A Very Basic HIPAA Security Action Plan

With all the other stuff your eye care practice needs to handle, do you really need to worry that much about all those complicated HIPAA security guidelines?

The answer is yes. You do need to take security steps, and no, you just can’t leave everything to your IT vendors. Fines for security incidents can quickly climb into the millions, and the loss of your practice’s good reputation is incalculable.

Many physician practices are complying with the HIPAA Privacy Rule, and most know enough to require patients to sign a Notice of Privacy Practices. The HIPAA Security Rule is a bigger challenge. Alarmingly, many practices aren’t complying with the rule, and they’re putting themselves at huge risk in the event of an audit or breach. Is your eye care practice one of them?

Comply With These Three Main Components of the HIPAA Security Rule: 

If you’re like most physician practices, it’s highly likely you’re not doing enough to comply with federal and state security regulations. You must take a long, hard look at the security situation in your own practice, and an equally long, hard look at any vendor that handles PHI from your practice. It’s not enough to simply assess risks. You must take concrete actions and document those actions to protect your practice during a security audit or breach.

Administrative Safeguards

• Designate someone as your practice’s security officer and define the duties in writing. You can integrate this role with an existing compliance or IT role, as long as you spell out requirements in the job description.
•  Assess your risks and develop a corrective action plan. The HIPAA Security Rule requires this step, and you should document everything you do.
• Actually do the things you outline in the corrective action plan. If an OCR auditor looks at a risk assessment from this year and a risk assessment from the previous year and they are exactly the same, that’s a strong indicator that your practice isn’t actually doing anything about security compliance.
• Teach your clinicians and staffers about cybersecurity compliance. If you don’t have a cybersecurity training program at your practice, get it going immediately and document your efforts. Don’t forget to include HIPAA privacy and security training in your onboarding process for new employees.
• Make certain that your business associates (BAs) are keeping PHI secure. The usual suspects are EHR companies, practice management software vendors, and billing companies, but even a janitorial service that cleans your office is a potential BA.

Almost half (48 percent) of healthcare providers reported that the root cause of medical identity theft was unintentional employee action, according to a2016 survey by the Ponemon Institute.

Physical Safeguards

• Make sure you’ve safeguarded your office areas and workstations from unauthorized users. Protect workstations that process, transmit or store PHI. You can use physical locks, electronic keys, or some combination of these and other methods.
• If your clinicians or staffers access PHI from mobile devices, make sure you have a policy that keeps these devices secure. Not sure where to start? Here are some common-sense recommendations from the HHS office of the National Coordinator for Health Information Technology (ONC):
• Set strong passwords: Always use a password or other user authentication on mobile devices.
• Encrypt: Install and enable encryption to protect health information stored or sent by mobile devices.
• Use automatic log off: Also, make sure your mobile device requires a unique user ID for access.
• Enable remote wipe: Install and activate wiping and/or remote disabling to erase the data on your mobile device if it is lost or stolen.
• Keep the device with you: Maintain physical control of your mobile device. Know where it is at all times to limit the risk of unauthorized use.
• Use a screen shield: Also, don’t share your mobile device with anyone, and lock the device when not in use.
• nstall a firewall: Install and enable a firewall to block unauthorized access.
• Use a secure Wi-Fi connection: Use adequate security to send or receive health information over public Wi-Fi networks.
• Employ security software: Install and enable security software to protect against malicious applications, viruses, spyware, and malware-based attacks. Keep you security software up-to-date.
• Research mobile applications before downloading: Disable and do not install or use file-sharing applications.
• Use proper disposal methods: Delete all stored health information on your mobile device before discarding it.

Having technical trouble with your EHR? Think twice before you send a screenshot to the help desk to help the support person understand your problem. Unless you’re on an encrypted email system, anyone can grab the PHI in that screenshot and you’ve got a HIPAA violation on your hands.

Technical Safeguards

• Make sure you’ve safeguarded your systems from unauthorized users. When it comes to technical safeguards, many physician practices fall very, very short. If you are on a client server, you should have at least some of the safeguards listed below. If you are on a cloud, your vendor should be employing these methods to protect PHI:
• Firewalls prevent intruders, inspect all incoming messages, and determine whether to permit those messages. If your practice uses a Local Area Network (LAN), it should have hardware firewalls. If you use an internet service, your provider should provide firewalls as part of the package.
• Anti-virus, anti-malware, anti-ransomware software uses systematic scans to protect the network
• User behavior analytic systems (UBA) monitor user behavior and alert information security team of suspicious activity on the network.
• Encryption systems encrypt data while at rest and in transit.
• Back up your data. Back up and store PHI in secondary, secure locations. It will protect your practice and your patients in the event of a ransomware attack or natural disaster. You should test your backup systems periodically to make sure they can restore data properly. Backup precautions ensure that your clinicians can retrieve exact copies of PHI even when primary systems are disabled.