Your healthcare records are under attack. It seems like we read about another data breach or ransomware attack every day. In 2015, the protected health information of more than 100 million patient records was compromised. This is why the federal Department of Health and Human Services (HHS) recently announced random Health Insurance Portability and Accountability Act (HIPAA) audits for covered entities and their business associates. HHS is using the same strategy that creates fear of an Internal Revenue Service audit to mobilize healthcare professionals to take action.
Here’s the thing: If the fear of an audit is not enough to cause you to take action, the fear of a data breach or ransomware attack should. You must protect your most valuable asset—your patients’ private information. If you focus on your key vulnerabilities to secure protected health information (PHI), a random audit won’t matter, because you’ll be well on your way to HIPAA compliance. However, if you do nothing, you exponentially accelerate reputational and financial risk.
Focus on protection, not avoiding penalties.
An audit is only a regulatory method of policing something that regulators feel is critical. In the case of HIPAA, HHS announced random audits because too many covered entities and business associates aren’t holding up their ends of the bargain. Audits are simply the quickest way to inspire action. But with so much emphasis placed on the policing of HIPAA compliance, it’s easy to forget that the point of such regulation is to protect practices, not penalize them.
Be proactive, and evaluate your risks.
Instead of fearing audit repercussions, ask yourself, “In the absence of an audit, would I still understand where my practice is most vulnerable?” If you don’t know your vulnerabilities, how can you protect against them? With the speed at which technology is accelerating, anything that can go wrong eventually will.
The best way to understand where you’re vulnerable is to take a risk assessment. They’re especially helpful for small to mid-sized offices that just don’t know where to start. Hire a professional to help you get started. Attempting to navigate HIPAA alone and uncovering where your practice may be most vulnerable is like trying to do your own taxes; it’s most likely not the best use of your time.
Start with your IT and administrative personnel. They’ll help make sense of the requirements and how your practice can most effectively meet them. They can begin by reviewing the basics at hhs.gov, although I’d also recommend partnering with a HIPAA professional to build a team that can quickly uncover where your practice might be most vulnerable. The idea that your IT department and office manager has HIPAA and patient data protection completely covered is a common and dangerous misconception.
Understand your key vulnerabilities.
Here are key areas where we see most small to mid-sized practices fall short:
- A lack of updated policies, procedures, and business associate agreements;
- No documentation or plan to train employees on the importance of security and privacy;
- Not using proper encryption for backing up and emailing protected health information;
- No proactive emergency and incident response planning;
- No experience of testing the restoration of PHI in case of an incident;
- No Payment Card Industry (PCI) certification on file, leading to unnecessary fees;
- No asset protection or clear understanding of steps to take in the event of a data breach.
By being proactive and taking steps to assess your practice’s security measures (through a risk assessment), you can quickly identify potential risks and mitigate them. In fact, risk mitigation is the entire philosophy behind HIPAA compliance and the security of PHI.
The trick is to protect your practice without draining all your profits in the process. You are running a small business, after all. You don’t want to spend all your time and money trying to guarantee a completely risk-free environment. That isn’t practical. However, finding the right balance between mitigating risk and resource allocation is.
Yes, there is a chance to be randomly selected by HIPAA for a compliance audit. But more importantly, you should be taking proactive steps to secure PHI and mitigate key vulnerabilities—not because of an audit fear, but because it’s the right thing to do for you, your employees, and your patients. I don’t fear an IRS audit, and yet, inevitably, I file my taxes every year.
The first step for both you and your patients’ benefit is to take an assessment of your vulnerabilities. It’s easy to get started. You can begin here: HIPAA Risk Assessment.
Jeff Broudy, founder and CEO of PCIHIPAA, has been actively involved in building startups and leading sales and marketing teams in a variety of industries over the past 30 years. He is now pioneering a “compliance as a service” business with the release of OfficeSafe by PCIHIPAA, a technology focused on providing HIPAA compliance and data security solutions to small and mid-sized medical and dental practices. Learn more at officesafe.com and pcihipaa.com.