 2 HIPAA audit program, now underway, consists of desk audits. During a desk audit, practices are asked to provide documentation of their privacy, breach notification and security practices electronically via a secure web portal.
Mark Swearingen, JD, a lawyer with the Indianapolis, Indiana, law firm Hall, Render, Killian, Heath & Layman, PC, has several recommendations for small practices as they prepare for a potential HIPAA audit:
Develop and implement policies and procedures that address HIPAA requirements.
For example, practices need to develop HIPAA-compliant protocols for responding to outsider requests for patient medical records. Among the questions to be answered are:
Implement practices that adhere to HIPAA privacy requirements for physical safeguards.
For example, make sure that conversations during patient registration can be held in private. Also, ensure computer screens can’t be seen by patients and visitors to the practice.
There is no prohibition on the privacy or security officer performing other activities or functions, which means small practices don’t necessarily have to hire a person solely dedicated to doing this job, but HIPAA requires that they identify someone within the practice to manage HIPAA compliance activities.
The individual in charge of privacy and security activities must demonstrate that the practice has made good-faith efforts to meet HIPAA requirements, including obtaining and regularly reviewing HIPAA policies, ensuring that employees are trained on the policies, making sure that an IT risk analysis is performed and problems are addressed and ensuring that business associate agreements are in place as necessary.
Always have an agreement.
Where a third party performs a service or function on behalf of the practice that involves access to patient information, that third party is a business associate under HIPAA and the practice should not disclose such information to the business associate until a business associate agreement has been signed.
Practices utilizing cloud computing technology to host their patient data should ensure a business associate agreement is in place with the cloud service provider.
These practices also should have an agreement with the provider addressing issues such as security responsibility and data backup and recovery in the event of an emergency such as a ransomware attack, apportionment of liability and how data will be returned to the customer after service use ends.
Make sure mobile devices are encrypted.
Implement policies that address how these devices are managed. For example, policies should state whether or not laptop computers can leave the premises. Practices should make sure apps doctors use to manage patient care have sufficient safeguards to protect the confidentiality, integrity and availability of patient information.
Prepare and maintain documentation of HIPAA compliance activities so that information is readily available in the event of an audit. Not only will this improve the overall function of the practice’s compliance program, it will better position the practice to respond to a government request in a timely manner. (Practices selected for a HIPAA desk audit have only 10 days to prepare and send the requested documentation to OCR.)