Revisit security rule compliance in your small practice

HIPAA Training Advisor, June 29, 2006

Although the security rule compliance date passed more than a year ago, your small practice isn't, and never will be, finished with its security obligations. Compliance is an ongoing process, and section 164.308(a)(8) of the rule requires you to carry it out through periodic security evaluations.

"Your practice is dynamic and your security needs to keep pace with it," noted Roger Wernow, president of Indialantic, FL-based RMW Associates, during the recent CMS audioconference, "Security Management for Small Practices: One Year Later."

Penalties for noncompliance aren't the only threat to small practices. If your practice suffers a security breach, the cost of lost patients and bad publicity in the community could put it out of business. Failing to address certain sections of the security rule (e.g., contingency planning) can also jeopardize your business in the event of a disaster.

Avoid this by taking the following steps:

  1. Respond to changes
    Prevent these outcomes by dusting off the risk assessment that you initially performed in response to the HIPAA security rule. "You set up the basics a year ago, now it's time to manage the changes," Wernow said.

    These changes may include:

    • a new facility
    • a new electronic medical record (EMR) system
    • an updated practice-management system
    • new staff
    • hardware upgrades

    In particular, a recent EMR upgrade should raise a red flag because it means that you will store more data electronically (e.g., lab results, billing information, patient/provider e-mails) than you did with a simpler practice-management system. Consider security solutions such as encryption, and develop a contingency plan that addresses the switch from paper to bits and bytes.

    Also review the types of incidents that have occurred at your practice already, and be skeptical of what might initially appear to be an overly rosy security picture. "If you don't have a list of security incidents after a year, you're probably not taking good notes," Wernow said. Then decide whether your response to these incidents was adequate.

  2. Embrace security advancements
    A reevaluation may not only reveal security lapses such as these; it can also point you to new opportunities, because security enhancements that were previously too costly might now be affordable.

    For example, hardware firewalls are significantly less expensive than they were several years ago. Biometric access mechanisms, virtual private networks, and Internet-based backups might also now be feasible for your practice.

    Examine these changes, and any transitions or upgrades that you made during the past year, for security snags. Even simple system version updates or bug fixes can mean additional data content, log-in changes, or different data backup needs. And don't rely on vendors to understand these complexities. "Who owns your practice? Not your vendor, consultant, or IT [information technology] guy," Wernow said. As helpful as these people are, they can't see the big security picture at your practice, he explained.

  3. Avoid four common mistakes
    A security evaluation can also show you some of the mistakes that you and others at your practice have made, Wernow said. These include the following:

    • Common mistake #1: Lax access controls. Establishing role-based access in a small office may seem excessive. However, think not only of access within your office, but also of the access that outside associates (e.g., an accounts receivable collection agency) have. For example, a collector with an administrative account could easily access patients' protected health information (PHI) without your knowledge.
    • Common mistake #2: Inadequate termination procedures. Immediately terminating the access of those who no longer work at your practice is an important security measure. Leaving a former employee's user account active, or continuing to use the same generic usernames and passwords as you did when the person worked there, creates an instant security risk.
    • Common mistake #3: Overconfidence in backup copies. "Most of you don't miss doing your backup, but how many of you try to restore [your systems] from a backup?" Wernow asked. In the case of a system failure or natural disaster, trusting backup tapes that you haven't tested is risky. Perform periodic full-system restore tests to ensure business continuity.
    • Common mistake #4: Lack of restrictions on personal Internet use. Bar employees from visiting public Web-based e-mail sites and stress that online shopping is unacceptable, Wernow recommended. These behaviors can expose your practice to hackers, viruses, and malware that pose significant security risks. Insufficient restrictions could also allow employees to send unauthorized e-mail containing PHI. Instead, consider setting up old personal computers on a separate network in a public area (e.g., a break room) for staff to conduct personal business on their break time. The security benefits are impressive, and the cost of an extra router is minimal.

Editor's note: Adapted from "Revisit security rule compliance in your small practice," Briefings on HIPAA, June 2006.