Top recommendations for HIPAA Security Risk Assessments for physician practices

In completing security risk assessments for dozens of private practices, each is similar to writing a master’s thesis in terms of the breadth and detail required to properly understand all that is at stake. HIPAA remains the top compliance risk for physician practices.

HIPAA, then and now

The original HIPAA legislation was signed into law in 1996 (Pub. L. No. 104-191, 110 Stat. 1936). It protected patients’ PHI held by certain covered entities and provided patients rights to their own protected health information (PHI). It’s a federal floor for an expectation for privacy safeguards for any physician or anyone who works in the healthcare field.

Physicians always followed the Hippocratic Oath: “I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know.” It extends beyond government-funded care — it’s for all patients, and compliance is required for all providers who transmit claims electronically, which is the definition of a covered entity provider under HIPAA.

The HIPAA Privacy Rule, which took effect in 2003, requires the privacy of written, verbal and electronic PHI. At the time, many physicians did the bare minimum to ensure compliance with the new federal law and didn’t think much about it afterwards. 

This became a problem when electronic communication was protected by the HIPAA Security Rule, which took effect two years later. The Security Rule requires implementing safeguards for the security of information in electronic form, which includes faxes, email, claims’ transmittal information and electronic medical records. Big hospitals, which have IT people and lawyers on staff, had the resources to handle it, but small physician practices did not.

As the HIPAA law flew under the radar of most providers, major changes were included in the American Recovery and Reinvestment Act of 2009 (ARRA). Incorporated in the ARRA were the first major changes to HIPAA since 2001. Privacy changes were incorporated into the HITECH (Health Information Technology for Economic and Clinical Health) Act section of ARRA, which included $44,000 of incentive monies over five years for early-adopters of EHRs.

The government also decided to increase fines and proactively audit practices for HIPAA compliance. Instead of the previous $25,000 fine, the fine was raised to a maximum of $1.5 million ($1.6 million today) so providers couldn’t simply decide to self-insure against a breach. In addition to greater penalties for noncompliance, the HITECH Act increased enforcement, mandated reporting of breaches of health information by providers and required the government to conduct proactive audits.

The Final Rule, released Feb. 23, 2013, changed every paragraph of the 567-page HIPAA law except one. Any covered entity that hasn’t touched HIPAA since 2013 is living in the old world and has policies and procedures that are not reflective of changes required by HITECH.

For example, if you visit your doctor’s office and they give you a Notice of Privacy Practices that doesn’t list the right for a patient to be notified of a breach of their data, it’s not HITECH compliant. If the Notice doesn’t mention breach and the sixth patient right that you’ll be notified of a breach of your PHI, then it’s not compliant with the law.

The HITECH changes also warranted HIPAA training for your practice’s workforce.

Enforcement on the rise

The U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is the enforcement arm for HIPAA. The OCR has received more than 170,000 HIPAA complaints since 2003. As part of HITECH, OCR regional offices get to retain any settlement dollars or compliance fines they levy against providers. 

For the first 10 years of HIPAA, the enforcement philosophy of OCR focused mainly on corrective action plans and educating providers on how to comply with the law. Now that more than 10 years have passed, most settlements and fines since 2013 have been around the previous maximum of $1.5 million.

When civil enforcement (punitive damage beyond fine) is carried out, the cost can be closer to $4.2 million for a health plan that went out of business and ignored subpoenas for medical records. The OCR sends messages through these resolutions.

The message being sent here was “don’t ignore our subpoenas.”

Also, proactive audits are happening. There are 169 requirements assessed in the audit protocol. Physician practices were the least compliant of covered entities in the first round of government audits. One finding of these audits was that the Security Risk Analysis was not done properly or not done at all by the majority (80%) of the practices audited. The audit found high rates of noncompliance with other aspects of the Security Rule as well: media disposal, audit controls and monitoring.

Areas that must be included in a HIPAA Security Risk Assessment (SRA) are outlined in Sections 164.308, .310 and .312 of the HIPAA regulations (available at the electronic Code of Federal Register website).

There are 18 Standards and 42 Implementation Requirements, of which 20 are required and 22 are “addressable.” The graphic is a simple representation of the three topics that are intended to be covered by a practice’s risk assessment, and the number of standards that are required under each topic, as well as the number that are addressable:

A “required” implementation specification means a covered entity must implement the standard. When an implementation specification is marked as “addressable,” it means that a covered entity must assess whether it is a reasonable and appropriate safeguard for the practice environment. If it is reasonable, you must implement the standard. If it is not reasonable, you must document why it isn’t, and then implement an alternative, equivalent safeguard that is reasonable for your environment. Addressable standards still must be implemented, but your office has a little more flexibility for implementing these standards, as opposed to the required standards which must be implemented as written. 

It’s important to know that an SRA was also required for providers who accepted the Medicare Meaningful Use incentive monies. If practices completed the one-page online attestation that they had done an SRA and CMS found out that they actually hadn’t, the physicians would be liable to pay back the $44,000 in Meaningful Use incentive monies they’d received. Today, doing an SRA is also required under the MACRA Advancing Care Information (ACI) measures.

If you plan to conduct your own SRA, these findings and recommendations will help:

1. The top recommendation is to start with a “technical architecture” diagram for your practice. If you can draw up an accurate technical architecture diagram, the rest of the document flows easily after that. Make this diagram your first order of business when starting your SRA.
2. There seems to be a heavy emphasis in HIPAA on access logs: regular audits by the practice of who is accessing patients’ electronic data. These logs help identify irregular activity or unauthorized access attempts, but most practices don’t do this. Some EHRs can produce these reports or a practice’s IT person can perform these audits. Practices should find the access log, monitor it for unsuccessful log-in attempts and then try to conduct penetration testing of their own IT system. This important audit function should be part of a staff member’s job description.
3. Remote access to a practice’s network should be done by Virtual Private Network (VPN) to ensure secure connections.
4. Practices should document all sanctions, even minor ones. Waiting to document and report only breaches doesn’t show a history of compliance with the law when little things that don’t rise to the level of a breach occur in normal day-to-day operations. Practices should get in the habit of building their documentation to show how they are policing HIPAA compliance as part of normal operating procedures. For example, the most common violation we see is someone at a physician practice emailing PHI unsecured. At a minimum, staff who email unsecured PHI should receive a warning, and that should be documented in the practice’s HIPAA Sanction Log.
5. Have a security officer position description and provide training. There might be someone at your practice who has the title of security officer, but we rarely find that they are trained or have knowledge of what is required in that position.
6. Link access needs within the EHR to the job description for each employee. Rather than granting administrator access to all employees, it should be customized for each role in the practice. This should be included in job descriptions as well. At a minimum, suggested language would be: “The job requires access to PHI. HIPAA training is required, and HIPAA compliance is expected.”
7. Conduct background checks on new hires before employment offers are extended. PHI is very valuable, and physician practices should vet the candidates they are hiring who will have access to patients’ PHI.
8. Have a termination checklist and use it. The list should be comprehensive (office key, email, EHR access, etc.) and should be followed so employees who leave the practice can’t access the ePHI systems.
9. Train your workforce on security awareness (a required safeguard under the HIPAA Security Rule). Once training is complete, have your staff sign a form to acknowledge they’ve been trained.  
10. Have a password management policy that requires a minimum level of complexity for passwords to be granted, as well as password changes after a certain number of days. Train staff to not share passwords.
11. Disaster recovery seems to be the holy grail for most physician practices. Everyone needs a policy, but most don’t have anything. Given the devastating hurricane season in 2017, it is even more important to have a plan in advance of a disaster to avoid problems in the event of a real emergency and practice disruption. The SRA requires a practice to have a Contingency Plan, which includes a data backup plan, a disaster recovery plan and an emergency mode operation plan.
12. Have updated business associate agreements (BAAs) after Sept. 23, 2014 (or Sept. 23, 2015, for BAs in effect before the HITECH update). Does your practice have these updated documents in effect with all vendors, including EHR partners? Are the practice’s business associates compliant with HIPAA? How are the BA workforce members trained and how are they protecting the practice’s PHI?
13. Set workstations to time out in a limited number of minutes of inactivity. This is a simple thing practices can do right away to safeguard each employee’s workstation, with shorter timeouts for workstations left unattended in areas that patients can access, such as exam rooms.
14. The standard for ePHI storage and transmission today is encryption. Encryption is the electronic scrambling of the ePHI or hard drive so that no one can read or decrypt it without the proper key. Encryption is an inexpensive way to secure PHI, yet there are many cases of stolen laptops and lost thumb drives that aren’t encrypted.
15. Get a certificate of appropriate destruction from a recycler when disposing of or returning a leased piece of equipment, such as a copier, laptop, cell phone, etc. These should be retained by the practice.

One final recommendation: physician practices should work with their malpractice carrier to be sure they are insured to the maximum limits possible for HIPAA violations. While malpractice coverage used to include some defense against a HIPAA violation or accusation, given the frequency with which these cases occur, we’ve seen a pull-back by insurers to only cover physicians or practices if they have purchased separate coverage (breach rider, cybersecurity policy or HIPAA riders). Before it’s too late, make sure you have coverage to help lessen the impact of a HIPAA investigation and subsequent settlement or fine from the federal government.