HIPAA Q&A: You’ve got questions. We’ve got answers!
HIM-HIPAA Insider, November 16, 2015
Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!
Submit your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com and we will work with our experts to provide you with the information you need.
Q: I work for a small medical imaging company. We work hard to ensure we comply with HIPAA. From what I have read, we should “make every reasonable attempt at protecting ePHI,” according to HIPAA. It seems as if that statement leaves room for various interpretations from person to person and site to site. However, nearly every day I read about major medical centers being fined because of breaches caused by hackers.
In my opinion, there is no defense from any hacker who is motivated to break into your site, no matter what security you have in place. I’m sure these major medical centers had security in place as well, yet the fines persist. So obviously I am concerned about whether I am doing enough to protect the ePHI at this medical imaging center.
What is the definition of a “reasonable attempt”? Is it left to the auditor’s interpretation?
I have a mock audit coming up, and I’m sure any obvious deficiencies will be pointed out. I assume these major medical centers had their mock audits as well. It concerns me. A fine levied against most of the small imaging centers in America could be devastating. What can I do to prepare for this audit?
A: There is no concrete definition of “reasonable.”
The HIPAA Security Rule was written to be flexible and to address security requirements for entities as small as a single-provider practice and as large as a multistate health plan. What is considered reasonable for a small imaging center, though, is likely not the same as what is reasonable for a large medical center.
The bottom line is that you need to evaluate what your risks are and implement reasonable security practices. For example, it would be considered sound security practice to encrypt email containing PHI and mobile devices that use and disclose PHI. On the other hand, it would not be reasonable for a small imaging center to implement a costly audit tool. It is still important to review audit logs, but a solution that is considered a reasonable security safeguard for a large medical center would not be for a small imaging center.
If you conduct a thorough risk analysis, address all the requirements of the Security Rule, and document your efforts, it is unlikely that you will be fined for your practices by OCR. It is true that if someone really wants to steal PHI and has the resources to accomplish the task, there is a good possibility it will be stolen. There is no such thing as risk-free security. You just need to implement a sound, documented security program.
Entities that have been fined often wonder if they should have done more. If an investigation occurs and OCR finds an entity has not implemented sound security practices such as performing a risk analysis or encrypting laptops, there’s a high likelihood of a fine being levied. On the other hand, if you can demonstrate you made reasonable efforts to secure PHI, you will likely not run afoul of OCR.
As far as audits go, it is a good idea to remember that the final audit protocol for the next round of audits has not been published. If you are participating in a mock audit, make sure that it’s not solely based on the audit criteria from the OCR pilot HIPAA audits. It should be more of a compliance audit and should cover more than just security. You also need to assess whether you are compliant with the HIPAA Privacy Rule.
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Ore., answered this question for HCPro’s Briefings on HIPAA newsletter. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.