Does your practice have a HIPAA security plan?

December 11, 2017

Does your practice have a HIPAA security plan?

Updated February 8, 2018

According to a recent Medical Group Management Association (MGMA) member poll, only 55% of respondents believe their organization’s information technology (IT) systems are secure against attacks. Learn how to protect your practice against cyber risk.

Hardly a week goes by without the media notifying us of some new data breach exposing information of thousands or even millions of individuals.  And we have all heard about cases in which a health care facility EHR system is hacked or about stolen laptops or thumb drives. In fact, health care entities have paid over $73 million in fines in connection with such breaches. In the wake of all this, you may be wondering how you can effectively protect your patients’ information. While no security system is completely failsafe, there is a lot you can and, in fact, are required to do to minimize risk and protect your practice. In addition, having a security plan in place can help you reduce or avoid fines should you experience a breach.

Under the security provisions of the HIPAA law (not to be confused with HIPAA privacy rules), physician practices are required to implement security measures to protect electronic protected health information (ePHI). Even a single violation can result in a $50,000 fine.

While most of us are familiar with HIPAA privacy protections which are focused on sharing of PHI with third parties, we tend to be less familiar with the details of the equally important security portions of the HIPAA law. In a nutshell, the security provisions focus only on ePHI and require practices to maintain reasonable and appropriate administrative, technical and physical safeguards. If this seems vague, think secure access and control, password management, workforce training, encryption and the like.

Compliance begins with a Security Risk Analysis to identify and evaluate vulnerabilities and risks within your practice. Key elements are:

  • Identifying the Scope – Where is ePHI located in your practice?
  • Assessing the Risk – Where are your vulnerabilities?
  • Evaluating the Risk – What is the likelihood of occurrence and what is the potential impact?
  • Creating a plan to address the risk – What will you do to minimize risk?
  • Reviewing and updating plan periodically

Fortunately, there are a number of online resources to help physicians navigate these requirements. The AMA has developed a very helpful security risk analysis guidance. In addition, the Office of the National Coordinator for Health Information Technology at HHS has helpful guidance in their Health IT Playbook as well as a downloadable security risk assessment tool.

Tip: Remember that if you have insurance that covers security and privacy breaches (which you should) you need to make sure you are adhering to any protocols required by your policy. Otherwise, you may find your coverage in jeopardy in the event of a breach.