Five Common Sources of HIPAA Breaches

From e-mail to smartphones to EHRs, physicians and medical staff are using more technology in practice than ever before. But while that new technology brings great opportunities, it also raises new challenges when attempting to keep protected health information (PHI) secure.

That's according to Robert Tennant, a senior policy adviser at the Medical Group Management Association (MGMA) and a presenter at the 2014 MGMA Annual Conference in Las Vegas.

"I would say a significant number [of practices] are at risk [of a HIPAA violation]," Tennant recently told Physicians Practice. "Maybe not just because they haven't instituted appropriate policies and procedures, it's just the nature of the business. I think that technology is ever more in use in practices and with the use of technology I think the risk of a breach increases dramatically."

THE SCOPE OF THE PROBLEM

Mike Sacopulos, CEO of the Medical Risk Institute, which helps providers identify where liability risks originate and how to reduce or remove them, agrees with Tennant that the majority of practices are at risk for violations. In fact, Sacopulos, who will also be presenting at MGMA14, estimates that at least 80 percent to 85 percent of small- to medium-sized practices have some sort of deficiency when it comes to HIPAA compliance.

He pointed to findings from the first phase of the Office for Civil Rights' HIPAA Audit Program, which found that only 11 percent of more than 100 audited entities were compliant with HIPAA. Worse, this analysis included large third-party payers and hospital corporations, which likely have far more infrastructure to handle HIPAA compliance efforts than smaller practices, said Sacopulos.

"... I would say that if they found across the board with all these big entities that there was 89 percent noncompliance that we could expect it would be just as high if not higher in small to medium-sized practices," he said.

ADDRESSING THE ISSUE

While protecting PHI is more challenging, understanding common sources of breaches can help practices better identify where and how to step up their breach mitigation efforts.

Here are five of the biggest technology-related risk areas that practices need to focus on:

1. EHRs and information exchange. EHRs bring some "inherent risks" when it comes to patient privacy if proper security safeguards and protocols aren't put in place, said Tennant. Common problems he pointed to include inappropriate access of staff to information in the system, and transfer of information between clinical sites in a non-secure manner.

2. Cyber threats. Cyber attacks, combined with inadequate staff training on how to keep information secure, are another common problem, said Sacopulos. For instance, if a staff member shares a password or fails to use a password appropriately, or if a staff member clicks on a bad link, it can raise the likelihood that your practice will be hacked.  "...When people are hacked it is most frequently [due to] human error and not technology error," said Sacopulos.

3. Remote access. Many practices enable their physicians to access their EHR from home or from other remote locations. This can raise big security issues if rigorous policies and procedures are not in place, said Tennant.

4. Lost or stolen devices. HIPAA breaches due to lost or stolen devices containing unencrypted PHI (such as a stolen laptop) continue to be a major problem, said Tennant. In fact, he said, this is one of the most common sources of breaches.

5. Texting and e-mail. Texting and e-mail are so easy and convenient that many physicians and staff may not think twice before sending information that contains unencrypted PHI, said Tennant. Of texting specifically, he said, "They think it's secure because it's only going to one person but in fact it's not secure at all."

A PROACTIVE APPROACH

To ensure your practice's technology use is not putting you and your patients at risk, Tennant recommends conducting a security risk analysis annually - at a minimum. 

"I think it probably makes sense to do an overall [analysis] probably each year, though if technology changes, for example the practice has decided to go to remote access of its EHR for the clinicians, that demands sort of a separate sub-risk assessment," he said. "So before you would go ahead and install and use the technology, you would have a long discussion with your vendor to ensure that the appropriate safeguards were in place and then train the staff thoroughly to ensure that they are adhering to these policies and procedures. You wouldn't institute it and then wait until the next year to do the risk assessment."
 
During his MGMA session, Tennant will provide more specific tips on how your medical practice can undergo a security risk analysis.

"... The old issues of making sure your front door is locked, making sure that you've trained your staff, that's been around for close to a decade, but these other technologies bring new risk and I think demand new actions," said Tennant.

Sacopulos' session, "Why Breaches Happen and How to Prevent Them," will be held on Tuesday, October 28, from 10:15 a.m. to 11:15 a.m. 

Tennant's session, “Critical HIPAA Privacy and Security Issues Impacting Medical Groups," will be held on Tuesday, October 28, from 2:45 p.m. to 3:45 p.m.