The Office of Civil Rights (OCR), the “police” that enforces HIPAA’s policies, reports that most of the $67 million (and growing) in fines “stem from improper use or disclosure of electronic protected health information (ePHI); poor health information safeguards; inadequate patient access to their ePHI; and the absence of administrative safeguard for such information.” [Source: HIPAA Journal]
HIPAA Best Practices for Doctors’ Offices:
- Identify Compliance Officers – Your privacy and security officers must be named, evaluated, and have that role included in their job description. For most doctors’ practices, these responsibilities fall to the office or practice manager. Regardless of who is named the officer, that person(s) is responsible for the practice following all HIPAA regulations.
- Risk Analysis – Review your current infrastructure, policies, and practices for potential risks and vulnerabilities, including the risk of using Business Associates. Not knowing is not an acceptable excuse for OCR.
- Track PHI – Review your Protected Health Information (PHI) at every stage from creation to destruction, including both physical and electronic forms. Additionally, review how PHI enters and leaves your practice including who has access to it outside of your practice, such as Business Associates (BAs) and remote workers.
- Risk Management – Create a plan to reduce your risks and vulnerabilities to a “reasonable and appropriate level”. Document your plan and progress because we’ve seen that OCR is more tolerant when you’re making efforts to improve.
- Communicate & Enforce Policies – Many risks discovered in your initial assessment can be reduced by creating company policies such as password protecting mobile devices, access management for ePHI, and employee offboarding checklists. However, those policies are useless if no one knows about them or if they are not enforced. Much like in HIPAA’s early years, most people don’t worry about policies until the punishment increases to more than a “slap on the wrist”.
- Continually Train Your Team – People forget things that they don’t use, and all changes in policies and processes need consistent reminders. Additionally, things will be updated, so your training must change with new technologies, risks, and knowledge.
- Audit Improvements – Use your assessment as a baseline and periodically audit your practice to document the improvements you’ve already made and to discover new potential risks and vulnerabilities. Again, document everything.
- Protect Your Data – Besides usage policies and protocols, put in the necessary software and hardware to protect your medical practice, such as hard drive encryption, encrypted email, hard drive destruction, and multi-factor authentication.
- Data Breach Plan – Per HIPAA guidelines, you’re required to have a data breach plan in place, which you can outsource. You only have 60 days to contact those affected by the breach, so you don’t have time to figure out what to do once it happens. Earlier this year, a hospital was fined $475,000 for missing that 60-day period by just a few days! [Note: Some medical practices call this plan an Incident Response Plan (IRP).]
A good IT firm familiar with HIPAA’s regulations and requirements can help you measure your current risks and work with you to reduce your risks and vulnerabilities. Protecting PHI is more than just cybersecurity best practices (anti-virus, firewalls, spam filtering, etc.), although that can get you 80% of the way there.
Additionally, HIPAA requires your medical practice to make your “best effort”, meaning a medical practice with three doctors is not held to the same standards as a large community hospital. With that being said, HIPAA’s vagueness means HIPAA is not purely an IT issue. I suggest working with a good IT firm that can communicate well with your attorney, accountant, banker, and even your architect. That is one reason why My IT co-founded the Louisiana Healthcare Support Alliance: to educate ourselves on the other complexities of HIPAA outside technology and to provide our clients with knowledgeable professionals in each area of expertise.