In 2010, the federal government published a guide, titled Basic Security for the Small Healthcare Practice, complete with best practices and checklists to help small providers achieve and maintain HIPAA compliance.1
This year, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR)—following a critical report of its HIPAA compliance audit and enforcement practices—is focusing on audits of covered entities (including physicians) of all sizes and their business associates.2
Legal Advice
Rachel Yaffe, a healthcare attorney with McDonald Hopkins LLC, suggests physicians utilize the checklists in the guide to “do an internal check-up, to see whether you’re hitting these big-ticket items and following policies and procedures.”
Consulting a healthcare attorney with HIPAA compliance expertise is one way for physicians to ensure they are ready to undergo an audit, which can carry penalties if the OCR finds violations of the HIPAA Privacy, Security and Breach Notification Rules.
Ms. Yaffe also indicated physicians must have written HIPAA policies and protocols in place and train their employees and staff. They must also have a designated privacy officer. A risk analysis of the practice could help in the event of an audit.
“If you are investigated and you can show you’ve taken internal proactive measures to comply with HIPAA, that will be positively received by the OCR,” Ms. Yaffe says.
Ms. Yaffe adds that the OCR’s expectations are tailored to the nature and size of the particular practice being audited. “The OCR recognizes that the policies, procedures and technologies implemented by a small physician practice are going to be different than those implemented by a large health system.”
One Rheumatologist’s Point of View
Richard Brasington, MD, FACP, professor of medicine and rheumatology fellowship program director at Washington University in St. Louis School of Medicine, has seen his hospital take a number of steps to ensure compliance, which include implementing a HIPAA-secure email system and establishing a patient portal for patient–provider communications.
“I do think it’s good for us to be attentive and always be thinking about how we are protecting patient privacy and confidentiality,” he says of the OCR audits. “But I don’t think anyone finds they never make violations.”
However, he believes most health professionals already strive to protect patient health information. “We can’t be looking over our shoulder constantly,” he says. “We should be using common sense when protecting patient information.”
The Trouble with Texting
Texting, Ms. Yaffe says, is one way physicians leave themselves vulnerable; for example, “the on-call physician texting the treating physician Patient X’s protected health information, albeit in an effort to better Patient X’s care,” she says. “Many are communicating using personal cell phones, which are likely not secure.”
