HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Seven Tips for Avoiding HIPAA Penalties in 2015

HIPAA violations may result in penalties of $100 to $50,000 per violation, depending on the conduct at issue.  If the violation results from “willful neglect” the party is subject to mandatory fines of $10,000 to $50,000 per violation. 

A single data breach may result in numerous violations.  For example, the loss of a laptop containing PHI of 2,000 patients may constitute 2,000 violations.  Additional penalties may be assessed if the breach resulted from failure to implement required policies or practices.  To make matters worse, covered entities must self-report breaches of unsecured protected health information (PHI) to the affected individual and HHS. 

The good news is that a covered entity may avoid HIPAA penalties if it did not act with "willful neglect" and corrects the violation within 30 days of the date it knew, or by exercising reasonable diligence would have known, of the violation.

Here are seven tips for avoiding “willful neglect” penalties, especially those arising from breaches of electronic PHI:

1. Conduct or update the security risk assessment required by the Security Rule. This is the first step in identifying and preventing potential security breaches. In 2014, HHS and ONC made available a Security Risk Assessment tool to help providers conduct and document their own risk analysis.

2. Implement the administrative, technical, and physical safeguards required by the HIPAA Security Rule. Most physician practices have the policies required by the Privacy Rule, but comparatively few have properly addressed the safeguards required by the Security Rule. Implementing the required safeguards is necessary not only for regulatory compliance; it is also simply good business practice given the potentially disastrous consequences of system failures or cybercrime. Again, the government's health IT website, HealthIT.gov, contains helpful tools and guides that practices may use to achieve compliance.

3. Execute business associate agreements (BAAs) with business associates.  A good BAA is not only required by HIPAA; it will also help insulate the practice from HIPAA liability if its business associate violates HIPAA.  Ensure the BAA confirms that the business associate is acting as an independent contractor, not an agent of the practice.

4. Train your employees and monitor their performance.  According to HHS commentary, covered entities may avoid HIPAA penalties based on the misconduct of a rogue employee so long as the covered entity implemented appropriate policies and adequately trained the employee.  Unfortunately, there is no similar guarantee that policies and training will protect a provider from liability for state privacy claims:  An Indiana jury recently returned a $1.44 million verdict against Walgreens based on an employed pharmacist’s privacy violations despite Walgreens’ policies and training.  Thus, physician groups need to ensure their training is effective.

5. Respond immediately to any suspected breach. This is critical for several reasons. First, HIPAA requires covered entities and business associates to investigate privacy complaints, mitigate any breach, and impose appropriate sanctions against any agent who violates HIPAA.  Second, an entity may be able to prevent the data from being compromised by taking swift action, thereby avoiding the obligation to self-report HIPAA violations.  Third, a covered entity or business associate may avoid HIPAA penalties altogether if it does not act with willful neglect and corrects the violation within 30 days.  Corrective action may include modifying policies, implementing additional safeguards, disciplining employees, and providing additional training.

6. Report breaches in a timely manner. While the initial action resulting in the breach may not have been willful, the failure to timely report a reportable breach as required by the rules may constitute willful neglect. Under HIPAA, the unauthorized access, use, or disclosure of unsecured PHI is presumed to be reportable to the individual and HHS unless the covered entity can demonstrate there is a low probability that the data has been compromised based on factors such as the type of PHI disclosed; the recipient of the PHI; whether the PHI was actually accessed or disclosed; and steps taken to mitigate any breach. 

7. Document your actions. Documenting proper actions will help providers defend against HIPAA claims. Covered entities and business associates are required to maintain documentation required by HIPAA for six years.

Although there is no guarantee that these steps will protect against breaches, they will help physician groups mitigate resulting liability under the HIPAA rules.


Securely Disposing Medical Practice Equipment

It goes without saying that computers are expensive. Medical practices will often gift used office equipment to employees or family members; or donate them to vocational programs. Risk management attorney Ike Devji says that donating old equipment like scanners, fax machines, and computers at the end of the year is very common. "At the end of the year practices will rush to spend money so that it is not taxable. They buy [new] equipment … and computers are replaced."

There's just one small problem. Deleting a file does not remove its contents from the drive: the operating system only discards the directory entry and marks the space as free, and the patient data stays on the platters or flash until something happens to overwrite it. So if you've donated your practice's scanner to the local thrift store, it still contains sensitive patient data that "a well-trained 12-year-old kid with access to YouTube can get … off the hard drive," says Devji.

Devji points out that a high-end digital scanner can store up to 10,000 pages of patient data. And equipment that is synched to your EHR, even smartphones and tablets, needs to be destroyed or disposed of in a secure manner.

If you have old equipment that you'd like to get rid of, contact your IT consultant, who should be able to point you in the right direction. Or you could follow Devji's approach: he uses his old equipment for target practice in the Arizona desert.
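The point that "delete" and "erase" are different things is easy to demonstrate on a simulated block device. The following Go program is an added example, not code from the article or from Devji: it models a tiny FAT-like disk in memory, writes a constructed patient record to it, deletes the file the way an operating system does (clearing the directory entry and freeing the blocks), and then carves the raw image for a medical record number exactly as a recovery tool would. Only after every block is overwritten does the carve come back empty. The `Carve` check is also the verification step a practice should run on a drive image before equipment leaves the building.

```go
package main

import (
	"bytes"
	"fmt"
)

// Constructed example: a tiny block device with a FAT-like allocation table.
// Deleting a file only clears the directory entry and frees the blocks;
// the bytes remain on "disk" until they are overwritten.
const (
	blockSize = 16
	numBlocks = 64
)

type Disk struct {
	blocks [numBlocks][blockSize]byte
	used   [numBlocks]bool
	dir    map[string][]int // file name -> list of block indices
}

func NewDisk() *Disk {
	return &Disk{dir: make(map[string][]int)}
}

func (d *Disk) allocate() int {
	for i := range d.used {
		if !d.used[i] {
			d.used[i] = true
			return i
		}
	}
	return -1
}

// WriteFile allocates free blocks and copies data into them.
func (d *Disk) WriteFile(name string, data []byte) error {
	var blks []int
	for off := 0; off < len(data); off += blockSize {
		i := d.allocate()
		if i < 0 {
			return fmt.Errorf("disk full")
		}
		end := off + blockSize
		if end > len(data) {
			end = len(data)
		}
		copy(d.blocks[i][:], data[off:end])
		blks = append(blks, i)
	}
	d.dir[name] = blks
	return nil
}

// Delete mimics an ordinary OS delete: the metadata goes, the data stays.
func (d *Disk) Delete(name string) {
	for _, i := range d.dir[name] {
		d.used[i] = false
	}
	delete(d.dir, name)
}

// Wipe overwrites every block, allocated or not, before disposal.
func (d *Disk) Wipe(pattern byte) {
	for i := range d.blocks {
		for j := range d.blocks[i] {
			d.blocks[i][j] = pattern
		}
		d.used[i] = false
	}
	d.dir = make(map[string][]int)
}

// Image returns the raw bytes a buyer or thrift store would see.
func (d *Disk) Image() []byte {
	out := make([]byte, 0, numBlocks*blockSize)
	for i := range d.blocks {
		out = append(out, d.blocks[i][:]...)
	}
	return out
}

// Carve scans the raw image for a marker regardless of the file table,
// which is how recovery tools find "deleted" data. It doubles as the
// verification step before equipment leaves the practice.
func Carve(image []byte, marker string) bool {
	return bytes.Contains(image, []byte(marker))
}

func main() {
	d := NewDisk()
	// Constructed PHI-like record, not real data.
	record := []byte("MRN:0001234 NAME:Jane Doe DX:J45.909")
	_ = d.WriteFile("patient.txt", record)
	d.Delete("patient.txt")
	fmt.Println("after delete, MRN recoverable:", Carve(d.Image(), "MRN:0001234")) // true
	d.Wipe(0x00)
	fmt.Println("after wipe, MRN recoverable:", Carve(d.Image(), "MRN:0001234")) // false
}
```

One caveat the simulation cannot show: overwriting works for magnetic disks, but flash storage (SSDs, phones, tablets, and the internal storage of scanners and copiers) remaps writes for wear leveling, so an overwrite from the host does not reliably reach every physical cell. For those devices, use the controller's built-in secure-erase or crypto-erase command, or physically destroy the storage, which is what the article's "destroyed or disposed of in a secure manner" comes down to.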

N.J. Law Requires Insurers to Encrypt

A New Jersey law that will go into effect in July requires health insurers in the state to encrypt the personal information they store on their computers, a stronger requirement than the one in HIPAA.

The new law, signed by N.J. governor Chris Christie last week, was triggered by a number of health data breaches in the state, including the 2013 Horizon Blue Cross Blue Shield of New Jersey breach affecting 840,000 individuals. That breach involved the theft of two unencrypted laptops.

The new law states: "Health insurance carriers shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person."

The law applies to "end user computer systems" and computerized records transmitted across public networks. It notes that end-user computer systems include, for example, desktop computers, laptop computers, tablets or other mobile devices, or removable media.

Personal information covered by the encryption mandate includes an individual's first name or first initial and last name linked with any one or more of the following data elements: Social Security number; driver's license number or state identification card number; address; and identifiable health information.

Different than HIPAA

"The New Jersey law differs from HIPAA in that it mandates implementing encryption, whereas HIPAA mandates addressing encryption," privacy attorney Adam Greene of law firm Davis Wright Tremaine says.

The Department of Health and Human Services offers this explanation of the HIPAA encryption requirement on its website: "The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of electronic PHI.

"If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision."

Greene points out that because the new state law is tougher than HIPAA, "A New Jersey health plan could determine that some of its protected health information does not require encryption under HIPAA, but they will nevertheless be required to encrypt the information under the New Jersey law."


Data Breach Reporting Requirements for Medical Practices

Are we ready to replace passwords with biometrics for access to our facilities' networks and EHRs? I know that I'm ready for something easier and more secure than my ever-changing facility login, a byproduct of being forced by the system to change my password every couple of months.

In its current iteration, the EHR at my facility takes three separate login steps to get into the record to document a patient encounter or retrieve information. This doesn't seem like much, but multiply it by 20 or 30 patients and it becomes burdensome and a significant time waster.

If a terminal is locked, I have to enter my credentials to access the system and from there, I have to enter my credentials to open the EHR. Then if I want to dictate any notes, I have to again enter my credentials to open the dictation software. It gets old in a hurry, and is a major complaint among members of the medical staff at my community hospital.

The IT team in our organization is experimenting with using the embedded near-field (NFC) chip in our ID cards as a way to log in to the EHR. It would be a big step forward and would replace most of the repeated password entry needed to reach our EHR. It would also have the added advantage of encouraging all members of the medical staff to carry their hospital IDs, but not all of the software needed for charting supports this mode of authentication.

Fast Identity Online (FIDO) is the current buzz phrase, but it does not simply mean biometrics. FIDO is a set of authentication standards from the FIDO Alliance: the user's device holds a private key, checks the user locally (with a fingerprint, a face, or a PIN), and signs a challenge from the server, which stores only the matching public key. We are already using our fingerprints in a variety of ways to unlock our phones and doors, and technologies that rely on retinas, irises, face recognition, or voice recognition are being developed to solve authentication and security problems. We have seen the future in a variety of science fiction films, and much of it is working and available technology.

While there is a tremendous upside to FIDO technology, there are also significant privacy downsides. We constantly see that passwords are not 100 percent secure, and companies tasked with protecting our personal data on their servers also fail. It is not a stretch to raise concerns about biometric data being stored on vulnerable servers, and the privacy exposure that represents for each of us as individuals: unlike a password, a fingerprint cannot be changed after it leaks.

That concern applies to any system that sends biometric templates to a central server. My fingerprints are stored on my phone as a security measure, but could an enterprising criminal find a way to use that data to reconstruct my fingerprints?

As always, computer technology and software are well ahead of privacy protections and personal security, and will remain so for some time, possibly forever.

To make it work on an EHR, we need enterprise-level solutions, as the thought of customizing my FIDO login separately at each terminal in the hospital defeats the purpose and intent of making this simultaneously easier and more secure.

It seems that an enterprising technology company would see the opportunity in allowing medical providers to quickly and securely sign into an EHR. I know that there are a lot of smart people working on this problem in an attempt to make this both easier and more secure for those of us in the trenches.

As the pace of technology development and implementation becomes more rapid, so does the need for increasing security and privacy, as well as reducing the technological burden on the healthcare providers who have to use this technology daily in the performance of their jobs. These competing trends get more important every day as EHR adoption becomes ubiquitous.
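The exchange that a FIDO-style login actually involves is short enough to write out, and it shows where the biometric data goes (nowhere). The Go program below is an added example, not code from the article or from any FIDO product: it is a deliberately simplified version of the FIDO2/WebAuthn flow in which the device generates an Ed25519 key pair at registration, the server keeps only the public key, and each login is a fresh random challenge that the device signs only after its local user-verification gate (a closure standing in for the fingerprint sensor) says yes. Binding the relying-party name `ehr.hospital.example` into the signed message, and the user name `dr.smith`, are constructed for the example; real WebAuthn binds the origin and a counter through structured client and authenticator data rather than a string prefix.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Authenticator is the user's device (badge, phone, laptop). It holds the
// private key and a local user-verification gate that stands in for the
// fingerprint or face check. Nothing biometric ever leaves this struct.
type Authenticator struct {
	priv       ed25519.PrivateKey
	verifyUser func() bool // stands in for "a matching fingerprint was just presented"
}

// Server stores only a public key per user, never a biometric template.
type Server struct {
	pubKeys map[string]ed25519.PublicKey
}

func NewServer() *Server { return &Server{pubKeys: map[string]ed25519.PublicKey{}} }

// Register creates the key pair on the device and hands the server the public half.
func Register(s *Server, user string, verify func() bool) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[user] = pub
	return &Authenticator{priv: priv, verifyUser: verify}, nil
}

// Challenge is a fresh random value the server issues per login attempt,
// so a captured signature cannot be replayed.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Sign runs only if the local biometric check passes; the device then signs
// the challenge bound to the relying party's identity so the signature
// cannot be relayed to a different site.
func (a *Authenticator) Sign(challenge []byte, rpID string) ([]byte, error) {
	if !a.verifyUser() {
		return nil, errors.New("user verification failed")
	}
	msg := append([]byte(rpID+"|"), challenge...)
	return ed25519.Sign(a.priv, msg), nil
}

// Verify checks the signature against the stored public key for that user.
func (s *Server) Verify(user string, challenge, sig []byte, rpID string) bool {
	pub, ok := s.pubKeys[user]
	if !ok {
		return false
	}
	msg := append([]byte(rpID+"|"), challenge...)
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	srv := NewServer()
	fingerprintMatches := true // constructed sensor result
	auth, _ := Register(srv, "dr.smith", func() bool { return fingerprintMatches })

	ch, _ := srv.Challenge()
	sig, err := auth.Sign(ch, "ehr.hospital.example")
	fmt.Println("login ok:", err == nil && srv.Verify("dr.smith", ch, sig, "ehr.hospital.example")) // true

	// Replaying the same signature against a new challenge fails.
	ch2, _ := srv.Challenge()
	fmt.Println("replay accepted:", srv.Verify("dr.smith", ch2, sig, "ehr.hospital.example")) // false

	// Wrong finger: the device refuses to sign, and the server learned nothing.
	fingerprintMatches = false
	_, err = auth.Sign(ch2, "ehr.hospital.example")
	fmt.Println("rejected locally:", err != nil) // true
}
```

The design choice worth noticing is that `Server` never sees a fingerprint, a template, or even a reusable secret: a breach of its database yields public keys, which cannot be used to log in. That is what separates this approach from a system that uploads biometric templates to a central server, where the article's privacy concern applies in full.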


Protect Your Practice Data Against a Breach

Technology has changed the face of patient care. But it has also opened a Pandora's Box of lurid and potentially expensive data breaches. Don't be lulled into a false sense of security because you may think your practice is too small to be a target for hackers. The lessons for large health systems are as relevant as those for small, independent practices. Data security can't be left to chance.

Ike Devji, an Arizona-based asset-protection and risk-management attorney, works with physicians to help them develop policies to protect their practice data and minimize liability risk. He says most doctors suffer from what he calls "risk myopia," meaning that they are focused too intently on mitigating malpractice risk. But what about identity theft, HIPAA violations, or securing patient financial data? "If [data breaches] could happen to the most sophisticated companies in the world, who have entire dedicated teams of IT security professionals, believe me, it can happen to your medical practice," cautions Devji.

So what should you do? There are many ways that your practice can protect itself against data breaches, even if your technology budget is slim. Here's how our experts say you should start.


Even before you invest in software and support services to protect your patient data, you need to be clear about how your practice will approach data security. Too often, practice policies are absent or left up to individuals to haphazardly carry out. According to Devji, that is asking for trouble.

Devji's experience has taught him that practices often don't take cybersecurity seriously enough. He says that crimes happen most often when there is opportunity — it is easier for hackers to target a small practice and steal patient credit card numbers, than it is to, say, break into American Express.

Another concern for practices is making sure they are compliant with HIPAA regulations. In 2013, HHS released the HIPAA Omnibus Rule that strengthened the original provisions in HIPAA, bringing the total number of regulations up to 49, says Marion Jenkins, chief strategy officer at 3t Systems, a healthcare consulting company. He says the regulatory landscape is complex, and even a small practice could be looking at hundreds of thousands of dollars in fines for an unintentional HIPAA violation.

Devji says his firm makes sure that clients have an appropriate data security plan in place that includes HIPAA protections, limits staff access to protected health information (PHI), and also identifies the individual(s) who will be responsible for implementing and monitoring the plan. Here are five other key provisions that should be part of any data security plan.


Because smaller practices don't generally have an IT support budget, they tend to gravitate to free tools and solutions, which can be problematic, says Boatner Blankenstein, senior director of solutions engineering for Bomgar, an enterprise technology solutions company. "Without having IT resources, there's just a lot of opportunity for misuse of technology. Scams and things — people calling and saying they're here to help you and they are really not," he says.

Jenkins says that the strongest leg of your risk-prevention strategy should be finding professional IT support that you can trust. "I have a three-question quiz that [practices] can give to an IT provider … The quiz has to be given orally, because the first question is 'How do you spell HIPAA?' The second question is 'What does it stand for?' and the third question is 'What is the difference between HIPAA security and HIPAA privacy?' If they can't answer those three questions, then you probably have a HIPAA problem waiting to happen," he says.


Your staff members are not able to learn your data security policies through osmosis. So, you must make data security a priority and teach them how to approach it. Devji says many times HIPAA violations occur through simple mistakes, like failing to lock computers and mobile devices with passwords, and copying sensitive data to an unencrypted USB drive.

Your staff training should cover at a minimum:

• The use of practice computers for personal e-mails and Internet surfing;

• Transporting data offsite using mobile devices;

• Protocols for departing staff members, e.g. changing passwords and network access;

• Educating staff on HIPAA requirements;

• The use of mobile devices at home and work; and

• Encrypting all patient data, regardless of the device.


In the course of a normal business day, practices are communicating electronically with multiple websites and healthcare networks, such as CMS, third-party payers, and the CDC. It is vital to have adequate virus and malware protection installed on all desktop computers and mobile devices, especially those used to access the practice's EHR system.

"[Anti-malware, anti-virus protection, anti-spam] are absolutely required by HIPAA. One of the 49 requirements is you have to protect your systems from malicious software," says Jenkins.

But don't stop there. Your software must be updated on a continuous basis. How many times have you skipped over software updates for your computer because you are too busy to stop what you are doing? Unfortunately, when you do that, you are missing out on critical security patches. Devji says "many of those updates are security specific and are continually patching vulnerabilities that are found in those programs." Skipping updates just makes it that much easier for hackers to access your computer system.


Protecting your patient data doesn't always require a sophisticated security solution. The safest thing a practice can do is guard against the loss or theft of mobile devices and make sure that all data is encrypted, both at rest and in motion. The Verizon 2014 Data Breach Investigations Report found that together, insider misuse, miscellaneous errors, and physical theft and loss accounted for 73 percent of security breaches in the healthcare industry.

The report recommends:

• Encrypting mobile devices, like laptops and USB drives;

• Backing up sensitive data; and

• Securing mobile devices with locks to immovable fixtures, like cabinets, when not in use.
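What "encrypted at rest" has to deliver, both for the Verizon recommendation above and for the New Jersey law's definition of records "secured by encryption or ... rendering the information unreadable," is that the bytes left on a lost laptop or USB drive are useless without a key that is not on the same device (HHS guidance likewise treats PHI encrypted in line with NIST as "secured," so its loss is not a reportable breach). The Go program below is an added example, not code from the article or any EHR vendor: it seals a constructed patient record with AES-256-GCM, checks that none of the identifying fields survive in the stored blob, round-trips it, and shows that any tampering with the stored bytes or with the record identifier bound to them is rejected on decryption. The `record-id:42` associated data and the in-memory key are assumptions for the example; in a real deployment the key would come from a TPM, a hardware token, or a key-management service rather than sitting beside the ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a random 256-bit key. In a real deployment the key lives
// somewhere other than the laptop or USB drive that holds the ciphertext,
// so that losing the device does not also lose the key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts a record with AES-256-GCM. The output is nonce || ciphertext || tag.
// The associated data (e.g. a record identifier) is authenticated but not
// encrypted, so a sealed record cannot be silently swapped into another slot.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open decrypts and verifies; any modification of the stored bytes or of
// the associated data makes it fail.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// LeaksPlaintext is the check a practitioner runs on what is actually on the
// device: does the stored blob still contain any of the identifying fields?
func LeaksPlaintext(stored []byte, markers ...string) bool {
	for _, m := range markers {
		if bytes.Contains(stored, []byte(m)) {
			return true
		}
	}
	return false
}

func main() {
	key, _ := NewKey()
	// Constructed record, not real data.
	record := []byte("Jane Doe|SSN 123-45-6789|DX J45.909")
	aad := []byte("record-id:42")

	sealed, _ := Seal(key, record, aad)
	fmt.Println("plaintext on disk:", LeaksPlaintext(sealed, "Jane Doe", "123-45-6789")) // false

	back, err := Open(key, sealed, aad)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(back, record)) // true

	sealed[len(sealed)-1] ^= 0x01 // simulate corruption or tampering on the device
	_, err = Open(key, sealed, aad)
	fmt.Println("tamper detected:", err != nil) // true
}
```

Two details matter for the "unreadable by an unauthorized person" standard: the nonce is fresh per record (reusing one with GCM breaks confidentiality and integrity), and the mode is authenticated, so a drive that comes back after being lost cannot have had records silently altered. File- and disk-level products such as BitLocker or FileVault do the same job for a whole laptop; the value of seeing it in code is knowing what to look for when evaluating them.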


Many practices are not aware that conducting an internal risk assessment is required by HIPAA, says Jenkins. He says he has conducted over 100 HIPAA security assessments, and the number of practices that have passed is "less than 5 percent." He says that while there are templates available through the HHS Office of the National Coordinator for Health Information Technology's website, practices should consider soliciting professional help, as "some of [the assessment] is pretty technical."

Some key action points here are:

• Engage an IT security expert or EHR vendor to audit your networks, equipment, and processes.

• Make sure that software upgrades are current on all equipment and devices.

• Review your anti-virus software to make sure it provides adequate protection.


Medical practice data security can't be left to chance; the stakes are just too high. Fortunately, after securing professional advice, there are simple things you can do to secure your information.

Take these steps to ward off loss of data and equipment:

• Create a practice data security plan

• Provide staff training on data security

• Install anti-virus and anti-malware software

• Adopt data encryption

• Conduct security audits
