It is crucial and mandated by federal law for healthcare
organizations to ensure the privacy and security of PHI. Many acts of neglect,
willful or not, can be considered violations of HIPAA. In a video titled Privacy
and Security: The New HIPAA Rule, we
are given three examples of violations: a hospital in Michigan accidentally
posting over a thousand patients’ PHI online, a health insurer losing the
financial and personal information of over 450,000 customers, and several
pharmacy chains improperly disposing of medical records in dumpsters instead of
by using appropriate disposal methods such as shredding. These examples are
extreme and include cases that affected a great number of people; however,
violations that only affect a few individuals are also cause for concern
because they shed light on a problem in the organization’s privacy and security
policies and procedures. The fines for security breaches are hefty, ranging
from $100 to $50,000 depending on the scope of the violation, as well as
whether or not the violation was made unwittingly or as an act of uncorrected,
willful neglect with full knowledge of the law. These fines correspond to 4
tiers of violations increasing in culpability, as set by the HIPAA Omnibus Rule
(Sterling, 2015). Measures can be implemented to avoid such HIPAA violations
and security breaches, and it is crucial for management to routinely conduct
thorough analyses of their organization to identify potentially risky areas or
behaviors. Whereas an internal security audit is better than no audit, it is
also important to undergo a professional Security Risk Analysis (SRA) which may
identify new factors that may not have previously been considered.
Additionally, an annual SRA is now required in order to attest for Meaningful
Use.
In
the event of a security breach that involves more than 500 people, several
steps are required by the Breach Notification Rule. First, the organization
must provide individual notice to all persons affected by the breach. Ideally,
this should be done in the form of a letter sent by first-class mail, but can
also be done by email if the individual affected had previously agreed to
receiving such notifications by email. If more than 10 people affected are
unreachable due to inaccurate contact information, the organization must post a
public notice about the breach for at least 90 days on their website, in
broadcast print, or by use of media. Second, the media must be notified of the
breach, most commonly done by holding a press release in the affected area.
Finally, the organization must also notify the Secretary by going to the HHS
website and filling out a breach report form (HHS, 2016).
In
the event of a security breach that involves less than 500 people, individual
notice to all affected persons is required, but the media does not necessarily
need to be notified. Additionally, in a breach involving less than 500
individuals, the Secretary does not need to be notified immediately—such
breaches can be reported to the Secretary on an annual basis (HHS, 2016).
However, regardless of scope, security breaches can take a huge toll on the
organization in several ways—it will cost the organization a significant amount
of money both in fines and in reparation efforts, will take up time and
resources in order to appropriately notify all affected individuals and the HHS
Secretary, and will also tarnish the organization’s reputation. It is therefore
crucial for management to be well-versed in privacy and security regulations,
and to ensure that all measures are taken to avoid security breaches.
The
main causes of HIPAA violations include lack of knowledge, low security,
unauthorized users or unnecessary access to PHI, and simple neglect. To address
lack of knowledge, healthcare office managers must take several measures.
First, a policies and procedures manual must be kept updated and revised as new
opportunities for violations arise, such as in the case of new technology or
devices being implemented. Our practice recently started using a mobile app
through our EMR, which allows providers to access PHI from their smartphones.
They are able to access patients’ charts, send prescription refills or lab
orders, and perform other tasks that may be necessary for an on-call provider
who may not otherwise have access to the EMR system at that moment. Such new
features, although beneficial for patient care, open up new opportunities for
security breaches. To address such risks, a new policy must be added to the
policies and procedures manual, and precautions must be taken such as requiring
that the providers accessing the mobile app utilize a complex password to
access their phones (in addition to the login credentials needed to access the
mobile app). Staff trainings must be done on a regular basis to review the
policies and procedures in place, as well as to introduce any new policies. In
our organization we also subject all employees to HIPAA testing after training,
to ensure that they understand what they have learned. It is not enough to
simply conduct yearly HIPAA training, especially considering the fact that new
employees may be hired after the yearly training has already been done. These
new employees must immediately be subjected to a thorough training on what
constitutes a HIPAA violation, and how to prevent such occurrences within the
organization. A Privacy and Security Officer must be designated so that all
employees have someone to turn to when they have questions or if situations
arise that they are not sure how to handle appropriately.
Low
security must be addressed by a Health IT professional, who can take steps such
as preventing access to certain sites, using a secured network, installing
firewalls and other antivirus programs, creating unique desktop and EMR login
credentials and complex passwords for users, encrypting data, as well as remote
data wiping in the event that a device containing PHI is lost or stolen (Cohen
& Difiore, 2014). Unauthorized access to PHI can be monitored through
random log audits to ensure that users are only accessing PHI on a need-to-know
basis. Additionally, users can be placed in categories with different sets of
permissions based on their roles and job functions. For example, front office
staff does not need the same access to PHI as a healthcare provider or medical
assistant involved in direct patient care. Additionally, physical measures can
be taken such as implementing screen protectors to ensure that other patients
or unauthorized individuals cannot see an employee’s screen. It is important
for staff to be trained to log out of their EMR system when leaving their
workstation so that unauthorized users cannot access PHI under their login
credentials. It is crucial that no patient information is left laying around on
desks at the end of the workday so that individuals such as the cleaning crew
do not have access to PHI. Furthermore, any such individuals that conduct
business with the organization should have signed a Business Associates
Agreement as well as a Workforce Confidentiality Agreement that briefs them on
the importance of protecting PHI.
It
is not always easy for an organization to ensure full HIPAA compliance. It may
in fact be very difficult to implement, especially in a practice or facility
that has high employee turnover, and no time or no qualified person to
regularly train all staff. However, when faced with the serious penalties and
consequences that may arise from not being fully compliant, it is important to
dedicate time and effort to this cause. The main key to reducing potential violations,
aside from technological safeguards, is the proper training of all employees,
the designation of a knowledgeable and thorough Privacy and Security Officer,
as well as the existence of a clearly-defined, updated, and accessible policies
and procedures manual in place in case an employee has any doubt about whether
a specific act or behavior constitutes a violation.
Leading Management Solutions helps medical
practice leaders identify ways to improve operations to increase revenue,
employee engagement, and patient satisfaction. Learn more about us at www.lmshealthpro.com.
About the Author:
Sonda Eunus is the Founder and CEO of
Leading Management Solutions, a healthcare management consulting company (www.lmshealthpro.com).
Along with a team of experienced and knowledgeable consultants, she works with
healthcare practice managers to improve practice operations, train employees,
increase practice revenue, and much more. She holds a Masters in Healthcare
Management and a BA in Psychology.
