Guest post by Gene Fry, vice president of technology and compliance officer, Scrypt, Inc.
According to the 2016 Survey of America’s Physicians, around 70 percent of the nearly 800,000 physicians in active patient care in the U.S. work independently or in practices consisting of 30 physicians or fewer. For these small and medium-sized practices, maintaining a robust HIPAA (Health Insurance Portability and Accountability Act of 1996) compliance strategy is extremely difficult. In fact, one report suggests a third of small practices do not have a HIPAA compliance plan in place at all, which is a worrying statistic given the potential repercussions of a HIPAA breach.
Only last year, HHS’ Office for Civil Rights (OCR), the agency responsible for enforcing the HIPAA Privacy and Security rules, announced an initiative to more widely investigate smaller HIPAA breaches. While this may not have been directly aimed at small practices – small breaches can just as easily occur at large organizations – it provided a stark reminder to all covered entities that no organization is exempt from the rules, and noncompliance is noncompliance, regardless of magnitude or intent.
To highlight this, back in 2012, Phoenix Cardiac Surgery, a four-physician practice based in Arizona, was fined $100,000 and required to take corrective actions after it was revealed the company had been using a publicly accessible calendar service to transmit ePHI to employees’ private email accounts. This violation would have been avoidable had the offender known that the use of such technologies by a medical practice is prohibited under HIPAA.
Small and medium practices, big responsibilities
Keeping on top of HIPAA compliance, alongside the many other regulatory constraints that come with managing a busy medical practice, is a challenge for any organization. Small and medium practices, however, typically have fewer resources and less budget to manage and mitigate risks effectively in-house, so for them the challenge is greater than for most.
Managing a full-time HIPAA compliance program, for example, is simply not feasible for most small organizations, as they are unlikely to have staff members with the skills needed to lead a team in promoting HIPAA best practices, undertaking risk assessments, and so on. As such, all responsibility lands with the medical staff, who must assume dual roles as both clinicians and compliance experts. While it could be argued that every medical professional should be well versed in HIPAA compliance anyway, the reality is that not all are, and this presents major security and privacy risks.
The good news is that there are some relatively easy steps small- and medium-sized practices can take to significantly reduce the risk of a HIPAA breach, and they don’t require any major financial investment. While the following points are not a definitive list of HIPAA requirements, they should provide a good starting point.
Start with the basics and build up
HIPAA is complex and often overwhelming, but there’s no point worrying about the small details if the fundamentals are not in place. Organizations must ensure that all staff are familiar with the following key areas of HIPAA:
- Why HIPAA exists and who it covers
- Key requirements under the HIPAA Privacy Rule, the Security Rule and the Breach Notification Rule
- Protected Health Information (PHI/ePHI) and the key personal identifiers
- HIPAA enforcement and the consequences of noncompliance
- Their responsibilities as individuals within the organization