HIPAA compliance on a small practice budget

Small physician groups that might have assumed they were basically exempt from government data-security regulations received a rude awakening in 2012: a five-physician Phoenix-based cardiac practice was fined $100,000 for failing to comply with the privacy provisions of HIPAA.

The penalty sent a message that small practices, no less than hospitals and insurers, have an important role to play in safeguarding patient data. The government strengthened its regulation in this area when it passed its final “Omnibus” HIPAA rule in 2013.

With the Department of Health and Human Services gearing up for a major audit of HIPAA compliance this fall, it's time for small medical providers who may have overlooked the latest rules on data security to do a tune-up — or overhaul, if necessary — of their systems.

The challenge
HIPAA requires that covered entities such as small practices train their staffs in patient privacy issues, establish policies and procedures for handling patient information, plan for the fallout from data breaches and implement a bevy of security measures.

The early results from the HHS’ audit of HIPAA compliance revealed that many practices were having trouble bringing their procedures and policies in line with the law. The audit found that smaller practices in particular struggled to comply with HIPAA regulations, and that healthcare providers generally had a tougher time following the regulations than did insurers and other entities.

Solutions
Despite the lack of progress among small practices, HIPAA compliance really is not as difficult as it may seem. For one, many of the law’s requirements track the dictates of common sense. Physicians don’t need to be reminded how important it is that their staff members use discretion when discussing patients, for instance; they just need to take the time to train staff members on how to do so. HIPAA’s requirement that practices give proper notice in the event of a data-security breach is similarly intuitive.

Other requirements, however, are more technical — particularly those relating to data-security practices. In an earlier phase of the audit that will continue this fall, HHS found that nearly all of the healthcare providers surveyed – 58 of 59 – were deficient in some respect in complying with the law’s requirements for securing patient data. That, perhaps, should not come as much of a surprise. In a world where physicians can check patients’ records from just about anywhere, and where nearly all the information recorded on patients — from prescription records to X-rays — may be digitized, it stands to reason that smaller practices might have trouble keeping up with regulations.

When it comes to these more technical requirements, small medical practices would be well advised to hire a HIPAA consultant or Managed Service Provider (MSP) to help them implement the necessary protections. Many such consultants offer services that are tailored to small medical practices. And these protections are likely not as difficult to implement as practitioners may assume, because the security provisions of HIPAA were specifically designed to be flexible enough to cover a range of practice sizes and organizational structures.

Typically, a HIPAA-knowledgeable MSP will work with a small medical practice to analyze the risks that face the practice’s systems, and to implement solutions that will bring those systems into compliance with HIPAA. Many consultants also offer “check-in” services, helping practices to ensure that they remain compliant with HIPAA in the face of changing technologies and regulations.

Practitioners who aren’t motivated by the threat of enforcement to reform their security systems may be compelled to do so by a more familiar reason: maintenance of the doctor-patient relationship. Patients entrust physicians with the task of safeguarding extremely sensitive personal information; now that such information has gone online, maintaining strong data-security practices may be seen as an extension of the doctor’s traditional duty to guard it.

Cam Roberson is director of the reseller channel for Beachhead Solutions, a company that designs cloud-managed mobile device security tools.
