Written by David Mercy
Director of Business Development for IT Support LA
“First do no harm” is a concise summary of intent, although not the actual wording present in e Hippocratic Oath. Doctors in any medical field have TWO responsibilities in this respect to their patients. First: e physical well-being of the patient. Second: e well-being of their information.
Physicians are often more concerned with the treatment of their patients, and rightly so, however, HIPAA regulations and fines should also be taken quite seriously. Violations often happen inadvertently, but they can still place a great burden your practice. A patient will seek a second opinion immediately if their faith in their physician’s medical abilities becomes suspect, but what about the theft of their personal information? Breach of that trust can also lose a patient and incur negative ‘word of mouth’ affecting your practice and your standing in the community.
Since the passage of the HITECH Act in 2009, the network of government offices concerned with Health Information Technology has been given the authority to establish programs presiding over a number of areas to improve health care, and the main enforcement arm of this body is HIPAA, which is expanded and given more teeth with which to punish violators every year since. In July of 2016, e Health and Human Services’ Office for Civil Rights (OCR) greatly stepped up its auditing program. As Government agencies do, once they start levying fines and generating payments, they smell money. Just make sure that lovely green fragrance isn’t coming out of your medical offices.
Watch out for this side note: If you are sent an email by the OCR concerning an audit: It should come from ‘OSOCRAudit@hhs.gov’. Check the address carefully – if it has an extra dash and ‘us’ at the end, as in ‘OSOCRAudit@hhs-gov.us’, it is a Phishing scam encouraging you to click a malicious link (do not click).
“I’VE GOT INSURANCE” … BUT: ARE YOU COVERED FOR HIPAA FINES?
Maybe, maybe not: Read the wording on your Cyber Liability or Data Breach Insurance policy carefully. You may be covered for some HIPAA fines, but not all, and although you may have $1,000,000 in coverage, there is often a ‘sublimit’, like a deductible, which could be $200,000, which monies you may still be responsible for. With many HIPAA fines being in the neighborhood of $50,000, that’s a hit directly on your own pocketbook.
CIVIL MONETARY PENALTIES:
Covered entity or individual did not know (and by exercising reasonable diligence would not have known) the act was a HIPAA violation.
$100 – $50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year.
HIPAA violation had a reasonable cause and was not due to willful neglect.
$1,000 – $50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year.
HIPAA violation was due to willful neglect but the violation was corrected within the required time period.
$10,000 – $50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year.
HIPAA violation was due to willful neglect but was not corrected.
$50,000 or more for each violation, up to a Maximum of $1.5 million for identical provisions during a calendar year.
Note that fines have gone well above these limits: Advocate Health System: $5.55 million. CIGNET: $4.3 million. N.Y. Presbyterian Hospital/Columbia University: $4.8 million (N.Y. Presbyterian hit again for $2.2 million 6 years later). Triple-S $3.5 Million. University of Mississippi Medical Center: $2.75 million. Oregon Health & Science University: $2.7 million. Plenty of others have paid the $1.5 million and above.
There have been prison sentences and terminations to consider: 6 doctors and 13 employees of UCLA Medical Center were fired for merely looking at Britney Spears medical records when they had no legitimate reason to do so. Better to look at her album covers and not kill your career.
DATA PROTECTION: THE FIVE MOST CRITICAL DO’s and DON’Ts
DO encrypt ALL patient information. Data should automatically encrypt when it’s backed up to the cloud, but you need to ensure that all data on your office network is encrypted as well. Faithfully encrypting your data makes some of the following irrelevant.
DON’T leave unencrypted data on mobile devices (laptops, iPads, iPhones etc.) Just ONE example: e theft of one of these devices with unencrypted ePHI incurred a $50,000 fine for a Hospice in Idaho. If found to have poor risk analysis and office policies, like a Massachusetts Eye and Ear Infirmary, fines could reach $1,500,000.
DO take care with passwords: Make them hard to guess (1234 or 4321 just doesn’t cut it) – make it easy for YOU to remember: ‘My anniversary is May 23’ becomes Mai523 – it’s harder to crack, plus you’ll never forget your anniversary. Don’t write them down, share them or use the same password for everything, because when cyber thugs crack it, they have the keys to your kingdom and the looting begins.
DO take notice of ANY email anomalies: If something is off, different than the norm, a red flag needs to go up – a different format for a vendor; if there’s a link or attachment where usually there isn’t one, for example in a PDF file; any message from within your company that is unusual – someone may have spoofed (copied) the email address. THINK TWICE before clicking any links or attachments!
DO keep all patient data safe, whether on paper or on the network. Nothing left in an unattended area, on a copy machine, fax and particularly at the reception area. You need to protect patient information in every format, no matter where it is.
For a complete list, please visit www.itsupportla.com/- cyber-security-dos-and-donts/ In all honesty, many medical professionals don’t seem that concerned about HIPAA, but you should be. Once you’ve been stung by a massive fine, you are on the OCR’s radar, which is not a good place to be. Aside from chipping away at the profitability of your practice, neglect of any kind will negatively impact your reputation. It takes no more to be HIPAA compliant than it does to ensure that your network, in general, is secured against attack. Don’t wait for theft or a Ransomware lockdown of your data to cause you to act. An ounce of prevention is, after all, worth a pound of cure.
This article was written by David Mercy the Director of Business Development for IT Support LA If you would like to contact David you can give him a call at 818-797-5302.