The Health Insurance Portability and Accountability Act (HIPAA) requires hospitals, physician practices, and other healthcare entities to safeguard the privacy of protected health information (PHI). The Office for Civil Rights (OCR) in the Department of Health and Human Services audits HIPAA compliance and is expected to begin a permanent random HIPAA audit program in late 2014 or 2015.
Recently, the OCR conducted an analysis of data breach reports filed during 2011–2012 to determine the most common errors that cause hospitals and physicians to lose data and become subject to HIPAA violations, sanctions, and costly penalties (Fig. 1). OCR identified the following six areas that require attention to avoid data breaches.
Risk analysis and management
Does your practice have risk analysis and risk management plans? Does it identify and address potential risks for electronic and printed PHI? Do you know what data are sent out of your practice and on what networks? Where are they sent? Do you have a business associate’s agreement with each entity that receives PHI?
If you don’t know the answers to these questions, your practice may be at risk. Conduct a risk analysis and develop a risk management plan. Your plan should identify policies and procedures related to computer hard drives, digital copiers, portable hard drives, USB devices, laptops, mobile phones, and tablets, as well as any PHI transmitted across any networks. As part of developing the plan, ask a staff member to document all of the PHI sent out of the practice on a typical business day.
Practice managers need to ensure data are not at risk when changes are made, and conducting a security evaluation is essential to identifying possible problems. Managing PHI is vitally important if you are making any operational changes in the practice, such as moving to a new location, installing new equipment, or changing or updating software.
Physicians use cell phones every day for communication purposes. But do your practice physicians realize that transmitting identifiable patient images or data via a cell phone, without the safeguards required for PHI, is a HIPAA violation?
Security, control of portable devices
The most likely cause of a data breach is a lost portable computer or USB memory stick containing unencrypted PHI. Every orthopaedic office should have policies and procedures governing portable devices, particularly for data stored on a portable computer or memory stick that leaves the office site; encrypting the data stored on such devices is the primary safeguard, because a lost device is only a breach if its contents can be read. In addition, data in transit should be protected by documented safeguards.
Portable computers need two layers of authentication (for example, a password plus a second factor) to help prevent unauthorized access to data stored on a lost unit. Another question that must be addressed is what happens to PHI that is no longer needed on a portable computer when the end user returns the device: it should be removed, and the removal documented.
Proper disposal of data
Data disposal procedures should be documented for wiping hard drives clean and testing devices for latent data. When hardware is replaced, the old hard drive must be purged or wiped thoroughly before it is recycled, discarded, or transferred to a third party.
Take a moment to count the number of workstations in your practice. How many are left “on” all day long? Physical safeguards must be established to limit access to facilities and workstations with PHI. For example, computers can be programmed to shut down automatically after a specified time of not being in use.
Walk through your office. Can you see the screen on any workstation? If you can see the screen, so can a patient. If patient information is visible, a data breach may occur. A screen saver program alone is not sufficient to protect against HIPAA-related vulnerabilities; the screen must also lock and require authentication to resume.
Finally, be sure to train new employees as soon as possible on your privacy and security policies and procedures—as well as on the appropriate uses and disclosures of PHI and the safeguards to protect the information from improper uses and disclosures. Every physician and employee must be aware of the potential sanctions, costs, and other consequences for failure to follow the practice’s policies and procedures. Your human resources manual should clearly specify the actions that will be taken if a physician or staff member violates HIPAA privacy rules. It is everyone’s responsibility to be vigilant in protecting health information and protecting the practice.
What’s the risk?
Of data breach reports affecting 500 or more individuals filed in 2012, more than two-thirds were from healthcare providers. Although these data breaches might make headlines, they account for less than 1 percent of all reports. More than 20,000 reports were filed on smaller breaches (affecting fewer than 500 individuals).
According to the Department of Health and Human Services, private medical practices are the most common covered entities required to take action due to a data breach. Penalties for data breaches can range up to $1.5 million per incident.
Managing HIPAA requirements remains a critically important activity for orthopaedic practices. Orthopaedic practices need to conduct annual HIPAA compliance audits and staff training to ensure safeguards for protected health information. In some cases, seeking the assistance of a HIPAA security consultant may significantly shorten the time required to become compliant.
Howard Mevis is director of the AAOS department of electronic media, evaluation programs, course operations, and practice management. He can be reached at firstname.lastname@example.org