We’ve all heard and read the news about HIPAA breaches at large organizations and even the government. But what about your small practice? Are you at risk?
I’m sure you know where I’m going with this. Yes, even your single provider, ideal medical practice can be at risk for HIPAA violations.
Don’t take insurance? You are still at risk. I point this out because one clinician told me this… they don’t take insurance and therefore were not required to follow the “Health Insurance Portability and Accountability Act”, i.e. HIPAA.
Please don’t make that same mistake!
As a healthcare provider, you are a covered entity who must follow the HIPAA rules and regulations. It has nothing to do with whether or not you take insurance in your practice. For more on who must comply with HIPAA standards, please visit this link.
The issue is that many smaller practices are not up to par on HIPAA compliance. In fact, the HIPAA Journal reported that a survey by NueMD (an EMR company) showed:
- Over half of respondents were unaware of the HIPAA compliance audits that have been planned.
- Approximately 30% did not have a HIPAA compliance plan in place.
- Slightly over 58% conducted annual staff training on the HIPAA rules.
- And only 68% knew they needed Business Associate Agreements (BAA).
There are several issues that are seen in practices today. They include:
- Snooping. We’ve certainly seen news articles where someone shared the information of a celebrity, but what about in our own offices? Medical information is not supposed to be accessed except for medical reasons. Are we (or staff members) looking at a spouse or at a friend’s record?
- Recently, there was a case of an NP who left one employment situation and took patient records to her new place of employment. Wrong.
- Furthermore, are you responding to patients online? Remember, patients can share what they want… your only response, if you are drawn in, should be a request that they contact you at the office to discuss.
- What happens when we run into them at the store or other public places? This has certainly happened to me and was embarrassing for the patient (though she didn’t understand that), other patrons in the store, and for myself. Gently ask the patient to call the office and change the subject as quickly as possible. “How about this great weather we are having!”
- What’s on that laptop, smartphone, tablet, or thumb drive? Is it encrypted? Did it get lost? Stolen? Bingo.
- Telehealth is all the rage right now. Are you using Skype? FaceTime? Make sure that whatever you’re using is HIPAA compliant and that you can get a BAA.
- What about email? Are you using Gmail, Yahoo, or Hotmail? I hope not. Make sure you are emailing and texting through HIPAA secure platforms. Again, see if you can get a BAA.
Keep in mind that practices get hacked, information is stolen, and people access information when they are not authorized to do so. But also keep in mind that records are sometimes faxed or sent via courier or mail to the wrong recipients. And at times people can overhear conversations that should be private (your front desk, from the exam rooms, over the phone).
Ransomware is an attack in which an attacker gains access to your system and locks up everything until you pay a ransom to unlock your data. This is something that can affect your personal systems as well as your work systems. To my knowledge, this has not yet hit smaller practices, but it easily can. Here’s how it works.
You receive what looks like a legitimate email with an attachment. That attachment may be an MS Word or Excel document with an embedded macro that will attempt to download malware and take control of your computer.
Perhaps there is no attachment but a link to click, which then installs the ransomware program on your computer.
Once it’s on your computer, it ties up your system and tells you that you’ll need to pay a ransom to regain access to your data. My understanding is that your backup data can also be infected.
The first step is to educate everyone who has access to your computers to be careful about clicking on links or downloading attachments. I’m very careful: even when it looks like it came from someone I know, if there is anything suspicious, I don’t click or download.
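As an added example (not from the original post), here is a small Python check that a practice's IT helper could run over saved messages to flag the two delivery routes just described, a macro-capable Office attachment or a link in the body, without ever opening the attachment. The sample messages and addresses are constructed.

```python
# Added example, not from the original post: triage saved email for the two
# ransomware lures described above (macro-capable Office attachment, or a link).
# It inspects message structure only; it never opens or runs the attachment.
import re
from email import message_from_string, policy

# Office formats that can carry VBA macros: macro-enabled Open XML (.docm etc.)
# and the legacy binary formats (.doc, .xls, .ppt).
MACRO_CAPABLE_EXT = {".doc", ".dot", ".docm", ".dotm", ".xls", ".xlt",
                     ".xlsm", ".xltm", ".ppt", ".pptm"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def triage(raw_email: str) -> dict:
    """Return findings for one raw RFC 822 message as a dict."""
    msg = message_from_string(raw_email, policy=policy.default)
    findings = {"macro_attachments": [], "links": []}
    for part in msg.walk():
        name = part.get_filename()
        ctype = part.get_content_type().lower()
        if name:
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            # Flag by extension or by the macro-enabled MIME type Office uses.
            if ext in MACRO_CAPABLE_EXT or "macroenabled" in ctype:
                findings["macro_attachments"].append(name)
        elif ctype in ("text/plain", "text/html"):
            findings["links"].extend(URL_RE.findall(part.get_content()))
    findings["risky"] = bool(findings["macro_attachments"] or findings["links"])
    return findings

# Constructed sample: the "invoice with an embedded macro" lure.
SAMPLE_INVOICE = """\
From: billing@example.invalid
Subject: Overdue invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please open the attached invoice and click Enable Content.
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12
Content-Disposition: attachment; filename="invoice.docm"

--b1--
"""

# Constructed sample: the "click this link" lure with no attachment.
SAMPLE_LINK = ("From: it@example.invalid\nSubject: Password expiry\n\n"
               "Renew now at http://example.invalid/renew or lose access.\n")
```

A message flagged as risky is one to set aside and verify by phone, not one to open.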
Here are two articles for more information and thoughts on how you can protect yourself.
- Steps to Avert Ransomware at Your Medical Practice
- How to stay protected against ransomware by Sophos (this is a pdf document)
What can you do?
There are several things you need to do to protect yourself. First and foremost, if you have not run the Security Risk Assessment, do so now. And if you have, did you make the indicated corrections? By the way, this is one of the things auditors look for when you are undergoing a HIPAA audit.
How are your policies and procedures? You need several including:
- Patient Permission Documentation
- Annual Staff Training (don’t forget to document it!)
- Consent forms
- Business Associate Agreements
- Procedures for Breach Notification
- Disposing of devices and PHI
This is only a sampling of the things you’ll want to make sure you address… no matter the size of your practice.
Again, to learn more about HIPAA and what you need to do, visit HHS. You’ll find training, compliance, sample documents, and more.
Let us know in the comments below where you find your greatest challenge in regards to HIPAA.