Like herding cats, adhering to HIPAA and preventing privacy breaches is a full-time effort
requiring concentration and diligence. Over 90 percent of breaches are caused by human error. The
remainder are more nefarious, potentially involving medical identity theft, medical fraud or
Historically, HIPAA has been based on "voluntary" compliance. This era is ending as HHS and OCR have stepped up their enforcement. The costs and other downsides of breaches are more onerous (see Massachusetts eHealth Collaborative President and CEO Micky Tripathi's compelling "First-Hand Experience with a Patient Data Security Breach" at HISTalkPractice.com), and HIPAA security audits will soon begin. In other words, HIPAA now has teeth: a bite to back up its bark.
It has gotten to the point that the costs of prevention are far less than the costs of a breach, especially a massive one. And healthcare executives are paying attention. More organizations now have security officers and a security budget. Allocating already-scarce financial resources and human capital to the breach problem shows a change in thinking in the industry.
Steps to Take Now
However, like most things in healthcare, the change is fairly glacial and will take time to spread. Until privacy and security become second nature to healthcare executives and providers, a few important and practical steps should be taken.
The human error aspect of breaches is solvable only through education and then more education. The time of cursory HIPAA training, and policy and procedure manuals sitting on a shelf collecting dust is over. Continuing education, access to legal counsel, encryption and risk assessments are practical steps that every healthcare provider should be taking ... now!
Training is a living process that requires updates and constant attention. It should involve a curriculum of courses building on each other, providing continual reinforcement of the HIPAA principles and workflow requirements needed to minimize risk. Retaining legal counsel and purchasing cyber liability insurance are becoming commonplace.
Encryption is best practice and is likely to become mandated in the near future. If encrypted data is lost, it is not considered a breach and is not reportable to the government or media. But beware: deliberate breaches may be inside jobs in which the decryption keys themselves are compromised, leaving the information accessible. Technologies are emerging that can help even with this issue, by wiping the information from a laptop that is believed to be at risk.
Perhaps the most important practice a provider can undertake is regular risk assessments, as mandated by HIPAA. Not only must regular risk assessments be done, but recommendations stemming from the assessment must be followed up on. Risk assessments are best if they combine internal assessments with external assessments. External auditors bring a wider knowledge base and are likely to see things that providers may inadvertently overlook.
Unfortunately, breaches are inevitable. There is simply too much patient information moving about to eliminate all the risk. Not only must providers have a strong commitment to prevention, but they must also establish a detailed program that determines who does what and when after the inevitable breach occurs.
Rita Bowen, MA RHIA, CHPS, SSGB, is Senior Vice President and Privacy Officer at HealthPort, a provider of release of information services and technology, audit management technology and health information technology.