6 action steps for HIPAA privacy and security compliance MGMA Stat - April 1, 2020 HIPAA HIT Regulations Sign in to save Robert M. Tennant MA The Medical Group Management Association’s most recent MGMA Stat poll asked healthcare leaders: “Are government-created HIPAA breach resources sufficient?” The majority (36%) answered “unsure,” 22% responded “somewhat,” 22% indicated “no,” and 20% said “yes.” The poll was conducted on February 18, 2020, with 604 applicable responses. Physician practices face numerous challenges in complying with HIPAA Privacy and Security regulations. Adding to that challenge are the constantly emerging threats and shifting federal priorities. Below are action steps practice leaders can take to improve privacy and security within their organization. Should your practice experience a data breach, download our new member-exclusive resource: HIPAA Breach Toolkit. This toolkit is designed to help practice leaders better understand federal data breach policies and requirements. Action steps for HIPAA compliance Review your HIPAA Privacy Notice. Required since 2003, virtually every practice offers their patients a Notice of Privacy Policies (NPP). However, in some cases, this NPP is written in “legalese” and is not easily understood by the patient. Read your NPP from the perspective of the patient. Ensure that your NPP: Meets the minimum requirements set out in the Privacy Rule Is written in a way that is easily understood by your patients Clearly outlines patients’ rights to control their information and their right to access their information Discusses how your practice uses patient data (for example, that you participate in an ACO or health information exchange) Is posted in a patient-accessible area such as a waiting room and on your website. Consider having a layperson review your NPP for its readability and designing your revised NPP after the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) excellent model NPP. Evaluate your practice’s patient right of access policies. OCR has announced that it will “vigorously” enforce patient right of access infractions by practices and others; the agency recently issued two $85,000 fines to providers for not giving patients their medical records. As a reminder, patients can ask: To review or amend their record For a paper copy of their record (while fee limits apply) For an electronic copy of their record For their record to be emailed to them For their record to be emailed to a third party (e.g., law firm). Ensure that staff are fully trained on these patient rights and to avoid introducing viruses, use a practice-supplied device such as a flash drive for patients who request their record on electronic media. Note that practices are now permitted to set fees for sending patient records to third parties. Conduct a complete HIPAA Security Risk Assessment. HIPAA Security Risk Assessments have been mandatory since 2005 and are required for the Promoting Interoperability (PI) component of the Merit-based Incentive Payment System (MIPS). Practices must assess security risks and take appropriate steps to mitigate those risks. Practices can perform this assessment by leveraging risk assessment resources or contracting with a qualified consultant to conduct one. The security assessment should review issues related to practice use of the internet; the potential of an external cyberattack; and the organization’s administrative, physical and technical safeguards. Guard against data loss. Administrative and clinical data are the lifeblood of the practice, and loss of this data could be catastrophic to practice operations. Issues to consider include: Safeguarding the physical security of your mobile devices (smart phones, tablets, laptops) Using encryption software on mobile devices that contain patient information Backing up your data (preferably off-site) Conducting tests of your disaster recovery processes. Mitigate the ransomware threat. Ransomware — malicious software designed to block access to a computer system until a sum of money is paid — is a growing threat to practices. To lessen the chance that you will be affected by a ransomware attack: Ensure that your computer operating systems and antivirus software are up to date Instruct staff not to open emails, attachments or links from unfamiliar senders and report suspicious messages to your internal IT team or external IT vendor Conduct periodic staff tests of email opening behavior. Understand what to do if a data breach occurs. Should your pratice experience a data breach - such as a stolen laptop containing patient information, patient portal data accessible to unauthorized individuals or a successful ransomware attack — it is crucial that you know how to evaluate the breach and make the appropriate notifications to the affected individuals, to HHS and potentially to local media outlets. In determining if an unauthorized disclosure is considered a breach that requires notification, the practice should conduct a risk assessment of the breach or determine if the disclosure falls within one of the exceptions. Make privacy and security issues a priority within your practice. Training should be administered to all clinical and administrative staff and good privacy and security habits should be spelled out in your employee policies. Do not forget to include part-time staff or volunteers in this training and consider a regular schedule of reminders and re-training for all staff. Additional resources: MGMA HIPAA Breach Toolkit MGMA and HHS HIPAA Privacy and Security resources Would you like to join our polling panel to voice your opinion on important practice management topics? MGMA Stat is a national poll that addresses practice management issues, the impact of new legislation and related topics. Participation is open to all healthcare leaders. Results of other polls and information on how to participate in MGMA Stat are available at: mgma.com/stat MGMA Consulting can help you optimize organizational performance with HIPAA regulatory compliance. If you have questions for our consultants, send a message to firstname.lastname@example.org.