Corpus Christi Medical Associates (CCMA), a family practice in Corpus Christi, Texas, has always found it difficult to comply with HIPAA's privacy and security regulations.
"We struggle to have enough resources to dedicate to the ever-changing environment," said J. Stefan Walker, MD, a family medicine physician at CCMA. "There is always something new and regulations are constantly evolving. It's a moving target, and cyber-liability is probably the greatest risk," added Walker.
Despite this sentiment, Walker was determined not to be one of the practices listed on the "Wall of Shame" webpage maintained by the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services. Practices are listed there if they report a data breach that affects 500 or more patients.
Walker said that CCMA has been the target of a few breach attempts already. "For a small practice like ours, dealing with the fallout from a breach could literally bankrupt us. We are looking at how to minimize the risk," he says.
That desire led Walker to participate in a pilot phase of a new cybersecurity tool designed to help small practices identify and address weaknesses. Called HITRUST CSFBASICs, the program goes into greater detail than the security assessment required in the EHR Meaningful Use program, according to Walker. HITRUST sought to create a program that small practices could take advantage of. "I think the emerging product will do just that," he said.
HITRUST, the Health Information Trust Alliance, is a privately held organization that has established a Common Security Framework (CSF) for use by organizations that store or exchange health data.
CCMA is not alone when it comes to finding HIPAA compliance challenging. Many small practices struggle with both privacy and security policies, and practices may be in violation of the law without even realizing it. Physicians Practice asked several consultants who work with provider organizations to describe some common weaknesses they encounter and what practices should be doing to address them.
Encryption and Other Challenges
Jason Karn, chief compliance officer with Raleigh, N.C.-based Total HIPAA Compliance, a provider of HIPAA compliance and training tools, said one of the biggest challenges is that the language of the HIPAA law can be vague. For instance, people argue about whether HIPAA requires encryption or not. The law says you have to do a risk assessment to determine whether encryption is the right thing to do, according to Karn.
"We do risk assessments for companies all the time, and we have yet to find a good reason not to encrypt data," he says. If a laptop is lost and the data on it is encrypted, the provider organization would not have to report the loss as a breach, as long as the key or password for the device is not lost with it: without the key, an attacker cannot read that information. "Encrypting can save you a lot of heartache if anything happens, and possibly save your practice," Karn says.
Another potential violation Karn's firm finds involves doctors and nurses texting about patient information using applications such as iMessage, which is not HIPAA-compliant. Unencrypted e-mail is problematic for the same reason.