Part 1: Avoid the Wall of Shame & Stay Within Budget
DIY HIPAA compliance strategy #1 – protect PHI
You have to make sure that no electronic medical records (EMR) are lost, stolen, or otherwise exposed to unauthorized third parties. Per Bendix in his August Medical Economics report, mobile computing generally represents the most significant risk for providers because it is simple for a thief to grab a portable device and walk off with the patient data. That applies to laptops just as it does to thumb drives: the vulnerable characteristic is that they are “easily picked up and carried,” says Tennant of the MGMA-ACMPE.
Although theft often involves mobile devices, you don’t want to hold back your organization’s transition to the third platform (the post-PC general computing environment that incorporates cloud, mobile, big data, and social networks). The solution is software that encrypts every mobile device: full-disk or file-level encryption of the data at rest, with the decryption key protected by a passphrase or PIN. A screen lock or login password alone is not encryption; the data on the storage medium must itself be unreadable without the key. That doesn’t just protect the data but also achieves compliance: under HHS breach-notification guidance, PHI encrypted in a manner consistent with that guidance is not “unsecured PHI,” so if a phone, tablet, or laptop is stolen while its contents are encrypted and the key has not been compromised, the loss is not a reportable breach. Encryption software is affordable and commonplace. Regarding implementation of encryption mechanisms, Tennant comments, “There’s really no excuse not to do this.”
It’s not enough to put the necessary safeguards in place, such as encryption (at rest on the devices, and in transit for records access via TLS certificates and VPNs) and firewalls. The burden of proof is yours to demonstrate compliance. Create written policies and procedures for the protection of EMR, along with an action plan for any breach. The OCR (the HHS’s Office for Civil Rights) looks favorably on firms that have conducted risk analyses and designated individuals as privacy and security officers (as demonstrated by Carnegie Mellon’s health data policy). Although documentation is essential, you also must have evidence that the policies are being followed.
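The two points above, encrypt every device and keep evidence that the policy is actually followed, are easier to satisfy with a repeatable check than with a signed attestation. The script below is an added example, not code from the original article or from Atlantic.Net: it reads the JSON output of `lsblk -J -o NAME,TYPE,MOUNTPOINT` on a Linux laptop, walks the device tree, and reports every mounted filesystem that is not stacked on a `crypt` (dm-crypt/LUKS) layer, then emits a small JSON record an auditor can file. The sample `lsblk` output and the hostname `sample-laptop` are constructed for illustration; the `/boot` allowance reflects the usual unencrypted bootloader partition and is an assumption you should adjust to your own build standard.

```python
"""Audit a Linux host for full-disk encryption and produce an evidence record.

Added example (not from the original article). Input is the JSON form of
`lsblk -J -o NAME,TYPE,MOUNTPOINT`; the sample below is constructed.
"""
import json
import socket
import subprocess
from typing import Dict, List

# Constructed sample: LUKS-backed root, a plaintext /data partition, and a
# plaintext USB stick mounted at /media/usb (the classic "easily carried" risk).
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
      {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot"},
      {"name": "nvme0n1p2", "type": "part", "mountpoint": null, "children": [
        {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}
      ]},
      {"name": "nvme0n1p3", "type": "part", "mountpoint": "/data"}
    ]},
    {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "mountpoint": "/media/usb"}
    ]}
  ]
}
"""

# Assumption: the bootloader partition is allowed to stay plaintext because it
# holds no PHI. Tighten this set if your build standard says otherwise.
ALLOWED_PLAINTEXT = {"/boot", "/boot/efi"}


def find_unencrypted_mounts(lsblk_json: str) -> Dict[str, str]:
    """Return {mountpoint: device} for each mounted filesystem that has no
    'crypt' device anywhere in its ancestry (i.e. is not on dm-crypt/LUKS)."""
    tree = json.loads(lsblk_json)["blockdevices"]
    findings: Dict[str, str] = {}

    def walk(nodes: List[dict], under_crypt: bool) -> None:
        for node in nodes:
            # A crypt layer protects everything mounted beneath it.
            is_crypt = under_crypt or node.get("type") == "crypt"
            mountpoint = node.get("mountpoint")
            if mountpoint and not is_crypt and mountpoint not in ALLOWED_PLAINTEXT:
                findings[mountpoint] = node["name"]
            walk(node.get("children", []), is_crypt)

    walk(tree, False)
    return findings


def evidence_record(hostname: str, findings: Dict[str, str]) -> dict:
    """Build the record you keep as proof the encryption policy is enforced."""
    return {
        "host": hostname,
        "check": "full-disk-encryption",
        "compliant": not findings,
        "unencrypted_mounts": dict(sorted(findings.items())),
    }


def audit_local_host() -> dict:
    """Run lsblk on this machine and return its evidence record."""
    output = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout
    return evidence_record(socket.gethostname(), find_unencrypted_mounts(output))


if __name__ == "__main__":
    # Demonstrate on the constructed sample; swap in audit_local_host() on a real host.
    record = evidence_record("sample-laptop", find_unencrypted_mounts(SAMPLE_LSBLK_JSON))
    print(json.dumps(record, indent=2))
```

On the sample, the record flags `/data` (on `nvme0n1p3`) and `/media/usb` (on `sdb1`) and marks the host non-compliant, which is exactly the kind of finding a risk analysis should surface before a device leaves the building. Run from a configuration-management job, the per-host JSON records become the evidence of enforcement the OCR expects. The Windows counterpart is the output of `manage-bde -status` or `Get-BitLockerVolume`, which the same record format can wrap.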
Needless to say, it’s difficult to follow policies if you don’t know what they are. Your staff should understand the basic security protocols for healthcare information. It’s wise to conclude your training seminars with a quick test so you know your staff comprehends expectations and so that you can prove you made an effort to educate them, says Angela Dinh Rose, an executive with the American Health Information Management Association.
Your staff should be trained to send any patient concerns directly to the privacy or security officer (who may be the same person). It’s critical to move fast with any complaints so that the patient doesn’t go to the HHS with their problem. “Issue an apology if appropriate,” advises Tennant, “and of course identify and correct the problem.”
DIY HIPAA compliance strategy #2 – sign BAAs
Healthcare organizations also have to be concerned with the practices of third parties that handle their data, such as hosting services. While a medical practice has always been a covered entity, these outside parties, which include billing companies, shredding firms, and anyone else with PHI access, are business associates, engaged under the law through BAAs (business associate agreements). Since the 2013 Omnibus Rule, business associates are directly liable under HIPAA for their own compliance with the Security Rule and applicable parts of the Privacy Rule, not merely contractually liable to the covered entity. That is the commitment Atlantic.Net makes, putting its professionally standardized systems on the line financially, by offering HIPAA-Compliant Hosting plans.
Bendix reports that the extent to which a healthcare company is liable when a business associate fails is not clearly delineated, so be careful with contracts that involve anyone with access to health information, whether electronic or hard copy. Have an attorney look over the agreement. The vendor should offer a business associate agreement of its own, a good sign that the vendor is experienced with healthcare solutions.
DIY HIPAA compliance strategy #3 – insure the data
After putting in all the protections you can, seriously consider adding an additional layer of protection: cyber insurance. (Atlantic.Net itself has a cyber liability policy through a major carrier.) Dean Sorensen of Sorensen Informatics says your cyber policy should cover you for the following:
- business downtime (so that you are compensated if you have to shut down temporarily in the event of a breach)
- breach remediation, which includes the costs of notification to your patients and the press
- noncompliance fines
- any legal fees incurred.
When you apply for a cyber insurance policy, the carrier will start an underwriting process. That generally involves filling out a questionnaire in which you confirm the specific protections you have in place to reasonably protect the data.
Underwriting can be time-intensive, but it helps firms to systematically review their policies and practices. By doing so, says Sorensen, practices can avoid “overlooking something as simple as not locking the door at night.”
Beyond protecting PHI within your practice, working with compliant business associates, and looking into cyber insurance, Sorensen suggests assessing your network against the Payment Card Industry Data Security Standard (PCI DSS) requirements as well. In other words, you want to be sure your data protection is comprehensive.
In our SSAE 16 audited datacenter, it is. Complete Healthcare Solutions chose us for our “100% up-time, secure infrastructure, and expertise in Healthcare IT.” Get experienced guidance today in compliant hosting along with many of our Cloud Hosting Solutions.