Most Practices Face Increased HIPAA Risks due to Security Lags

Penalties for HIPAA violations are rising, as is the government's emphasis on ensuring practices are securing protected health information. But findings from Physicians Practice's 2014 Technology Survey, Sponsored by Kareo, suggest that many medical practices aren't heeding the warnings - or the requirements - as they should.

Here's a look at some of the most troubling findings, and some guidance regarding what many practices need to do to step up security and compliance:

Only 31 percent of more than 1,400 survey respondents said that they have implemented rules for bringing mobile devices to work.

Since many security breaches occur due to theft or misplacement of mobile devices that contain unencrypted protected health information, personal mobile devices used for professional purposes represent huge risks to medical practices. Yet it appears that most medical practices (nearly 70 percent) are not doing all they can to regulate mobile device use.

In addition to ensuring that all mobile devices used for work-related purposes are password protected and encrypted, ask your staff to sign a mobile device agreement. This agreement will reinforce the importance of mobile security, and it will serve as a reminder of important security protocols.    

Only 61 percent of the respondents said they are backing up data securely on a second server/other method.

The HIPAA security rule requires practices to establish procedures to create and maintain retrievable exact copies of ePHI. The survey results suggest that nearly 40 percent of practices are failing to comply.

While finding ways to back up data securely might sound like a daunting project, it does not necessarily require a lot of time and effort. Chris Apgar, CEO and president of Portland, Ore.-based Apgar and Associates, LLC, a healthcare consulting firm specializing in privacy and security, told Physicians Practice earlier this year that one smart option to consider is moving to the cloud.

"Cloud technology is such that there are some good vendors out there that can be used for back up," he said. "You can even set it up to do an automated backup for you so it's continuously doing a backup."

Only 31 percent of practices said that they have conducted a risk analysis.

Practices are required to conduct a security risk analysis under the HIPAA Security Rule. In addition, any practice hoping to successfully attest to the government’s requirements for meaningful use of EHRs must conduct a security risk analysis.

Essentially, a risk analysis requires practices to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of their electronic protected health information (ePHI). Click here for guidance on how to get started.

Full results from the 2014 Technology Survey, Sponsored by Kareo, will be published in the July/August 2014 issue of Physicians Practice and online July 9.