Could HIPAA Ignorance Cost You Your Medical Practice?
HIPAA (Health Insurance Portability and Accountability Act) was enacted in 1996, more than 20 years ago, but with all the news and attention it has gotten recently you would think it is a brand-new act.
In short, HIPAA is designed to protect patient confidentiality and privacy. The primary goal is to prevent patient information from being used or disclosed without the patient's authorization, except in the limited cases (treatment, payment, operations) that the Privacy Rule allows.
Seems simple enough, right?
WRONG. There are numerous ways for PHI (Protected Health Information) to accidentally or intentionally fall into the wrong hands.
What's worse is that even an accidental HIPAA violation can cost you tens of thousands of dollars in civil penalties, loss of license or loss of your practice. Knowing misuse of patient information is a criminal matter and can even cost you jail time.
Not only is the medical practice responsible for ensuring HIPAA best practices are followed, but any vendors/business associates the medical office works with (IT, accountant, etc.) are also required to follow them and are directly liable under HITECH.
It makes sense. Would you want your medical records to be seen by other people? Would you be OK if a bookkeeper was able to see your medical records?
The truth is that medical and dental offices have a lot of room for improvement when it comes to HIPAA and HITECH.
I have personally visited doctors, dentists and other practices that have glaring opportunities. Here are a few things that I have witnessed:
- Laptop or Tablet left unlocked in the same room as a patient while the doctor or nurse steps out.
- Printed forms with diagnosis and/or prescriptions left in high traffic, high visibility areas.
- Medical office calendar left viewable, showing patient names and appointment times.
- Lackadaisical office administration allowing potential access to patient information.
- Conversations (overheard by others) at the reception area between a patient and the office staff that included name, address, and insurance info, as well as why they were visiting the doctor.
- Sign in sheets with names and reason for visit left at the reception window.
- Open wireless networks with doctors' laptops/tablets connected to them (in one of the world's most well-known hospitals).
These are just a few examples that I can recall, all within the last year.
Less scrupulous people may have taken advantage of these very real scenarios.
Not to Worry. There Are Solutions.
9 Steps to Decrease Your Medical Office Risk Exposure.
- Education – tell me if you’ve heard this one before, on this website! It’s worth repeating. Education is probably the biggest component of any successful plan, especially one that involves critical/sensitive information. It’s very important to educate your employees and business associates on HIPAA, HITECH, and PHI.
- Disable USB Drives – Not allowing USB storage protects you in several ways. First, it is easy to connect a smartphone or tablet to a computer through USB and copy data to that device. Second, plugging in a USB device that presents itself as a keyboard and types commands, or a drive carrying file-copying tools, only takes a few seconds. Another trick used by would-be hackers is to leave a USB drive loaded with malicious software somewhere an employee might pick it up and connect it to their computer. Current Windows versions no longer autorun programs from removable media, but the attack still works if the employee opens a file on the drive or the device emulates a keyboard, which is why the policy and the education step go together.
- Lock All Computers When Not in Use – This one is a little easier to accomplish but is so often overlooked. Set a policy that users lock their computers whenever they step away, and configure the computers to lock automatically after a short period of inactivity. Some employees and business associates might find this annoying, but it is certainly better than the alternatives. Imagine this scenario: An employee leaves their desk for lunch but fails to lock their computer. Your medical practice has not set up any policies with employees or on the computer. Another employee wants information about a patient and sees an opportunity. They use the first employee's computer to get the information they want. Now the audit trail shows the first employee as the one who accessed this information. You now have a HIPAA violation that can be fined up to $50,000 per violation, and the employee who went looking faces possible jail time.
- Protective Screens – Privacy filters fit over your monitors and narrow the viewing angle, so anyone looking from the side or from behind sees a dark screen. These make it almost impossible for someone to shoulder surf.
- Quiet Area for Sensitive Conversations – I am always amused when I see the separate window for private conversations at the pharmacy. They’re always right next to all the other windows and the waiting area…not very private. The reception area at many doctor’s offices is similar. They are in the waiting area where anyone listening can eavesdrop and pick up sensitive information about a patient.
- Avoid Paper Whenever Possible – We live in a digital world. There's almost no reason to hand out sensitive patient information on paper. Records can be transmitted electronically if needed. Prescriptions can be transmitted electronically. There are even apps that allow patients to get their medical information. Electronic transmission still has to be secured (encrypted email or a patient portal rather than plain email), but it is far easier to control than a printout left on a counter. Why are medical offices still printing this information?
- Managed IT and Managed Anti-Virus – If an IT provider (MSP) is monitoring your servers, workstations and other technology, it's easier to identify unauthorized activity. Remote management and monitoring mean access is controlled and logged, patching and software updates are performed as needed, content can be blocked, uploading can be prevented, installation of software can be controlled, etc. If the same IT support team is also managing your medical practice's anti-virus software and processes, as well as proactively protecting against phishing and spam, your risk decreases significantly.
- Regular HIPAA/HITECH Compliance Checks – If this isn't already happening, then it needs to start immediately. There's simply no way to know what risks are present unless you're checking. The Security Rule expects a risk analysis and periodic evaluation, so perform a HIPAA/HITECH compliance check at least once per year and whenever your systems change significantly.
- Security Audit – Along with the HIPAA compliance check, you should do a security check of the physical building as well as the technology/network. Check for vulnerabilities and address them before they can be exploited.
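The "Disable USB Drives" and "Lock All Computers" steps above are the two that can be enforced on the workstation itself rather than left to habit. The script below is an added example, not part of the original post and not the author's code. It assumes a Windows 10/11 workstation, PowerShell 5.1 or later, and an elevated (Administrator) prompt; the five-minute lock timeout is an assumption to adjust to your own policy. It sets the registry values behind three well-known policies: "All Removable Storage classes: Deny all access", the USBSTOR driver disable (Start=4), and "Interactive logon: Machine inactivity limit". Run it without arguments to audit, and with -Apply to enforce.

```powershell
# Added example (not from the original post): audit, and optionally enforce, the
# "no USB storage" and "auto-lock after inactivity" settings on one Windows PC.
# Assumptions: Windows 10/11, PowerShell 5.1+, run from an elevated prompt.
param(
    [switch]$Apply,                 # without -Apply the script only reports
    [int]$LockAfterSeconds = 300    # 5 minutes; assumed value, tune to office policy
)

# Compare one registry value with what policy expects.
function Test-RegistryValue {
    param([string]$Path, [string]$Name, $Expected)
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    return [pscustomobject]@{
        Setting  = "$Path\$Name"
        Expected = $Expected
        Actual   = $actual
        OK       = ($null -ne $actual -and "$actual" -eq "$Expected")
    }
}

# 1. Group Policy "All Removable Storage classes: Deny all access" (covers USB disks
#    and phones/tablets mounted as portable devices).
$removable = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# 2. Belt and braces: keep the USB mass-storage driver from loading at all (Start=4 = disabled).
$usbstor   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
# 3. Security option "Interactive logon: Machine inactivity limit" (seconds until the session locks).
$system    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$checks = @(
    @{ Path = $removable; Name = 'Deny_All';              Value = 1;                 Type = 'DWord' },
    @{ Path = $usbstor;   Name = 'Start';                 Value = 4;                 Type = 'DWord' },
    @{ Path = $system;    Name = 'InactivityTimeoutSecs'; Value = $LockAfterSeconds; Type = 'DWord' }
)

$results = foreach ($c in $checks) {
    $r = Test-RegistryValue -Path $c.Path -Name $c.Name -Expected $c.Value
    if (-not $r.OK -and $Apply) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Value -PropertyType $c.Type -Force | Out-Null
        # Re-read so the report shows what is actually on disk, not what we intended.
        $r = Test-RegistryValue -Path $c.Path -Name $c.Name -Expected $c.Value
    }
    $r
}

$results | Format-Table -AutoSize

# Non-zero exit lets an MSP's monitoring agent alert when a machine drifts out of policy.
if ($results | Where-Object { -not $_.OK }) { exit 1 } else { exit 0 }
```

Two caveats a practitioner would want: on a domain-joined office network these values should be pushed through Group Policy rather than written locally, or the next policy refresh may undo them; and blocking mass storage does nothing against a USB device that registers as a keyboard, so the education step still matters.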
Your reputation as a medical provider (or business associate) can be destroyed in the blink of an eye. The financial and legal repercussions can damage your business and personal life beyond repair. It’s enough to make some medical personnel and business associates think twice about getting into the medical industry.
It's also enough to scare off any business associate who does not take their business seriously. Make sure any vendor or business associate you work with understands HIPAA and HITECH and does not take it lightly.