By Troy Young and Bobby Seegmiller
As a provider, you are responsible for protecting your patients’ information. Data access must be restricted both in house and throughout the entire process of transferring electronic protected health information among authorized parties. There are many places this safeguarding can go awry, a reality that can be overwhelming to providers in general, and to health information professionals in particular.
Not sure where to begin? You’re not alone. Read on for yearly must-dos, frequent auditor questions, common compliance threats, and go-to guidance tips for a smooth compliance journey.
Complete a Risk Analysis
The critical first step on the path to HIPAA compliance—a step that must be taken annually—is performing a HIPAA security risk analysis, also referred to as a risk assessment. This process will help you identify the proverbial “holes in your boat” before you set sail on the compliance journey. Think of it as an inspection: you can’t fix what you don’t know is broken.
A risk analysis is generally a small investment that can address a very large potential problem—your ship sinking. In addition to Health and Human Services’ Office for Civil Rights’ HIPAA enforcement teams, state attorneys general also have the authority to bring civil actions for violations of HIPAA Privacy and Security Rules, which include hefty fines. Regardless of your participation in meaningful use or other reimbursement programs, you’re required to perform a risk assessment annually under the HIPAA umbrella.
The good news is, achieving HIPAA compliance requires the effort toward resolution—not attaining perfection in remediation. By performing a risk assessment, practices can identify compliance gaps and put a plan in place to correct the issues and pass the audit. By next year, the practice can demonstrate its progress.
In honoring your promise of protecting patient data, make this annual assessment covering physical, administrative, technical, and organizational components a priority. While many providers wait until quarter four to complete their analysis, hoping for leeway on the submission with no risk of penalty, those days are gone. December 31 is the absolute cut-off, so don’t wait to begin.
What Auditors Are Asking
If you don’t remember risk assessments being required—and enforced—even just five or six years ago, your memory isn’t failing you. Auditors have increased their focus on risk assessments in the past two or so years. This is very often the first question an auditor will ask: “Where is your HIPAA security risk analysis?”
Another common area of auditor attention is the trusty policies and procedures document. If your practice’s copy has been sitting on a shelf gathering dust for the past six years, you’re in compliance danger. It needs to be updated frequently or you could be hit with a fine. Often, submitting a sample will do, but make sure the practice has updated the entire document and communicated changes throughout the organization.
Auditors also tend to ask for documentation regarding HIPAA compliance training. These questions illustrate the relatively recent shift of auditing from an external perspective to an internal one. It’s vital that administration frequently communicates with all employees regarding the importance of HIPAA compliance, and includes simple reminders for ways the staff can help the practice meet its goals.
A Human Factor
Today, many health systems and smaller physician practices alike are taking cybersecurity very seriously. Even IT departments that create a “Fort Knox”—or gold standard of security—are still vulnerable to threats. With safeguards in place, the back door can still be left open.
That back door? It’s usually the employees; an attack is only one careless click away. Data theft is often traceable to human error or misuse inside the organization. Between 2009 and 2017, 53% of 1,138 breach incidents started internally. Phishing e-mails, specifically, have become a huge problem for health care organizations. They are cleverly executed, look legitimate, and arrive persistently and strategically.
Of 1,300 US physicians surveyed by the American Medical Association and Accenture, 83% had experienced a cyberattack and more than one-half of these came in the form of a phishing e-mail. HIPAA training and awareness in this area are key. Consider performing simulated e-mail phishing to see which employees take the bait. Teach staff members how to recognize the risks of a breach and encourage them to stay aware and vigilant.
Emphasize the importance of selecting strong passwords and updating them frequently, as well as logging in and out of computers. Persist in the demands for encryption and multifactor authentication, despite pushback from physicians and other staff members regarding the ease of workflow. Security must come first. Consistent training is key for protecting patient data.
Finally, make sure any business associates that have access to your patient data perform risk assessments annually. Whether it’s a referring physician, software vendor, laboratory, or medical imaging group that’s handling your records, their breach is ultimately your responsibility. Have a good business associate agreement in place and demand to know what they’re doing to protect patient records. If there are holes in the associate’s security system, understand what they are and the partner’s plan to remediate them.
Solutions for Practices of Any Size
Unfortunately, there’s no shortage of security threats in health care—from hardware and software to people. For a comprehensive guide to compliance and protected health information points of entry, refer to the Office of the National Coordinator for Health Information Technology’s Guide to Privacy and Security of Electronic Health Information, which covers how to avoid the most common pitfalls.
In this complex compliance climate, of course, not every practice is able to sustain a full-time HIPAA security officer. The changing requirements—on both the state and federal levels—are particularly challenging for small practices to keep up with. Still, for administrative staff wearing multiple hats, HIPAA compliance is attainable with the help of technology. When selecting a compliance solution, look for a tool with regularly updated software that tracks the latest state and federal regulations and audit protocols, including those of the National Institute of Standards and Technology and the Office for Civil Rights. Additionally, software that integrates directly into the EHR can significantly simplify the process. The benefits of this option include automation of tasks and reminders; progress tracking and updates; identification of risks and assignment of likelihood and impact; and remediation, certified auditor review, and final report findings.
— Troy Young is chief technology officer at AdvancedMD.
— Bobby Seegmiller is senior vice president at HIPAA One.