In recent years, we’ve heard about the growing threat cybercriminals pose to physician practices. Data breaches are trending upward and every practice, regardless of size, is a target. Patient safety needs to be more than a bedside concern. Here are five questions all practices should ask themselves to gauge whether they have their cybersecurity and HIPAA obligations under control. Practices that are non-compliant may face significant fees, penalties and loss of reputation.
- Are you violating HIPAA with text messages and emails? HIPAA does not name texting or email explicitly, but both are forms of electronic transmission and are therefore subject to the Security Rule’s requirements for how protected health information (PHI) is transmitted. In other words, you should not communicate diagnoses, procedures or other protected information by SMS, instant message or email unless A) the patient has provided written authorization for that channel or B) you are using a messaging application that supports HIPAA compliance, meaning it encrypts messages in transit and at rest, controls who can access them, keeps audit logs, and is provided by a vendor that has signed a business associate agreement with your practice. As a general rule, SMS or IM texting directly through a phone’s built-in messaging app will not meet requirement B.
- When did your practice last complete a risk assessment? The HIPAA Security Rule requires every covered entity to conduct a risk analysis of the threats to, and vulnerabilities of, its electronic PHI and to keep that analysis current; in practice this means at least annually and whenever the practice adopts new systems or changes how PHI is handled. The depth of the exercise scales with the size and capabilities of the practice. An online tool such as the Security Risk Assessment Tool provided by HealthIT.gov walks a small practice through the process; paper-based assessments are also available should a practice prefer that method. Whatever the method, document the findings and the remediation plan, because the written record is what an auditor will ask to see.
- Who are your HIPAA privacy and HIPAA security officers? HIPAA requires both roles to be designated. In a small practice they can be filled by one person acting as the HIPAA compliance officer, but the roles must be formally assigned and the duties taken seriously. Broadly speaking, the privacy officer is responsible for workforce training, ensuring patients understand their rights under HIPAA, and confirming that policies and procedures related to patient privacy are in place. The security officer has more technical duties, such as ensuring systems are patched and antivirus software is up to date, firewalls are in place, access to PHI is limited to staff who need it, PHI is stored and backed up securely, and policies and procedures related to securing PHI are in place and followed.
- Have you phished your practice? Phishing is the sending of emails that appear to come from a trusted source, such as your practice, a vendor or a payer, but are in fact crafted by attackers to trick the recipient into disclosing passwords or other information, or into opening a malicious link or attachment. Roughly half of all healthcare organizations have experienced a phishing attack in the past 12 months. If you haven’t yet, you will. How successful these attacks are depends heavily on how well your staff are trained to recognize them. Engaging a group to send simulated phishing emails a couple of times a year, and following each round with training for the people who clicked, will do more than any technology solution can on its own. Repeated testing and a well-trained staff are essential defenses against this easy yet effective attack.
- Does your HIPAA authorization form meet the requirements of HIPAA? The burden of ensuring a patient understands what they are authorizing lies with the practice. Overly broad or vague HIPAA authorization forms will most likely not pass an HHS audit and may result in fines or other penalties. The Privacy Rule (45 CFR 164.508) requires that an authorization be written in plain, easily understood language and include:
- A specific and meaningful description of the PHI to be used or disclosed
- The name or other specific identification of the person(s), or class of persons, authorized to make the disclosure
- The name or other specific identification of the person(s), or class of persons, to whom the PHI may be disclosed
- A description of each purpose of the requested use or disclosure
- An expiration date or expiration event (for research, this may be the end of the study or “none”)
- The signature of the patient, or of their personal representative, and the date
- A statement of the patient’s right to revoke the authorization in writing, and how to do so
- A statement that the practice cannot condition treatment, payment, enrollment or eligibility for benefits on the patient signing the authorization
- A statement that information disclosed under the authorization may be redisclosed by the recipient and may no longer be protected by HIPAA