HIPAA: A Short Story

Nov 21, 2016 at 12:08 am by Staff


By Dennis Ciabatoni, CHSP

By now everyone in the medical and legal fields has heard the following HIPAA buzzwords: Compliance, Security, Risk Analysis, Remediation and Continuity. But before we get into that we need to understand what HIPAA is and why it’s so important to become and stay compliant.

In a nutshell, HIPAA (Health Insurance Portability and Accountability Act) was created to ensure medical and legal practices are doing their due diligence to protect patient and client health records. HIPAA was not created to give you the willies and keep you up at night. However, insomnia is a side effect if you ignore it. HIPAA is a set of ground rules you must follow to ensure that the Electronic Protected Health Information (ePHI) your practice maintains and retains for your patients/clients is protected against security breaches, which can lead to possible theft. HIPAA defines ePHI as anything that identifies a patient or nursing home resident and relates to treatment, diagnosis, or payment for health care. In this electronic world of ours, with its ever-growing digital threat, I for one am grateful for these regulations.

A common misconception among small to medium sized practice owners is that they are too small to get audited. Please, think again. If you don’t have the proper policies/procedures and IT security in place, the fines range from $100 - $25,000 per violation (per record) with an annual maximum of $1.5 million. The American Recovery and Reinvestment Act of 2009 (ARRA) established a tiered civil penalty structure for HIPAA violations, so the fines do vary depending on the severity of the violation. The civil penalties are enforced by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS). Meanwhile, criminal penalties are enforced by the U.S. Department of Justice. If you ask me, even $100 per violation is too much! All it takes is one security breach to ruin your day. In addition, aside from the hefty fines, you will have to publicly announce that your practice was the victim of a security breach. I imagine an announcement like that can’t be good for current and future business.

In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted. This Act brought a lot of changes to the table and rattled the cages of not only the medical field but also the Business Associates. I look at the HITECH Act as a positive enhancement to the digitally growing world. Since HITECH, Business Associates are held to the same standard as the medical practices. The HITECH Act also provides funding for Meaningful Use incentives. An example of Meaningful Use is an incentive to implement an EHR system to move toward electronic PHI. The Act also made changes regarding encryption and encrypted devices: if a device was lost or stolen but was encrypted, then you do not have to report that device as an incident. Of course, you need to be able to provide proof that the device was encrypted.

In most cases, achieving compliance status is not difficult or even time consuming. All you need is peace, love and… remediation. I would start by having a qualified and certified 3rd party IT vendor perform a HIPAA Risk Analysis on your network. This will identify the potential security risks and highlight remediation tasks. Please note that whether this report has a passing or failing grade, it must be retained for your records. This satisfies a check box in the actual audit showing that you are keeping up with your yearly audit requirements. The obvious next step would be to fix, or remediate, these issues. Some common ways to lose points are screens viewable by the public, an EMR left open and accessible to the public, using a free email/calendar service, sharing files through free file sharing services (Dropbox, Google Drive), and ePHI that’s accessible through public unsecured WiFi, just to name a few. You must also have a Business Associates Agreement (BAA) signed with everyone you do business with who may have access to ePHI. This includes your outsourced IT company, shredding company and copier company.

Just because the issues are fixed doesn’t mean you’re in the clear. At this point, you may have won the battle, but the war is still raging on. Maintaining compliance and process is the real struggle. It’s very easy to allow the newly implemented processes to slip. Face it, you’re not in the IT field, just like I’m not in the medical field. This is why a Security Officer needs to be named and held accountable for maintaining those processes. This person is usually the Practice Administrator. After the Security Officer has been appointed, it is important to consult a reputable Managed IT Company to enforce and maintain compliance continuity. This IT company should perform a yearly internal HIPAA Risk Analysis and remediate the findings accordingly. Educating end users is also key to staying compliant and decreases the chance of a security breach. End users should not click on an email from someone they don’t know or aren’t expecting anything from, should log out of the EMR and lock their screens when they walk away, and should encrypt email when sending sensitive data, just to name a few.

This was a brief summary of HIPAA and what you should do to become compliant. HIPAA compliance doesn’t have to be complicated or stressful.

Dennis Ciabatoni, CHSP, is with TaylorWorks serving Central Florida.
