As the news items below show, small practices are not immune to HIPAA scrutiny by the federal government’s Department of Health and Human Services (DHHS), whose enforcement arm is the Office for Civil Rights (OCR). Potential violations come to OCR’s attention through complaints filed by individual patients (or by other parties, such as former employees), through breach reports the practice itself is required to file, and through OCR-initiated compliance audits.
April 2, 2019: “Michigan Practice Forced to Close Following Ransomware Attack”
According to this article, when ransomware encrypted the computer system at Brookside ENT and Hearing Center, patient records, appointment schedules, and payment information data became inaccessible.
The attackers claimed they would provide a key to unlock the data if the practice paid $6,500. The owners of the practice decided not to pay the ransom, because “there was no guarantee that a valid key would be supplied after paying.” Instead, “the attackers could simply demand another payment.”
When “no payment was made, the attackers deleted all files on the system ensuring that no information could be recovered.” Apparently, the partners of the Michigan practice “decided to take early retirement rather than rebuild their practice from scratch.”
December 23, 2018: “Pagosa Springs Medical Center Pays $111,400 for HIPAA Violations”
According to this press release, the Pagosa Springs Medical Center (PSMC) “settlement resolves a complaint alleging that a former PSMC employee continued to have remote access to PSMC’s web-based scheduling calendar, which contained patients’ electronic protected health information (ePHI), after separation of employment.” PSMC is a 25-bed critical access hospital in Colorado that, “at the time of OCR’s investigation, provided more than 17,000 hospital and clinic visits annually and employed more than 175 individuals.”
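The PSMC complaint turned on one control: an account that should have been disabled on the day the employee left was still usable months later. The control that catches this is a periodic reconciliation of every application’s user list against the HR roster, flagging accounts that are still enabled after the owner’s separation date, accounts that signed in after that date, and accounts with no HR owner at all. The script below is an added example written for this article; it is not code from SunHawk Consulting, WebPT, PSMC or OCR. The two CSV exports it reads are constructed, and the column names (employee_id, separation_date, enabled, last_login) are assumptions about what an HR export and a scheduling application’s user export would contain.

```python
"""Reconcile an application's user list against the HR roster to find
accounts that outlived their owner's employment.

Added example for this article, not the practice's or any vendor's code.
Both data sets below are constructed; the column names are assumptions
about what an HR export and an application user export would contain.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed HR export: separation_date is empty for current employees.
HR_ROSTER_CSV = """employee_id,name,separation_date
1001,Alice Example,
1002,Bob Example,2018-03-15
1003,Carol Example,2018-06-30
1004,Dan Example,
"""

# Constructed export from the scheduling application: who holds an
# account, whether it is enabled, and when it last signed in.
APP_USERS_CSV = """username,employee_id,enabled,last_login
alice,1001,true,2018-09-01
bob,1002,true,2018-08-20
carol,1003,false,2018-06-29
dan,1004,true,2018-09-02
vendor-svc,,true,2018-09-01
"""


@dataclass(frozen=True)
class Finding:
    username: str
    employee_id: str
    issue: str


def _parse_date(value: str) -> date | None:
    return date.fromisoformat(value) if value else None


def load_roster(csv_text: str) -> dict[str, date | None]:
    """Map employee_id -> separation date (None while still employed)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["employee_id"]: _parse_date(row["separation_date"]) for row in reader}


def reconcile(roster_csv: str, users_csv: str, as_of: date) -> list[Finding]:
    """Return one Finding per policy violation in the application's user list."""
    roster = load_roster(roster_csv)
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(users_csv)):
        emp = row["employee_id"]
        enabled = row["enabled"].strip().lower() == "true"
        last_login = _parse_date(row["last_login"])

        if emp not in roster:
            # Shared, vendor or orphaned accounts have no one whose departure
            # would trigger removal; each needs a named owner on record.
            findings.append(Finding(row["username"], emp, "no matching HR record"))
            continue

        separated = roster[emp]
        if separated is None or separated > as_of:
            continue  # current employee, nothing to flag

        if enabled:
            findings.append(Finding(row["username"], emp,
                                    f"still enabled after separation on {separated}"))
        if last_login is not None and last_login > separated:
            # The PSMC pattern: the account was not just left open, it was used.
            findings.append(Finding(row["username"], emp,
                                    f"signed in on {last_login}, after separation on {separated}"))
    return findings


def example_findings() -> list[Finding]:
    """Run the reconciliation over the constructed data as of 2018-09-30."""
    return reconcile(HR_ROSTER_CSV, APP_USERS_CSV, date(2018, 9, 30))


if __name__ == "__main__":
    for f in example_findings():
        print(f"{f.username:12} emp={f.employee_id or '-':5} {f.issue}")
```

On the constructed data this reports three findings: bob’s account is both still enabled and was used five months after his separation, and vendor-svc has no HR owner. Carol’s account is clean because it was disabled on her last day and never used afterwards. Run this against every system that holds ePHI, not just the directory, because web-based tools such as the scheduling calendar in the PSMC case often hold their own user lists that no domain deprovisioning step ever touches.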
April 18, 2012: “Arizona Practice Gets $100k HIPAA Fine”
According to this post, a three-year federal investigation of a small Arizona physician group began “following a report that the practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.” The OCR investigation further determined that Phoenix Cardiac Surgery P.C., with offices in Phoenix and Prescott, “had implemented few policies and procedures to comply with the HIPAA privacy and security rules and had limited safeguards in place to protect patients' information.”
DHHS provides guidance for healthcare organizations to mitigate risk.
On December 30, 2018, the Department of Health and Human Services (DHHS) issued guidance on cybersecurity for healthcare organizations, including this report titled, “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.” The report is the work product of a task force composed of healthcare and cybersecurity experts who:
- evaluated current threats against healthcare and public health organizations;
- identified common weaknesses within health care; and
- suggested mitigation efforts.
There are four sections to the report—one of which includes guidance for small healthcare organizations and practices on what to ask their IT security vendors. Resources and templates provide additional reference material for healthcare organizations.
Five threats were identified to be very disruptive to small organizations:
- Email phishing attacks,
- Ransomware attacks,
- Loss or theft of equipment or data,
- Accidental or intentional data loss, and
- Attacks against connected medical devices that may affect patient safety.
Seven Policy Recommendations
DHHS specifically recommends that small practices implement the following policies to protect themselves:
- Roles and Responsibilities (of the privacy and security officer[s])
- Education and Awareness (security awareness and privacy training)
- Acceptable Use/Email Use (permissible actions and activities)
- Data Classification (data and critical applications analyses)
- Personal Devices (mobile device use and management)
- Laptop, Portable Device, and Remote Use (workstation use and security practices)
- Incident Reporting and Checklist (suspicious activity monitoring)
For more information on the specifics of each policy, read the document in full. Then, consider implementing a tool such as SunHawk Consulting’s easy-to-use HIPAA Check™, which can help you identify potential data breach vulnerabilities in your practice. SunHawk Consulting offers WebPT Members a customized tool that guides them through the risk assessment process and includes seven policies and procedures covering the topics identified by the healthcare and cybersecurity task force in its study of small organizations.
Jan Elezian, MS, RHIA, CHC, CHPS, is a director at SunHawk Consulting.