Keys to Surviving HIPAA

With the Health Information Technology for Economic and Clinical Health (HITECH) Act, a bill that was passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA), a number of incentives have been created to encourage the adoption of health information technology, such as electronic health record (EHR) systems. Furthermore, the HITECH Act anticipates considerable exchange of electronic protected health information (PHI) among health care providers and has increased the reach of privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA).

Earlier this year the Department of Health and Human Services (HHS) issued the Omnibus Rule, greatly expanding the types of entities that are required to protect patient privacy under HIPAA. Up until this point, the HIPAA Privacy and Security Rules have mostly focused on medical offices, hospitals, health plans and other “covered entities” that process health insurance claims. The Omnibus Rule expands many of the requirements to business associates of these entities, such as vendors and subcontractors who have access to protected health information. Specifically, the new rule affects the HIPAA Privacy, Security, Enforcement and Breach Notification Rules mandated by the HITECH Act and includes penalties of up to $50,000 per comprised health record with a maximum penalty of $1.5 million for violations of an identical provision in a calendar year. Last year, the HHS settled with covered entities for amounts ranging from $50,000 to $1.7 million.

  • The Hospice of Northern Idaho agreed to pay $50,000 after an unencrypted laptop containing health records was stolen.
  • Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc., agreed to pay $1.5 million to settle potential violations of HIPAA after an unencrypted laptop was stolen.
  • Phoenix Cardiac Surgery settled for $100,000 after the investigation concluded that the practice was posting clinical and surgical appointments for their patients on an Internet-based calendar that was publicly accessible.

Patients expect that doctors will ensure adequate protection of their data, which may include confidentiality provisions and notification in the event that their records are compromised.  Potentially damaging incidents happen every day. In today’s technology driven environment, information is only a click away.   Arming practitioners and patients alike with knowledge is necessary for protection.  Physical security, electronic security, monitoring, and employee training are the keys to securing data.

PHI includes both physical data, such as forms and paper work, and electronic data.  Whether a patient’s data is physical or electronic, it can be defined at any point in time as created, stored, used, transferred or destroyed.  Along the path that data travels, there are several keys to its security.

First and foremost, determine what data is being retained and whether the retention of that data is critical to the business.  Only keep what is needed, otherwise the risk of a breach grows exponentially with time.  If you don’t keep it, it can’t be compromised.  In most cases, confidential information is not important to doing business.  However if it is, here are some areas to focus on.

Physical Security
Physical security is a complex cornerstone to data security, without it all other methods of security are irrelevant.  You should authorize physical access for appropriate individuals only, restrict it for a specific purpose, monitor continuously, and revoke access immediately when employees are terminated. Segregating controls can set, approve, and monitor who has access to what and where.  Continuous monitoring and approval of “who has access to what” is key to maintaining the physical security of PHI.

Information Security
Electronic information access has many characteristics of physical access, such as authorization, restriction, monitoring, and disposal.    No one should access electronic data without specific authorization to do so. Depending on the function of the users, you should restrict access to what is necessary for that person’s job.  You can implement manual controls to adequately monitor and review individuals’ access to electronic data on a periodic basis.    As with physical security, controls for removing user access upon termination should be implemented to adequately restrict access to authorized personnel.  Overall, access whether physical or electronic, should be reviewed, monitored, and approved to ensure authorized access to electronic data at all times.

Data encryption for data stored or data being transferred is an important step to ensuring a high level of security.  Laptops, smartphones, emails, electronic data transfer (EDI), file transfer protocol (FTP) transfer or storage, and backups are all examples of different types of data storage and data transfer that should be encrypted.

USB drives have become a popular and easy method of transferring data.  USB drives have also been a common source of compromising a secure network.  In most cases, it is in the best interest of the practitioner to disable these ports on all terminals or at least limit the use of USB drives to privileged users.

Employee Training
“Knowledge is power.”  Training employees on data security is not only a good idea, it’s necessary to prevent potentially catastrophic breaches of patient information.  Technology is in a constant state of change, therefore it is paramount to keep up-to-date with best practices for ensuring adequate security.  What is considered secure today, may not be secure tomorrow.  Implementing an employee training program has significant benefits to your practice. By educating your employees and empowering them to become your security champions, you will elevate the overall security e environment.

Remember, the sum of all the parts is what determines security effectiveness of a medical practice.  A proactive approach is the most efficient and cost effective way of ensuring a secure environment.  Knowing the steps to take to secure data and identifying what is at risk are the keys to surviving HIPAA and avoiding costly data breaches.

Jorge Rey, CISA, CISM, CGEIT, is an associate principal and the director of information security and compliance at Kaufman Rossin, one of the largest independent accounting and advisory firms in the Southeast. He provides information security and advisory services, including HIPAA/HITECH compliance services, business consulting, security audits, training, and implementation of IT security programs. Jorge can be reached at jrey@kaufmanrossin.com.


Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.