Ask the Experts: HIPAA Compliance in Small Provider Facilities

What are new developments in HIPAA compliance for physician practices or small rural faciltiies?

Answer 1: In the case of rural practices, smaller facilities, and other targets of security breaches, staff members are often not up to date on HIPAA regulations and may not understand how HIPAA rules apply to their practice. Because these organizations typically lack a full-time privacy, security, or compliance officer, everyone from the executive team to front-desk clerks may be ill-informed and undertrained when it comes to privacy, security, and HIPAA.

Staff may shrug off such issues with statements such as, “I only work with paper” and “I only use a fax machine.” They are obviously unaware that HIPAA still applies in a paper world. Here are three high-risk provider settings to note.

Applied behavior analysis providers. These clinicians, who deal with autism patients, are now considered eligible providers and as such are required to comply with HIPAA rules and regulations. Many are completely unaware of this requirement as well as the privacy and security measures needed to protect this unique type of ambulatory setting.

This is a sample article from HFMA’s Legal & Regulatory Forum. Learn more and subscribe.

Small ambulatory and specialty centers. A privacy breach recently occurred at a small acute care surgical specialty hospital. The facility already had some HIPAA policies and procedures, a privacy officer, ongoing employee education, and other security safeguards in place. However, in hindsight, those safeguards were inadequate.

Practices acquired by a larger medical group. The possibility of security breach increases when a practice is acquired by a larger group because stakeholders are focused on the bigger operational issues involved with the merger, and the focus on security may wain. In these cases, the managed or owned businesses should leverage their newly affiliated medical group or hospital resources to quickly shore up compliance and strengthen privacy and security controls. Larger providers can assist in conducting a risk analysis, meeting HIPAA requirements, and auditing all business associates.

HIPAA auditors and patients whose privacy has been breached no longer accept lack of awareness as a valid excuse. Common red flags in practices and small provider organizations are related to data encryption.

Small providers often don’t realize they need encrypted e-mail. The fee is nominal for encryption when compared with the tens of thousands of dollars a practice may lose—in addition to more intangible losses, such as damage to reputation that could affect market share—due to a breach. A common misconception involves Apple products. Many Apple users assume they don’t need to worry about encryption, when in fact encryption features are available on many Apple products but must be set up properly.

If a laptop that is not encrypted is stolen, all the data stored on that machine is immediately compromised. Tablets and smartphones likewise are at risk.

Conducting a HIPAA risk analysis is the first step to uncovering critical gaps and preventing a breach.

This question was answered by: Richard M. Hart, CFO, Stanislaus Surgical Hospital, Modesto, Calif., and a member of HFMA’s Northern California Chapter, and Debi Primeau, MA, RHIA, FAHIMA, founder, Primeau Consulting Group, Torrance, Calif., and a member of HFMA’s Southern California Chapter.

Answer 2: Small practices typically don’t have the hours or expertise to do everything in house. As a result, they should be very careful in which experts they rely on and should have those experts perform at least annual reviews of changing technology use and compliance requirements.

I have seen a number of small practices outsource IT to “general business” IT companies that have no idea of the extra security, reporting and review processes that must be maintained by all healthcare practices. For example, I often see shared storage (windows servers, NAS devices or cloud storage) set up without proper at rest encryption or logging. Secure connections are standard so someone can’t intercept your data, but what about the data sitting on the server or a backup of the server, or a flash/external drive? If a server or backup drive is lost or stolen, all that data is at risk. More commonly, an unencrypted laptop drive or flash drive can represent a major threat if monthly accounts receivable reports reports are stored for dozens, hundreds, and even thousands of patients. Storing patient conversations in an unencrypted e-mail account or on a smartphone text app are all huge risks if unencrypted. Many providers, especially at small practices, are not aware of these issues.

This question was answered by: Curtis H. Bernstein, CHFP, CPA/ABV, ASA, CVA, principal, Pinnacle Healthcare Consulting , Centennial, Col., and a member of HFMA’s Colorado Chapter.

Answer 3: There are not really any new regulatory requirements coming out and there have not been for a while now. The biggest issue is the ramp-up of more auditing from the Office for Civil Rights and more random audits versus investigatory reviews.

Many smaller practices are at risk of not having basic HIPAA policy and procedures in place. Approximately, one third of practices have no compliance plan or awareness of basic compliance expectations, according to a survey in NueMD. The survey doesn’t specifically ask about having security assessments, which I suspect many clinics do not have, or they have completed minimal assessments and still are at risk.

The greatest risk is not having adequate security awareness training. The best defense is implementing a strong security risk assessment to prevent data breaches and then developing proper policies and procedures  that serve as evidence that a compliance program is in place. In my mind, I want to prevent breaches first, then have the general program evidence as a fast follower.

This question was answered by: Ken Miller, senior manager, Healthcare at Horne LLP, Jackson, Miss.

Answer 4: A recent National Institute of Standards and Technology (NIST)/OCR conference focused on ransomware and available backups so that patient data remains available. Solutions may be scalable, but the risk is the same for all providers and scarily real―hook anything up to the Internet and within hours it will be subject to phishing and other attacks.

This question was answered by: Martha Knutson, JD, CPC, a health lawyer with a private law practice in San Diego, and a member of HFMA’s Southern California Chapter.

Pose another question to our Legal & Regulatory Forum experts.

The information provided through the Forum’s Ask the Expert service does not constitute legal advice, even when the advice is provided by lawyers. You need to obtain your own legal counsel for legal advice, and consider the laws and regulations that govern your state. The content and opinions expressed are those of the Forum experts, and not that of their employers or of HFMA. HFMA does not endorse the material or warrant or guarantee its accuracy. The responses are based only on the specific facts or circumstances provided. Forum experts cannot be held liable for outcomes related to any information provided.