Six Potential HIPAA Threats for PHOs and Super Groups

June 27, 2015

For PHOs and super groups, one practice's misstep to put everyone at risk. Here are six potential threats to avoid and the best way to stay safe.

Physician Hospital Organizations (PHOs) and super groups are on the rise. About 40 percent of physicians either work for a hospital or a practice group owned by a hospital, or they ban together to form a super group. Individual practices share operations, billing, and other administrative functions, gain leverage with insurance companies, add specialist resources and increase referrals, improve patient outcomes with a cohesive care plan, and more. The benefits are plentiful.

But just like a negative restaurant review on Yelp can hurt customer patronage and the restaurant's reputation, one practice that commits a HIPAA violation can affect the entire group, and result in an expensive fine, cause distrust among patients, and in extreme cases, the data breach can lead to medical identity theft.

For PHOs and super groups, adherence to HIPAA rules becomes more complicated when compliance isn't consistent among the group's practices, and a compliance officer isn't on board to manage risks and respond to violations.

At a minimum, the group should identify the potential sources for exposure of electronic protected health information (ePHI) and take measures to avert them. For example:

Super groups include smaller practices that struggle with HIPAA compliance and associated time and costs. Although PHOs or super groups may be abundant in physicians, employees, and offices, these assets could come from a majority of smaller organizations. Historically smaller practices struggle with resources to comply with HIPAA and hiring expensive compliance consultants could be prohibitive at the individual practice level.

Each practice uses a different EHR, or the EHR is centralized but the ePHI is stored on different devices. It becomes difficult to assess HIPAA compliance as well as how patient data is being protected when there are various EHRs implemented across multiple practices. Some EHRs may be cloud based while other systems reside in an individual practice's office. Getting an accurate inventory of where ePHI is stored or accessed can be challenging.

Hospitals can't conduct thorough security risk assessments for each practice in the group. A PHO could have 20 or more individual practices and the time required to perform individual security risk assessments could be daunting. These risk assessments are labor intensive and could strain the resources of hospital compliance staff.

Meaningful use drives HIPAA compliance and grants from HHS could be significant, especially with a large number of providers. Along with these funds comes responsibility to comply with meaningful use objectives. One of the most frequent causes of failing a meaningful use audit is ignoring a HIPAA security risk assessment. If one practice fails an audit, it could open the door to other practices in the group being audited, which could result in a domino effect and a significant portion of EHR incentive funds having to be returned.

For physician groups that share patient information the security is only as strong as the weakest link - one practice or even one employee. A breach at one practice could expose patient information for many or all other practices. Security is then defined by the weakest link or the practice that has the weakest security implemented.

Untrained employees in the front office unwittingly violate HIPAA and a patient's right to privacy. An employee could fall for a phishing scam that gives criminals access to a practice's network, and compromises the security of many or all practices within the PHO or super group.

The best way to avoid a HIPAA violation and a patient data breach is to create a group policy that requires each practice to:

• Perform regular HIPAA security risk assessments;

 •Inventory location of patient information;

• Assess common threats;

• Identify additional security needs;

• Set up policies and procedures;

• Stay up to date on patient privacy rules and requisite patient forms; and

• Properly train employees in protecting both the privacy and security of ePHI.

Make sure every practice in the group treats HIPAA compliance with the same care as a patient's medical condition.

Art Grossis CEO of HIPAA Secure Now!, a former subsidiary of Entegration, Inc., a provider of IT management services. Prior to starting HIPAA Secure Now!, Gross held IT management positions at pharmaceutical giant Merck, where he focused on business system development and technology architecture in the corporate division. He can be contacted atartg@hipaasecurenow.com.