HIPAA Q&A: You’ve got questions. We’ve got answers!

HIM-HIPAA Insider, November 16, 2015

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Submit your HIPAA questions to Associate Editor Nicole Votta at and we will work with our experts to provide you with the information you need.

Q: I work for a small medical imaging company. We work hard to ensure we comply with HIPAA. From what I have read, we should “make every reasonable attempt at protecting ePHI,” according to HIPAA. It seems as if that statement leaves room for various interpretations from person to person and site to site. However, nearly every day I read about major medical centers being fined because of breaches caused by hackers.

In my opinion, there is no defense from any hacker who is motivated to break into your site, no matter what security you have in place. I’m sure these major medical centers had security in place as well, yet the fines persist. So obviously I am concerned about whether I am doing enough to protect the ePHI at this medical imaging center.

What is the definition of a “reasonable attempt”? Is it left to the auditor’s interpretation?

I have a mock audit coming up, and I’m sure any obvious deficiencies will be pointed out. I assume these major medical centers had their mock audits as well. It concerns me. A fine levied against most of the small imaging centers in America could be devastating. What can I do to prepare for this audit?

A: There is no concrete definition of “reasonable.”

The HIPAA Security Rule was written to be flexible and to address security requirements for entities as small as a single-provider practice and as large as a multistate health plan. What is considered reasonable for a small imaging center, though, is likely not the same as what is reasonable for a large medical center.

The bottom line is that you need to evaluate what your risks are and implement reasonable security practices. For example, it would be considered sound security practice to encrypt email containing PHI and mobile devices that use and disclose PHI. On the other hand, it would not be reasonable for a small imaging center to implement a costly audit tool. It is still important to review audit logs, but a solution that is considered a reasonable security safeguard for a large medical center would not be for a small imaging center.

If you conduct a thorough risk analysis, address all the requirements of the Security Rule, and document your efforts, it is unlikely that you will be fined for your practices by OCR. It is true that if someone really wants to steal PHI and has the resources to accomplish the task, there is a good possibility it will be stolen. There is no such thing as risk-free security. You just need to implement a sound, documented security program.

Entities that have been fined often wonder if they should have done more. If an investigation occurs and OCR finds an entity has not implemented sound security practices such as performing a risk analysis or encrypting laptops, there’s a high likelihood of a fine being levied. On the other hand, if you can demonstrate you made reasonable efforts to secure PHI, you will likely not run afoul of OCR.

As far as audits go, it is a good idea to remember that the final audit protocol for the next round of audits has not been published. If you are participating in a mock audit, make sure that it’s not solely based on the audit criteria from the OCR pilot HIPAA audits. It should be more of a compliance audit and should cover more than just security. You also need to assess whether you are compliant with the HIPAA Privacy Rule.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Ore., answered this question for HCPro’s Briefings on HIPAA newsletter. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
