Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.
TAP - technical, administrative, and physical controls should form the foundation of HIPAA compliance.
Recently, I read an article in the American Bar Association Journal, entitled "Net Risk - Cyber Liability Insurance Is an Increasingly Popular, Almost Necessary Choice for Law Firms." Like law firms, medical practices have data security requirements. Hence, HIPAA and the HITECH Act. Yet, I am still amazed at how many physicians have "ostrich syndrome" and look the other way when it comes to cybersecurity and HIPAA compliance.
In my various experiences in dealing with physicians, whether it was in the operating room or dealing with contract negotiations, most physicians simply want to practice medicine. It is what they went to school for and what most have a passion for. Dealing with the ever-changing regulations and billing procedures is daunting. Even though cybersecurity compliance in relation to HIPAA and the HITECH Act has been in effect for a while, many physicians (and business associates) still don't know where to start.
In order to assist with this process, I suggest that physicians focus on TAP - the technical, administrative, and physical requirements referenced in the CFR and Final Omnibus Rule (Jan. 25, 2013). Here are some key items from each of the areas:
• Technical. Establish access control policies and procedures and assign unique user names and passwords.
• Administrative. Establish audit logs, access reports, and security incident-tracking reports; assign security responsibility; make certain that everyone undergoes security awareness and HIPAA training; and to ensure that the office staff and contractors are above board, run a background check.
• Physical. Establish workstation security parameters; implement procedures for the removal, sanitization, and re-use of electronic media; and keep a record of completed maintenance, including having locks changed and cameras installed.
The most crucial items to address first are the policies and procedures, followed by encryption (both data at rest and in-transit, at the FIPS 140-2 Standard's 256bit requirement). By encrypting the data, the physician may mitigate liability by falling under the safe harbor. Cybersecurity policies are also a prudent choice for physicians, especially since many practices also accept credit cards. "[T]he loss of such data can have many negative repercussions, including lawsuits, regulatory investigations, fines and penalties, and the loss of a good reputation as a trusted fiduciary" and applies equally to medicine as it does to law. Taking cybersecurity seriously is imperative.
1. Start with TAP and assess compliance with each of the areas defined in the regulations.
2. Speak with a knowledgeable insurance broker about the different types of insurance policies.
3. When evaluating insurance policies look for what is excluded, as well as what is included.