Practice Management Alert

Compliance:

Glean 3 Key HIPAA Lessons from 2 HITECH Reports

Learn from the mistakes others made before your practice ends up in hot water. 

Reviewing lengthy reports from countless sources is probably not high on your daily to-do list, but focusing on the highlights from some Health Information Technology for Economic and Clinical Health (HITECH)-mandated reports could help you avoid costly HIPAA breaches. . 

Take a look at the lessons the experts have pulled out of these reports to help your practice stay informed and out of the next round of breach reports.

Source: The reports assess the most recent calendar years with complete data — 2011 and 2012, and are titled “Breaches of Unsecured Protected Health Information” and “HIPAA Privacy, Security, and Breach Notification Rule Compliance.” 

1. Ratchet Up Your Theft-Prevention Efforts

Theft didn’t merely rank number one on the list of breach causes, it blew all other causes out of the water. Theft accounted for half of the breaches in both years (50 percent in 2011 and 53 percent in 2012), according to a blog post from health law attorney Leah Roffman with Cooley.

“The statistics in both reports clearly show that the most breaches still come from ‘older’ sources of PHI, such as paper records, desktop computers, and network servers,” note attorneys Stephanie Willis and Dianne Bourque in an analysis for Mintz Levin Cohn Ferris Glovsky and Popeo, published in The National Law Review. But “in addition to updating and monitoring security protocols for older PHI sources, covered entities should address security problems with newer storage media,” according to Willis and Bourque.

And specifically, the breach report shows a large increase in the number of breaches involving laptops, say Willis and Bourque. “Because theft was the primary cause of breaches in 2009 to 2012, ensuring that laptops and other portable devices are secured in accordance with standards acceptable under HIPAA will become even more important as organizations adopt more ‘bring your own device’ policies to ensure the mobility and convenience of health care delivery.”

2. Keep a Close Eye on Your BAs

Although Business Associates accounted for only 26 percent of the breaches in the reporting period, these breaches affected 59.3 percent of the total individuals affected by all the breaches reported. And the large number of affected individuals in breaches involving BAs likely reflects the reality that BAs may house PHI for multiple CEs, Willis and Bourque point out.

Action point: “Based on these statistics, health care organizations must impose standards for using BAs and subcontractors,” Willis and Bourque urge. You must also ensure that your BAs and subcontractors understand their obligations under the HIPAA Privacy and Security Rules.

3. Beware the Cumulative Effects of Small Breaches

Although small breaches — those involving fewer than 500 individuals — may seem like a far cry from mega breaches affecting millions of people, they can still seriously hurt your organization.

Reason: “The problem with small breaches for organizations is that they can occur more frequently than large ones,” warn Willis and Bourque. “The occurrence of repeated small breaches can be indicative of a systemic compliance problem, and may suggest to a regulator that the organization has not taken steps to identify and remedy the problem.”

That’s why it’s crucial for your organization to determine its breach risk profile, and identify and correct any compliance gaps, Willis and Bourque stress. “All covered entities should ensure that they account for the likelihood of small breaches as much as they do for large breaches when doing their security risk assessments.”

Tool: For help with risk assessment for your general surgery practice, check out the HHS Office of the National Coordinator’s Security Risk Assessment Tool for small and medium-sized health care providers at www.healthit.gov/security-risk-assessment