When I first read the regulations known as “HIPAA,” I worried about the stiff penalties that could be leveled against health care providers. Apparently, I wasn’t the only one who thought the penalties were draconian.

To calm all of us “worriers” down, the government issued publications assuring us that the HIPAA police were there to help us come into compliance and not to penalize us. Now, it is clear that things have changed.
A few years ago, two doctors opened a cardiac surgery clinic. It was a small operation. It got a lot smaller this year after the clinic had to pay a $100,000 HIPAA fine. I’m sure the doctors also paid out many thousands of dollars to the lawyers who represented them during the HIPAA investigation – not to mention the cost of the time taken from their practice as they responded to the government investigation. Reading the “Resolution Agreement” between the government and the doctors, I could see how easily any small practice could fall victim to a similar fate. This is how it began.
In an effort to provide better patient care and more efficient services, the practice contracted with an Internet scheduling company so that patients could check the office surgery schedule on-line. I’m sure that the doctors assumed that the service provider was aware of HIPAA and had taken necessary steps to provide security for the patient information posted on the surgery schedule. Unfortunately, the clueless company made the on-line scheduling information available to the public.
Even worse, the doctors didn’t think about requiring the Internet company to sign a Business Associate Agreement. HIPAA requires covered health care providers to have these agreements with people working for them who have access to patient information. The contracts require those persons to treat the information confidentially.
Eventually, a patient learned that the “confidential” scheduling information was available to the general public, and the HIPAA police rode in like the US Cavalry in some corny western. Like the Cavalry, they destroyed the enemy. Not a shot was fired, but the big guns of the U.S. government took their toll.
Ask yourself the following questions to see if you are also at risk for a HIPAA attack:
- Do I have a signed business associate agreement with every person or business who has access to patient information in my possession? For example, has my lawyer signed a business associate agreement? My accountant? My IT company?
- Have I provided HIPAA training to each of my employees who has access to patient information? Do I have documentation of that training?
- Have I identified a “Security Official” and a “Privacy Officer” at my office? Is that in writing?
- Do I have a written “Risk Assessment Process?” Have I conducted a “risk assessment” to identify potential problems with maintaining privacy of patient information? Is that assessment in writing? Is it regularly updated in writing? Does it contain an inventory of every system in the office that stores patient information? Does it identify risks relating to each system?
- Do I ever email patient charts? If so, are those emails encrypted?
The HIPAA police also discovered that the clinic sometimes emailed confidential patient information to its doctors’ private email accounts. This might happen if a physician got a call about a patient in the middle of the night. The doctor might need to see the patient chart to respond to an emergency. He could access it on his home computer. The clinic had not given any thought to ensuring the security of those home computers.
It is very important to be especially careful about patient information that your employees access away from the office. Are your employees sending emails and texts to patients? Is the content of the email or text put into the patient’s file? By whom? How quickly? Are you sure that the cell phones your employees use to send those emails or texts are password protected? Are your employees able to access patient information on their home computers? What do you know about the security of those computers?
In my humble opinion, technology has rendered privacy illusory. My mother’s advice remains the best I’ve heard concerning privacy. She used to say, “Don’t ever do or say anything you would regret reading about on the front page of the News and Disturber!”