A married couple — both doctors who shared a medical practice — almost divorced over a HIPAA breach that blindsided them when a patient called to say that her medical records appeared in a Google search and she was filing a lawsuit.
The orthopedist of a small practice didn’t want to fund the cost of
an IT service provider to make sure his network was secure. Instead the
doctor hired his cousin who earned his IT stripes fixing performance
problems on his own laptop. Unfortunately, the family member never
updated the practice’s malware software and patient data ended up on a
rogue server. Now it’s being held for ransom.
The Smaller the Practice the Less the Compliance
medical practices with 20 or less employees, doctors are often
reluctant to spend money on HIPAA security than larger practices.
Importantly, the latter will have a compliance officer who makes sure
HIPAA rules are followed, employees are trained, and policies and
procedures are up to date.
Doctors running small practices don’t
believe they’re at risk for a data breach so they ignore the same steps
taken by the compliance officer. Meanwhile, it’s ordinary human errors
that could take down the practice. An employee leaves his tablet in a
taxi or thieves break into the office and steal two laptops that contain
patient records. Or the doctor loses his laptop and keeps it under
wraps since he thinks he hasn’t stored any patient records on it, so no
one needs to know. However, a disgruntled employee who was terminated
gets revenge by reporting the practice to the Department of Health and
Human Services’ Office of Civil Rights (OCR). The OCR accuses the
practice of having a breach and hiding it, and calls for an
These are all real world events that have sent
medical practices into a tailspin. Doctors call a HIPAA compliance
expert in a panic because they’re now caught in the web of the OCR and
scrambling to prepare for an audit. Worse yet, these compliance risks
were right under their noses.
The Practice Needs As Much Care As the Patients
risk of a data breach can be as life threatening to the practice that
doesn’t protect its data, as the risk of lung cancer is for the patient
who chain smokes. Think of a data breach as a disease and the stolen
laptop causing pain and suffering, and eventual death, which could all
be prevented. Doctors should think about data breach prevention and
care for their businesses with the same commitment to disease prevention
and care for their patients.
When a practice fails to perform a
security risk assessment or ensure that his employees used strong
passwords, not long after he is convincing OCR auditors that the breach
was an accident. He has to hire attorneys to complete the audit and
there is no budget left to invest in more network security, or cyber
HIPAA Compliance Made Easy for Small Practices
There are some simple steps small practices can take that will take far less time than preparing for an OCR audit:
- Perform a security risk analysis
— Analyze how patient information is currently protected. How often
does the practice perform data backups? Is there a termination procedure
when an employee leaves? Do employees have the minimum level of access
to patient information? Are all portable devices encrypted? Are medical
records protected in case of fire or flood, or lost or stolen laptops
that contain patient information?
- Train employees
— Make sure they know how to spot phishing scams and suspicious links
in emails, recognize fraudulent “IT experts” who call in to upgrade an
operating system. They should also know to avoid conducting business on
public Wifi, and minimize sharing on social networks.
- Inventory patient information
— Locate where all patient information is stored. It could be an EHR or
a word document in the form of patient letters, or excel spreadsheets
as billing reports or scanned images of your insurance carrier’s
explanation of benefits (EOB). This information resides on desktops,
laptops and mobile devices, and should be encrypted.
- Employee data theft
— Employee theft of information is one of the leading causes of HIPAA
breaches in small organizations. An employee steals patient information
and opens a charge account at a local department store. The patient
finds out and sues the practice for not protecting her electronic
protected health information (ePHI). Employees should have minimal
access to EHRs — only the information they need to perform their duties. Also data logs should be checked.
- Breach Response Plan
— Is there a response plan in place in case a breach does occur? The
plan should include who will be on the response team, what actions the
team will take to address the breach, and what steps they’ll take to
prevent another similar breach from occurring. Make sure the plan is
documented and all employees are trained on what they need to do.
few actions can make the difference between being sued by patients for a
data breach and gaining their confidence that their doctor cares as
much about their health as he does for their security.
Source(s): https://www.hcsiinc.com, Art Gross, http://www.physicianspractice.com