Planet HIPAA had this great article that shared 5 tips to ensure an effective HIPAA program. The reality is that HIPAA is a pretty flexible program that in many cases is open to some interpretation by the medical practice. There are exceptions, but HIPAA is generally about reducing risk as opposed to strict compliance. That’s reflected in this list of 5 tips from Planet HIPAA:
1. Conduct a Risk Assessment/Analysis
2. Create, Review and/or Update all HIPAA policies and procedures
3. Provide Workforce HIPAA Education
4. Conduct regular HIPAA Audits
5. Use Security Technologies
Most of the items on the list aren’t rocket science. However, my guess is that most medical practices will go through this list and realize that they have work to do. Whether it’s not doing a HIPAA risk assessment regularly (yes, sadly this still happens), or whether it’s not documenting or training, most practices will have something they could improve when it comes to HIPAA compliance. How’s your practice doing? My guess is you know where you’re lacking.
My favorite tip on this list was to use security technologies. HIPAA has some really good elements that help a practice protect PHI, but HIPAA does not equal secure. There is plenty more that a medical practice needs to do to ensure that their practice is secure and protected against the malware, ransomware, viruses, and other online threats that exist and are bombarding their IT infrastructure from every angle. HIPAA is required by law, but security beyond HIPAA is required to avoid a cybersecurity disaster in your organization.
The sad reality for many small practices is that they aren’t keeping up with the HIPAA requirements. This was illustrated by this story from Dr. Jayne:
One of my friends admitted that she had her work laptop stolen and didn’t report it to anyone despite it containing protected health information. That sort of thing is one of the perks (or hazards, depending on how you look at it) of owning your own practice and not fully understanding the huge number of laws that impact our practices. At least she realized after attending the conference that she should have taken additional action.
Dr. Jayne described most small medical practices’ feelings perfectly when she said the “perks (or hazards, depending on how you look at it)” of owning your own practice. Ignorance is bliss until you’re stuck on the front page of the paper or in some lawsuit. I’ll never forget the doctor who told me “They won’t throw us all in jail.” Maybe not, but they won’t be afraid to send you all fines.
An ounce of prevention is worth a pound of cure. This seems quite appropriate when it comes to HIPAA and security in a medical practice.