No matter how large or small your medical practice, you have to comply with government regulations. HIPAA, the Health Insurance Portability and Accountability Act, was passed by Congress almost two decades ago and was designed to protect patient privacy. It has evolved over time, and today’s electronic medical records (EMRs) not only need to be secure, they also have to be made readily accessible to patients who want to review their medical history. The combination of electronic record-keeping and evolving security regulations creates a new challenge for physicians, clinics, and hospitals to stay current and stay compliant.
The U.S. Department of Health and Human Services (HHS) estimates that the cost of HIPAA compliance is somewhere around $1,040 per organization, although industry experts consider that figure grossly underestimated. Depending on the size and nature of your medical practice, the cost of HIPAA compliance could run into hundreds of thousands of dollars, but the cost of non-compliance is even higher.
Fines for failure to conform to the HIPAA Security Rule can run to $1.5 million or higher. Fines are multiplied by the nature of the violation and the number of years the violation has persisted, and cybersecurity breaches across the healthcare landscape are happening more and more often. Tenet Healthcare determined that its privacy data breach cost $32.5 million, and Anthem suffered a data breach estimated to have cost $100 million or more.
The price of HIPAA-driven prevention is cheap compared to a privacy violation, and compliance has to start by focusing on securing your protected health information (PHI).
Protecting Physical Records
HIPAA regulations lay out a number of required safeguards for the physical security of EMRs:
Administrative Safeguards
These are policies and procedures to protect patient information, including:
- Identifying relevant information systems that need to be managed
- Conducting a risk assessment
- Implementing a risk management program
- Implementing appropriate IT security systems and services
- Deploying the appropriate security policies and procedures
- Implementing a sanctions policy
Physical Safeguards
These safeguards are designed to control physical access to patient records, including:
- Access to the actual facility so only authorized personnel can view patient records.
- Workstation use, so physical workstations have access controls in place, such as two-factor authentication.
- Workstation security, including restricted access to computing hardware.
- Device and media controls, which govern the removal of physical hardware or electronic media that contain PHI.
Technical Safeguards
The technical safeguards are designed to limit access to electronic data, and include:
- Access Control – Limiting access to PHI to authorized users with strategies such as unique identifiers, data encryption, automated logoff, and other security measures.
- Audit Controls – Maintaining a record of PHI access and activity.
- Data Integrity – Implementing protective technology to prevent EMRs from being altered or destroyed, including data authentication.
- User Authentication – Ensuring that the party accessing the data is who they claim to be, i.e. proof of identity using biometrics or some other technology.
- Transmission Security – Protecting data in transit, such as records shared electronically with hospitals or other practitioners.
Protecting Shared Patient Data
HIPAA compliance extends beyond the healthcare provider’s network. HIPAA privacy rules state that individually identifiable health records need to be kept private, but every healthcare practice has to work with outside service providers such as medical labs, other medical practitioners, pharmacists, and insurance underwriters. As part of HIPAA privacy laws, you also have to extend protection to data shared with business associates (BAs).
Of course, you can’t control how third parties protect their own data, but you can ensure that the data you share is secure. You need to be sure that your policies, procedures, and technology are in place to protect all shared patient records flowing through your IT.
First, make sure the appropriate legal safeguards are in place. Confidentiality agreements and contracts that ensure patient privacy should be executed and tracked in a central enterprise resource planning (ERP) system. The terms of the contract are kept in the ERP system, and if the contract expires or falls out of compliance, the system alerts you that there is a risk. This also means that there have to be proper authentication protocols in place that are not only secure enough for compliance, but also provide protection from a data breach. Stolen passwords and credentials are the easiest way into any system, so adding login protocols such as two-factor authentication, and even data encryption, can keep shared patient data safe.
For any small practice, ensuring PHI security for HIPAA compliance can be a daunting task. However, with the right technology partners to design and manage a secure PHI infrastructure, you can rest assured that your medical practice is in compliance and ready in the event of an HHS audit.
Where else do you see HIPAA pushing small healthcare practices to focus on securing their PHI?