As exhibited in the news items below, small practices are not immune to HIPAA scrutiny by the federal government’s Department of Health and Human Services (DHHS)—as investigated by their enforcement agency, the Office of Civil Rights (OCR). Potential violations may be reported to these agencies through complaints by individual patients or through OCR-initiated audits. 


April 2, 2019: “Michigan Practice Forced to Close Following Ransomware Attack”

According to this article, when ransomware encrypted the computer system at Brookside ENT and Hearing Center, patient records, appointment schedules, and payment information became inaccessible. 

The attackers claimed they would provide a key to unlock the data if the practice paid $6,500. The owners of the practice decided not to pay the ransom, because “there was no guarantee that a valid key would be supplied after paying.” Instead, “the attackers could simply demand another payment.” 

When “no payment was made, the attackers deleted all files on the system ensuring that no information could be recovered.” Apparently, the partners of the Michigan practice “decided to take early retirement rather than rebuild their practice from scratch.”

December 23, 2018: “Pagosa Springs Medical Center Pays $111,400 for HIPAA Violations”

According to this press release, the Pagosa Springs Medical Center (PSMC) “settlement resolves a complaint alleging that a former PSMC employee continued to have remote access to PSMC’s web-based scheduling calendar, which contained patients’ electronic protected health information (ePHI), after separation of employment.” PSMC is a 25-bed critical access hospital in Colorado that, “at the time of OCR’s investigation, provided more than 17,000 hospital and clinic visits annually and employed more than 175 individuals.”

April 18, 2012: “Arizona Practice Gets $100k HIPAA Fine”

According to this post, a three-year federal investigation of a small Arizona physician group began “following a report that the practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.” The OCR investigation further determined that Phoenix Cardiac Surgery P.C., with offices in Phoenix and Prescott, “had implemented few policies and procedures to comply with the HIPAA privacy and security rules and had limited safeguards in place to protect patients' information.”

DHHS provides guidance for healthcare organizations to mitigate risk.

On December 30, 2018, the Department of Health and Human Services (DHHS) issued guidance on cybersecurity for healthcare organizations, including a report titled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.” The report is the work product of a task force composed of healthcare and cybersecurity experts who: 

  • evaluated current threats against healthcare and public health organizations;
  • identified common weaknesses within health care; and 
  • suggested mitigation efforts. 

There are four sections to the report—one of which includes guidance for small healthcare organizations and practices on what to ask their IT security vendors. Resources and templates provide additional reference material for healthcare organizations. 

Five Threats

The report identifies five threats as especially disruptive to small organizations:

  1. Email phishing attacks, 
  2. Ransomware attacks, 
  3. Loss or theft of equipment or data, 
  4. Accidental or intentional data loss, and 
  5. Attacks against connected medical devices that may affect patient safety. 

Seven Policy Recommendations

DHHS specifically recommends that small practices implement the following policies to protect themselves:

  1. Roles and Responsibilities (of the privacy and security officer[s])
  2. Education and Awareness (security awareness and privacy training)
  3. Acceptable Use/Email Use (permissible actions and activities)
  4. Data Classification (data and critical applications analyses)
  5. Personal Devices (mobile device use and management)
  6. Laptop, Portable Device, and Remote Use (workstation use and security practices)
  7. Incident Reporting and Checklist (suspicious activity monitoring)

For more information on the specifics of each policy, check out the document in full. Then, consider implementing a tool such as SunHawk Consulting’s easy-to-use HIPAA Check™, which can help you identify potential data breach vulnerabilities in your practice. SunHawk Consulting offers WebPT Members a customized tool that guides them through the risk assessment process and includes seven policies and procedures covering the topics identified by the healthcare and cybersecurity task force in its study of small organizations.

Jan Elezian, MS, RHIA, CHC, CHPS, is a director at SunHawk Consulting.
