HIPAA compliance is the financial gamble that could ruin your business
STORY BY Deirdre Carroll
It’s the 6,000-pound monster in the room. The boogieman under the bed. The thing in the mist ... you don’t know what it is, or when it’s coming, but you know it’s out there. It will get you eventually but you have no idea what to do about it. Or maybe you think you’re prepared. Protected. You can handle it. Let’s dispel that myth right now. In this scenario, you’re the nubile young coed who decided to take a shower while a homicidal maniac is on the loose. In other words ... you’re an easy target and HIPAA compliance is the axe-wielding lunatic coming to get you.
According to Matt DiBlasi, president of Abyde, a company that guides independent medical practices through the complexities of implementing HIPAA compliance programs, when the U.S. Department of Health & Human Services (HHS), which oversees HIPAA compliance through its Office for Civil Rights (OCR), conducted a first-round audit of the program last year, it found that 83 percent of the covered entities audited did not have a complete risk assessment or analysis. A covered entity is any business dealing with protected health information: social security numbers, medical histories, and, yes, lens prescriptions, etc. So that means you, even if you don’t have an OD on site. And a risk analysis is considered just the first step in HIPAA compliance; without it you cannot consider yourself compliant. In fact, 94 percent of those audited in that first round didn’t have a risk analysis or any other part of the puzzle.
Terrifying when you consider that the minimum fine Abyde has ever seen was $25,000. And it should be noted that the amount of a fine is not determined by the size of the business, but the size of the breach and the steps you have taken in advance to protect patient information.
Can your business survive a $25,000 fine?
While no specific stats for independent verticals within the healthcare field are currently available because HIPAA does not differentiate between covered entities — meaning your eyewear boutique or one-doctor optometry practice is held to the same standard as a large urban hospital — we do know that independent practitioners are behind.
“Everyone can agree with that,” says DiBlasi. “The stats we’ve seen are very eye opening.” He estimates that 90-95 percent of eyecare practices are non-compliant “but we don’t blame them. Most haven’t been educated properly so they don’t understand what their formal roles and responsibilities are when it comes to HIPAA.”
Abyde works with independent practices, regardless of specialty, but predominantly in the eyecare field, so we asked DiBlasi the three most common violations a smaller practice might see.
1. REMOTE THEFT
This includes hackers, viruses and phishing: any outside person or entity with malicious intent that accesses a network or practice management/EMR software. “An OD practice needs to be aware of what remote theft is and how they can react to it,” says DiBlasi. “It’s the number one way criminals get access. Ransomware — someone takes ‘control’ of your IT network or data, locks it down, and you must pay to get access back. Even once you pay, you may still not get access. By that time, the damage is done. On top of that, there are PR ramifications and each individual who had their information stolen needs to be notified. If the breach affects more than 500 individuals, it’s even worse – media must be notified.” In April 2017, the HHS announced a $400,000 fine for an organization in Colorado after 3,200 records were compromised during a phishing attack. The organization was fined for failing to conduct a risk assessment and failing to properly implement documented policies and procedures to prevent, detect, contain, and correct security violations.
2. LOSS OR PHYSICAL THEFT OF DATA
This includes accidental disclosure, accidental loss of a device, or theft of USB drives, hard drives, computers, tablets, and/or servers. Say an employee leaves their laptop somewhere or someone comes in and steals a computer. If there is protected health information on those devices, they should be encrypted, including scanners or copiers with hard drives. “All information copied or scanned gets stored on internal hard drives and unless the hard drives get scrubbed periodically all patient information is exposed,” DiBlasi warns. To underscore the risk, an organization was fined $2.2M in January 2017 after a USB drive with 2,209 individuals’ complete names, dates of birth and Social Security Numbers was stolen from its IT department, where it was left without safeguards overnight. An investigation revealed the organization’s noncompliance with HIPAA rules, specifically a failure to conduct a risk analysis and implement risk management plans, as well as a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media. The organization was also cited for failing to implement, or delaying the implementation of, other corrective measures it said it would undertake.
3. LACK OF HIPAA SECURITY & TRAINING
This includes what the practice is doing every day to protect patient information and what it is prepared to do should information be compromised. “There should be formal training,” says DiBlasi. “At minimum, formal training should be done once a year... By training employees on a regular basis, safeguarding patients’ sensitive information becomes ingrained in their everyday habits... HIPAA education is lacking in the large majority of practices based on settlement statements from the OCR... Most organizations who have been fined were not trained properly on how to handle patient health information. If trained properly, a risk assessment/analysis would have been conducted, immensely reducing their overall risk and eliminating or substantially reducing the fines incurred.”
If that’s not enough to give you nightmares, fines imposed by the OCR have increased in the last three years. 2016 was a record year, with fines totaling $23.51M. As of May 2017, the OCR had levied $17.1M in fines, putting it on track to almost double what it did in 2016. It continues a trend; 2016 nearly doubled 2014 and 2015 combined. Additionally, the OCR is putting more resources into updating its website and guidance materials, and it has stated that it will focus more on small data breaches. DiBlasi says “criminals are focusing on the smaller businesses because they are sitting ducks.”
You are basically gambling with the financial health and longevity of your business if you are not actively implementing, and most importantly, documenting a formal HIPAA compliance program. To make it even scarier, though covered entity audits are selected at random, a disgruntled patient or employee can lodge a complaint that also instigates an investigation and audit. They are protected under the Whistleblower Act and eligible for a cash reward.
Finally, DiBlasi leaves us with this: “We are all patients somewhere. I think we can agree that we all want our own doctors to implement security standards to protect our private information. By complying with the government regulations, not only will you protect your practice from audits but you will also be ensuring your valued patients are protected from those who have malicious intent.”
HIPAA COMPLIANCE BASICS
Five things you should do immediately
Most of the time, violations are accidental breaches. Nonetheless, documenting that you have tried to be compliant by analyzing and mitigating risk, and by documenting policies and procedures, is a good faith gesture that could save your business. There is no ironclad way to assess that risk, but here are a few pointers:
1 Perform a risk analysis. There is no formal template for ECPs, but the HHS.gov site offers a helpful 15-page document.
2 Document policy and procedures as they pertain to the accessibility or security of patient information specific to your organization. If generic policy and procedure templates are purchased or downloaded, be aware they must be edited and updated to accurately portray which safeguards your practice has implemented to keep protected information secure.
3 Implement business associate agreements. Any vendors or third-party companies or individuals who may have access to private health information need to sign one stating they are HIPAA compliant. Examples of business associates include the IT company that does your maintenance or updates and could have access to information on your server, your file storage and disposal service, etc. When signed and executed properly, they protect both companies when there is a data breach. According to DiBlasi, this year a fine was levied on a seven-location practice because the company it contracted to store its physical records discarded them (without notifying the practice) into an unlocked bin. A business associate agreement was not in place and the practice was fined $31,000.
4 Keep proof of HIPAA training and awareness for doctors and staff. Document completed written quizzes with a certificate of completion that includes the name of the employee, the date it was given, and the name of the training.
5 Do it on a continual basis. Always be assessing your risk. Always be documenting what you are doing to mitigate that risk. Conduct training on a regular basis and ensure your business associate agreements are up to date. And remember, “risk assessment is an ongoing process that ultimately never ends,” says DiBlasi.
Lastly, bring in a third-party expert to help. Abyde itself is a great resource, and DiBlasi puts the cost in perspective: “It’s pennies on the dollar when you’re talking about fines.” Learn more at continualcompliance.com.
This article originally appeared in the January 2018 edition of INVISION.