Tip: Encrypt your data - it's just that simple.

Fresenius Medical Care North America's (FMCNA) recent HIPAA issues highlight the need for risk assessment and management. Let's address the separate breaches and what you can do to fix problems like these before they bring down your practice.

1. Confirm physical safeguards are rock solid.

Two FMCNA branches did not aggressively protect their locations from "unauthorized access, tampering, and theft" even though the HIPAA Security rule required them to do so, suggested an HHS Office for Civil Rights (OCR) release. Ensure your practice has not only tight controls over electronics like workstations, laptops, mobile devices, and medical equipment to avoid illegal access, but also security for the facilities themselves that stops intruders from damaging and stealing equipment.

Ask yourself these questions about the physical safety of your office and equipment:

Tip: "The high impact cases OCR moves forward with are intended to send a message to the industry," explains attorney Kathleen D. Kenney of Polsinelli LLP in Chicago, Illinois. "With that in mind, I advise our clients to use these cases as learning opportunities.

"Ask 'could this happen to my organization?'," Kenney stresses. "And, if the answer is 'yes,' use it as an opportunity to voluntarily take corrective measures."

2. Outline the access, movement, and removal of practice HIT.

One of FMCNA's sites lacked the proper HIPAA protocols to fully protect its "hardware and electronic media that contain ePHI" from moving in, out, and around the facility, the OCR release mentioned.

Consider these questions related to the "Administrative Safeguards" section of the HIPAA Security rule that specifically reference the movement and control of health IT:

Tip: "As devices get smaller and more portable, the potential for lost or stolen or misplaced data increases - and so does the risk for a breach," warns Peter Arbuthnot, regulatory analyst with American HealthTech in Jacksonville, Mississippi. That's why it's essential to clearly state who's in charge of the maintenance, care, and updates of practice technology.

3. Encrypt ePHI and maintain device control.

More and more large-scale breaches stem from device management issues that lead to the loss of ePHI, and FMCNA failed to implement encryption strategies. When you encrypt and decrypt ePHI, set strong password protection on your mobile devices, and implement at-rest and remote access rules, you are protecting your patients and your livelihood.

Check these three questions and see if you risk the exposure of ePHI:

Tip: "If you do have a breach in your networks, or if a device containing PHI is stolen, proper encryption can be a lifesaver," points out Brand Barney, HCISPP, CISSP, QSA, security analyst with Security Metrics in Orem, Utah. "If your data is properly encrypted using industry-accepted encryption strengths, you don't have a breach. And it's also a requirement for HIPAA."

Resource: For a closer look at the HIPAA Security rule, visit www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html.