Thanks to the HITECH Act, Meaningful Use and the Medicare Access and CHIP Reauthorization Act (MACRA)/Merit-based Incentive Payment System (MIPS), the number of optometrists using EHRs will be at an all-time high by the end of 2017. Many practices are trying to implement software, install IT networks, ensure data backups are running properly and integrate diagnostic technology, such as optical coherence tomography devices, into electronic information systems.
For established practices, the overwhelming sentiment is, “This is not what I went to school for!” While that statement may be true, O.D.s must embrace this technology. It is tied closely with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and, thus, the survival of one’s practice.
Whether it is patient names, Social Security numbers, dates of birth or medical histories, the data stored in an EHR is extremely profitable to those with malicious intent. In fact, this protected health information (PHI) is 10x more valuable than credit card information on the black market, reports Reuters. This makes optometry practices targets for criminals. (See “Securing Your Practice.”)
To ensure you’re complying with the latest HIPAA security requirements, consider following these five steps.
1 PERFORM A RISK ANALYSIS
This is a self-evaluation in which a practice must identify safeguards in place to secure PHI, as well as identify potential risks to the confidentiality of that same sensitive information. For example, many practices do not change computer and server passwords on a regular basis — a potential risk. As a result, my company recommends computer and server passwords be changed at least 3x per year, as anything less frequent would be considered an elevated risk.
The Office for Civil Rights (OCR) at the United States Department of Health & Human Services is clear in explaining that the risk analysis is the first step in a practice’s HIPAA security compliance efforts. Without one, a practice cannot be considered HIPAA compliant.
In the case of a HIPAA audit, proof of risk analysis, as a data breach precaution, is the first item the OCR will require from a practice. This makes it vital for practices to have their risk analyses easily accessible and up to date.
The five categories to consider when documenting the risk analysis are (1) physical, (2) technical, (3) administrative, (4) policies and procedures and (5) organizational requirements. (See tinyurl.com/RAHHS.)
Pro tip. Rather than updating the risk analysis once per year, make it a habit to update it, at minimum, on a quarterly basis to save a substantial amount of time.
Securing Your Practice
- Business Planning
  - Self-risk analysis
  - Review and audit procedures and policies
  - Training and security awareness protocols and schedules
- Physical Security
  - Physical access control
  - Physical barrier to open access to computers (guest access)
  - Workstation use policies (access through log-ins and passwords)
  - Access notifications and tracking
  - Lost or stolen device protocols
- Software security
  - Firewalls and malicious software prevention
  - Encryption
  - Media disposal
  - Physical access control
- Business continuity
  - Disaster recovery (server outage, etc.) documentation and protocols
2 DOCUMENT POLICIES AND PROCEDURES
No matter the size of your practice, it is imperative to document all HIPAA policies and procedures for your organization, as the 2016 HIPAA Audit Protocol mandates policies and procedures be reviewed in the case of an OCR audit.
While it may seem like overkill for smaller optometry practices to have a full complement of documented policies, doing so can be beneficial in the case of disaster recovery efforts or in streamlining the onboarding/offboarding process for employees.
Pro tip. Make sure policies and procedures are specific to your organization’s processes. In other words, avoid using generic online or purchased templates that can give a false sense of security that you are meeting the HIPAA policy and procedure requirement. Examples of policies: access authorization, disaster recovery plan, email and fax transmission and employee hiring and termination.
3 CREATE A HIPAA TRAINING PROGRAM
Many practices conduct HIPAA training for all staff (full/part-time), but few may be meeting OCR’s training requirement. The requirement: Not only must HIPAA training be completed, at minimum, once per year for all employees, but training requirements also mandate that it be concluded in a modular format. This means documented proof is required that a quiz was taken by each employee.
Pro tip. Make sure new employees go through a formal HIPAA training program and take an associated quiz within 90 days of being hired, or “in a reasonable time frame.”
4 REQUIRE BUSINESS ASSOCIATE CONTRACTS
Also known as BACs, these offset liabilities in the case of a data breach. With the majority of data breaches caused by business associates (CPA firms, attorneys, consultants) and not internal employees, the importance of getting BACs signed cannot be overstated. If a business associate will not sign a BAC, realize that by continuing to work with him or her, the practice is taking on a huge liability risk. (See tinyurl.com/BACHHS.)
Pro tip. Every BAC is worded differently, so be sure to identify when the BAC expires.
5 ENCRYPT OR SECURE PHI
You may understand the importance of ensuring servers and backups are encrypted properly, but have you ensured other applications, such as your email, are secure? Emails containing PHI should never be sent under any circumstance unless encrypted or secured. Also, remember that every time a document is scanned or printed to a multi-function device, a copy is saved to the internal hard drive. If hard drives are not encrypted or wiped properly and the device is returned at the completion of a lease or sold to another business, a data breach can occur.
Pro tip. Most all-in-one printers/copiers/scanners provide a HIPAA-compliant security or encryption package. If these are not available for your device, work with an IT professional to wipe and delete hard drives properly before disposing of the system.
PROTECT YOUR BUSINESS
While many practices feel burdened by the added responsibilities of technology, such as EHR, lack of time to interpret HIPAA security requirements is not an accepted excuse when a HIPAA audit reveals problems. Follow the steps outlined above, and consider reaching out to a third party for questions, concerns or if you just need help.