Choosing the right person to be the HIPAA security officer for your practice can make a big difference in how the staff views compliance.
One of the requirements of the Health and Information Portability and Accountability Act (HIPAA) is to name a security officer. In smaller practices, the position of security officer is often filled by default, by whoever appears to have the time to fill it.
However, taking some time to consider the talents and skills of each staff member could mean the difference between having a security officer who is truly dedicated to getting the job done, and having one in name only.
Diane Robben, JD, of Sandberg Phoenix & von Gontard, in St. Louis, Missouri, says one of the most important steps a practice can take regarding HIPAA is developing a culture of compliance. “Unless compliance is built into daily operations, and the staff is living and breathing it” says Robben, then all you will have is a set of policies in a binder on a shelf, which are unlikely to be useful in the event of a data breach.
HIPAA requires practices to name both a privacy officer and a security officer. The two roles do have some overlap; however, Robben suggests that having two separate people fill them allows for checks and balances. Both the privacy officer and the security officer need to have a thorough understanding of how the practice operates, where the problems with compliance are most likely to occur and a good idea of what will motivate the staff. They both need to be connected to every part of the practice, from the doctors and nurses to the billing and front office staff.
One big difference in the two roles is that the security officer needs to be more focused on the IT and technology side of operations. “They have to know where your (personal health information) PHI lives,” says Robben. Every medical practice has PHI that must be protected, whether it is contained in paper charts, or, more likely, in an electronic health record (EHR) system accessible from networked computers, online or even through mobile applications. Each technological innovation brings along a security risk, and the security officer should be aware of each of those risks.
The security officer needs to know whether or not physicians are accessing PHI from their phones or tablets, whether there is even a remote possibility of a laptop containing accessible PHI being lost or stolen, as well as where physical charts are located within the office. Robben says, “The security officer has to understand all of that and then develop policies to help control PHI and to keep it safe.”
The idea that one person on staff must both understand where PHI is vulnerable and find ways to secure it may be overwhelming. In smaller practices, staff members may lack technological know-how. Robben says that is not a terrible handicap, even for the security officer.
“The security officer doesn’t have to have all the answers,” she says, “but they do need to be able to [identify] the issues,” and know when to ask for help. Having an outside firm come in to help audit security practices or to strengthen a firewall is reasonable and often necessary. Robben notes that in smaller practices, “often decisions are made on a financial basis,” and risks must be prioritized.
Robben says a common question from small-to-medium sized practices is whether or not it is possible to outsource the role of HIPAA security officer. Robben strongly advises against having an IT company serve as the HIPAA security officer for a practice, as, “you are not going to have the cultural shift within the organization without someone having the responsibility.”
She says, for example, when a staff member gets a new phone, the security officer would be the person notified-and make sure password protection has been enabled. The security officer needs to be able to motivate people to change. They need to know whether a carrot or a stick will work better, she jokes.
Crafting policies that make sense for the organization isn’t enough, although it is important. Robben says it is critical for the security officer to be proactive. “You need to spend a day walking around the office, trying to do bad things,” Robben advises security officers. She says a good exercise is to imagine you are a patient who needs to go to the restroom. No one is around, so you wander out of the exam room, looking for the restroom. Do you find a chart, lying open on a desk? Are computer screens locked or is PHI visible? “Everybody plays a role in being HIPAA compliant,” she says, “but you have to have someone policing it.”
Rather than naming a staff member who will simply take responsibility for the role of security officer, practices should seek out someone who will seek out education opportunities, read the latest HIPAA and technology news, and look for chances to learn.
“You want someone who is going to be proactively looking at the systems and the organization and who will take steps to tighten things down instead of waiting to react when something happens,” says Robben, “because something is going to happen.” She offers the example of a stolen laptop, noting that if the security officer has done a good job, the practice is facing a rather small property loss and not an expensive and potentially embarrassing data breach with legal ramifications.