A married couple — both doctors who shared a medical practice — almost divorced over a HIPAA breach that blindsided them when a patient called to say that her medical records appeared in a Google search and she was filing a lawsuit.
The orthopedist of a small practice didn’t want to fund the cost of an IT service provider to make sure his network was secure. Instead the doctor hired his cousin, who had earned his IT stripes fixing performance problems on his own laptop. Unfortunately, the family member never updated the practice’s anti-malware software, and patient data ended up on a rogue server. Now it’s being held for ransom.
The Smaller the Practice the Less the Compliance
For medical practices with 20 or fewer employees, doctors are often more reluctant to spend money on HIPAA security than larger practices are. Importantly, the latter will have a compliance officer who makes sure HIPAA rules are followed, employees are trained, and policies and procedures are up to date.
Doctors running small practices don’t believe they’re at risk for a data breach, so they ignore the same steps taken by the compliance officer. Meanwhile, it’s ordinary human errors that could take down the practice. An employee leaves his tablet in a taxi, or thieves break into the office and steal two laptops that contain patient records. Or the doctor loses his laptop and keeps it under wraps since he thinks he hasn’t stored any patient records on it, so no one needs to know. However, a disgruntled employee who was terminated gets revenge by reporting the practice to the Department of Health and Human Services’ Office for Civil Rights (OCR). The OCR accuses the practice of having a breach and hiding it, and calls for an investigation.
These are all real world events that have sent medical practices into a tailspin. Doctors call a HIPAA compliance expert in a panic because they’re now caught in the web of the OCR and scrambling to prepare for an audit. Worse yet, these compliance risks were right under their noses.
The Practice Needs As Much Care As the Patients
The risk of a data breach can be as life threatening to the practice that doesn’t protect its data, as the risk of lung cancer is for the patient who chain smokes. Think of a data breach as a disease and the stolen laptop causing pain and suffering, and eventual death, which could all be prevented. Doctors should think about data breach prevention and care for their businesses with the same commitment to disease prevention and care for their patients.
When a practice fails to perform a security risk assessment or to ensure that its employees use strong passwords, not long afterward the doctor is trying to convince OCR auditors that the breach was an accident. He has to hire attorneys to get through the audit, and there is no budget left to invest in more network security or cyber insurance.
HIPAA Compliance Made Easy for Small Practices
There are some simple steps small practices can take that will take far less time than preparing for an OCR audit:
- Perform a security risk analysis — Analyze how patient information is currently protected. How often does the practice perform data backups? Is there a termination procedure when an employee leaves? Do employees have the minimum level of access to patient information? Are all portable devices encrypted? Are medical records protected in case of fire or flood, or lost or stolen laptops that contain patient information?
- Train employees — Make sure they know how to spot phishing scams and suspicious links in emails, and how to recognize fraudulent “IT experts” who call in to upgrade an operating system. They should also know to avoid conducting business on public Wi-Fi, and to minimize sharing on social networks.
- Inventory patient information — Locate where all patient information is stored. It could be in an EHR, in a Word document such as a patient letter, in an Excel spreadsheet used as a billing report, or in scanned images of your insurance carrier’s explanation of benefits (EOB). This information resides on desktops, laptops and mobile devices, and should be encrypted.
- Employee data theft — Employee theft of information is one of the leading causes of HIPAA breaches in small organizations. An employee steals patient information and opens a charge account at a local department store. The patient finds out and sues the practice for not protecting her electronic protected health information (ePHI). Employees should have minimal access to EHRs — only the information they need to perform their duties. Access logs should also be reviewed regularly.
- Breach Response Plan — Is there a response plan in place in case a breach does occur? The plan should include who will be on the response team, what actions the team will take to address the breach, and what steps they’ll take to prevent another similar breach from occurring. Make sure the plan is documented and all employees are trained on what they need to do.
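The "minimal access" and "check the logs" points above are easier to act on with a concrete routine. The following is an added example, not code from the article or from HIPAA Secure Now!: a small Python script that reads constructed EHR audit-log lines (the log format, role names, per-role daily limits and clinic hours are all assumptions made for the example, not any real EHR product's format) and flags the patterns a small practice can check weekly: a user touching far more patient records in a day than their role normally needs, exports by roles that should never export, and access outside business hours. Findings are meant to go to a human for review, not to be treated as proof of wrongdoing.

```python
"""Weekly spot-check of EHR access logs for a small practice (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log lines; not taken from any real system.
# Columns: ISO timestamp, user id, role, patient id, action
SAMPLE_LOG = """\
2024-03-04T08:02:11 jlee billing P1001 VIEW
2024-03-04T08:05:43 jlee billing P1002 VIEW
2024-03-04T08:07:02 mroe nurse   P1001 VIEW
2024-03-04T09:15:19 jlee billing P1003 VIEW
2024-03-04T10:30:44 tkim front   P1004 VIEW
2024-03-04T22:41:05 tkim front   P1005 EXPORT
2024-03-04T22:41:09 tkim front   P1006 EXPORT
2024-03-04T22:41:12 tkim front   P1007 EXPORT
2024-03-04T22:41:15 tkim front   P1008 EXPORT
2024-03-04T22:41:18 tkim front   P1009 EXPORT
"""

# Assumed per-role baselines for this example. A real practice would set
# these from its own workflow: how many distinct patients a role normally
# touches per day, and whether that role ever needs to export records.
ROLE_DAILY_LIMIT = {"billing": 50, "nurse": 30, "front": 5}
ROLE_MAY_EXPORT = {"billing": True, "nurse": False, "front": False}
BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59, assumed clinic hours


def parse_line(line):
    """Split one whitespace-separated log line into a dict of fields."""
    ts, user, role, patient, action = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "role": role,
        "patient": patient,
        "action": action,
    }


def review_access_log(text):
    """Return a sorted list of (user, reason) findings for human review."""
    findings = set()
    distinct = defaultdict(set)  # (user, date) -> patient ids seen that day
    role_of = {}                 # user -> role seen in the log

    for raw in text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        role_of[ev["user"]] = ev["role"]
        distinct[(ev["user"], ev["ts"].date())].add(ev["patient"])

        # Exports by a role that should never export are always worth a look.
        if ev["action"] == "EXPORT" and not ROLE_MAY_EXPORT.get(ev["role"], False):
            findings.add((ev["user"], "export by role not permitted to export"))

        # Off-hours access is not proof of anything, but it should be explained.
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.add((ev["user"], "access outside business hours"))

    # Volume check: more distinct records in a day than the role's baseline.
    # Unknown roles get a limit of 0 so they are always surfaced for review.
    for (user, _day), patients in distinct.items():
        limit = ROLE_DAILY_LIMIT.get(role_of[user], 0)
        if len(patients) > limit:
            findings.add((user,
                          f"{len(patients)} distinct patient records in one day "
                          f"(role limit {limit})"))

    return sorted(findings)


if __name__ == "__main__":
    for user, reason in review_access_log(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

Running it on the constructed log surfaces only the front-desk user, for three separate reasons (off-hours access, exports the role should not be able to perform, and more distinct records in a day than the role's baseline). The billing and nursing users stay within their limits and produce nothing. The value of the exercise for a small practice is less the script than the baselines: deciding what each role legitimately needs is exactly the "minimum necessary" question the list item asks, and reviewing the findings weekly is the log check it calls for.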
These few actions can make the difference between being sued by patients for a data breach and gaining their confidence that their doctor cares as much about their health as he does for their security.
Art Gross is the president and CEO of HIPAA Secure Now!, which provides security services to medical practices. He can be contacted at [email protected].