By Michael J. Sacopulos, JD
From e-mail to medical records, everything in medicine is digital today. Yes, things are faster and often more efficient now that we have so much information at our fingertips, but this innovative way of conducting business has also opened up a whole new web of liabilities, and your practice may be vulnerable.
Protected health information (PHI) leaks are becoming commonplace, and not just among big health care conglomerates. Late last year, an Illinois practice’s server was hacked, and the hacker demanded payment to hand over a newly created password. In Massachusetts, a laptop that stored thousands of patients’ protected health information was left on a city bus. In Arizona, a practice’s online patient schedule could be viewed by anyone on the internet. These are just a few of the cases handled by the Office for Civil Rights (OCR) involving PHI breaches.
The federal government passed the HITECH Act in 2009, and the privacy and security rules under HIPAA were greatly expanded by the Omnibus Final Rule published in January 2013. This expansion included approximately 570 pages of new rules that cover everything from third-party marketing to patients to requirements for some health care vendors. These federal rules are enforced by the Office for Civil Rights within the Department of Health and Human Services (HHS). They require that medical practices and facilities conduct a security risk analysis on a routine basis to identify and address vulnerabilities in how electronic PHI is stored, accessed, and transmitted.
“You would be shocked by the number of practices we find with nonexistent or weak firewalls,” says Todd Gooden, CEO of The Solutions Team, located in Jackson, Miss. He also sees physicians communicating private health information via e-mail accounts like Yahoo!. “Their e-mails need to be encrypted, but often they are not,” he says.
“The other problem we find is practices asking their general IT provider to conduct the security risk analysis,” he says. “Do you really think the people in charge of your IT security are going to tell you about the holes? Talk about a conflict of interest!”
The US Department of Health and
Don’t get complacent. Not long ago, I had a client say, “I don’t want to do some risk analysis. What’s going to happen if I don’t?”
My answer? A lot! The risks are real, and the Department of Health and Human Services is not backing down. For example, a Massachusetts provider settled a HIPAA violation case for $1.5 million. In Alaska, another case was settled for $1.7 million. At the close of 2012, HHS announced its first HIPAA breach settlement involving fewer than 500 patients. The fines are large enough to shut down a business.
Risk analysis should be ongoing and should drive the implementation or updating of security policies. These policies need to include a security risk management policy and Business Associate Agreements (required by federal law) and may also include a Social Media Policy or a Mobile Device Policy. The risk analysis should identify where PHI is stored and transmitted and test the practice’s hardware and software for safeguards such as firewalls and encryption. Finally, the risk analysis must document the ongoing training of staff regarding patient privacy rights.
The goal is to keep current. The results of each risk analysis should give the organization the means to determine whether its risk responses are effective, to identify changes to its information systems and operating environment that affect risk, and to verify compliance.
With some planning and attention, the process will not be burdensome and the practice will be well on the road to compliance.
Michael J. Sacopulos, JD, is the CEO of Medical Risk Institute (MRI) and serves as general counsel for Medical Justice Services. Additionally, he is the legal analyst for several national publications, including Plastic Surgery Practice. He may be reached via [email protected].