Jim Hook, director of consulting services at the Fox Group, LLC, said the single largest problem he sees with risk assessments is with clients’ electronic records systems. When an office applies for meaningful use funds, it attests that its systems are HIPAA compliant because the vendor has said they are. The problem is that only covered entities can determine whether the system is HIPAA compliant – not a vendor.
“When it comes to EHR, providers hear from the vendor it’s HIPAA compliant and check it off the list,” he said. “But if they haven’t done a risk assessment, they are making a false claim to the government.”
Physicians need to think about issues such as how they will maintain passwords, how to back up the system, and if the system is internet based, what information should remain on computers, Hook said.
The most common error that results in breaches occurs when people transfer files containing personal health information onto a laptop, which is later stolen, Hook said. This could be avoided by doing a risk assessment and enacting a rule that laptops cannot be taken out of the building. Another option is encrypting files or using passwords for these files.
If an organization is found to have a breach while it was willfully neglecting compliance (that is, it had not completed assessments), the penalties can be stiff. Hook said they can be as low as $100 for a first violation and much greater for successive violations.
Just last year, the Massachusetts Eye and Ear Infirmary, a hospital with only 41 inpatient beds, was fined $1.5 million after reporting the theft of a laptop that was not encrypted.
“The feds have demonstrated they will fine,” Hook said. “And it can be more than a slap on the wrist. It’s more like a two-by-four upside of their head.”
Offices should also try to keep up to date on changes in the regulations. Two recent changes are an update to the privacy rule and a clarification of how that rule applies to business associates.
The privacy regulation now allows people to receive services without disclosing the care to their insurance company if the patient pays in full for services. This could get tricky when someone is sent outside of the office for lab work or other services that they do not want disclosed, Hook said.
The second update clarifies that business associates such as EHR vendors are responsible for protecting the security and privacy of the information they receive from a provider. Providers have to update their contracts to reflect this by September, Hook said.
Many physicians just “close their eyes and hope nothing happens,” but that can be problematic. It is best to prepare in advance and not end up on the “Wall of Shame,” an online listing of organizations that have reported information breaches. To date, the site lists more than 500 breaches.