March 6, 2013

Can Your Medical Practice Survive a HIPAA Violation?

The Health Insurance Portability and Accountability Act of 1996, otherwise known as HIPAA, set forth new standards for the privacy and security of electronic protected health information (EPHI). Once the Y2K ‘crisis’ had come and gone, healthcare organizations could turn their attention to these new regulations.

The frequency of data breaches in healthcare organizations has increased by 32 percent. Why? Healthcare records and insurance information fetch more on the black market than credit cards.

A HIPAA violation can be devastating to a medical practice no matter its size. In one case, a practice was burglarized and many of its computers were stolen, including the server that held the practice management database.

HIPAA Section 164.310 mandates that physical controls for the facility be documented and instituted. This physical security plan defines and documents the protective measures the practice uses to protect its facility or facilities from environmental hazards, unauthorized physical access, tampering and theft.

A security plan must document the use of physical access controls. These controls must ensure that only authorized individuals have access to facilities and equipment that contain EPHI (electronic patient records).

In general, physical access controls allow individuals with legitimate business needs to obtain access to the facility. Procedures must be implemented to prevent unauthorized access to physical and electronic patient data.

A security plan reviews staff, patient, visitor and vendor access requirements. Physical security systems, together with employee security practices, restrict and monitor access. These include, but are not limited to:

  • Locked doors in restricted areas along with warning signs
  • Surveillance camera systems in restricted areas
  • Electronic access controls
  • Tamper-resistant property inventory control tags
  • Escorting visitors, patients and personnel in restricted areas
  • Documenting visitors and vendors

Never rely on a facility being 100% safe and secure. While electronic security systems provide increased protection, there is still a human element that must remain engaged. Keeping an open eye to the “who, what, where, when and how” is good common sense.

Meeting regulatory mandates is an important element of risk management for a company. Health information must be protected from accidental and unauthorized access. A single violation can result in significant losses in the form of fines, civil penalties and damage to reputation. Depending on the violation, the US Attorney and the Secret Service may be called in to investigate alongside the Health and Human Services investigators. As of 2009, the U.S. Department of Justice (DOJ) has stated who can be held criminally liable under HIPAA.

These are just a handful of the physical security requirements. For a checklist that can help