More than ever, Covered Entities are at risk of falling short of patient privacy requirements.
Since HIPAA was passed in 1996, healthcare has experienced an ever-growing stream of regulation. For example, the HITECH Act of 2009 put a little more “teeth” into the HIPAA fines and penalties for privacy violations.
While there will always be privacy and security risks within a Covered Entity, HIPAA (and HITECH) stress that anyone handling PHI (Protected Health Information) must do as much as possible to mitigate those risks.
A good formula for medical practices to follow is: assess, document, make adjustments, monitor, and repeat the process consistently. While these steps may seem daunting and time consuming, you and/or your business partners are already doing some of this. What we usually find in medical practices is that the steps within this “formula” are being done in bits and pieces, not documented, not centralized, and without clearly defined roles (ownership).
During the course of a Security Risk Assessment, or the review of a practice’s last Corrective Action Plan (if there is one), we often find many items that were simply not addressed, or were dropped because nobody owned the task. For example, there is often a heavy reliance on a practice’s 3rd party IT partner. This reliance on their IT expertise often results in a lack of follow-up, documentation and communication within the practice. A frequent example is the 3rd party IT company modifying or reconfiguring something within the practice’s network because they think it is better suited for the practice, while nothing is ever documented or clearly reported to the practice. [Side Note: Always ask your 3rd party IT company whether they themselves have had a Security Risk Assessment performed by an outside firm; you do not want the “fox watching the hen house”.] As a Covered Entity, you are responsible for protecting the PHI that is created, disseminated and handled by your practice or clinic. While your 3rd party IT company plays a significant role in performing a practice’s Security Risk Assessment, they USUALLY are not qualified, NOR are they trying, to provide you with a Security Risk Assessment that you would want to submit to the Office for Civil Rights (OCR) or Health and Human Services (HHS).
As previously mentioned, there are many risks and opportunities for mistakes when protecting PHI; we are, after all, only human. The key to being successful in protecting the privacy & security of PHI is to utilize your resources and partners to best mitigate those risks. 3rd party IT partners are a great resource and can be a significant piece of maintaining a successful IT environment. However, it is the Covered Entity who must ensure that all of the documented policies & procedures are being followed, assessed and updated on a regular basis. Ignorance is no longer bliss, and “I didn’t know that” is not a defense.