As exhibited in the news items below, small practices are not immune to HIPAA scrutiny by the federal government’s Department of Health and Human Services (DHHS)—as investigated by their enforcement agency, the Office of Civil Rights (OCR). Potential violations may be reported to these agencies through complaints by individual patients or through OCR-initiated audits. 


April 2, 2019: “Michigan Practice Forced to Close Following Ransomware Attack”

According to this article, when ransomware encrypted the computer system at Brookside ENT and Hearing Center, patient records, appointment schedules, and payment information became inaccessible.

The attackers claimed they would provide a key to unlock the data if the practice paid $6,500. The owners of the practice decided not to pay the ransom, because “there was no guarantee that a valid key would be supplied after paying.” Instead, “the attackers could simply demand another payment.” 

When “no payment was made, the attackers deleted all files on the system ensuring that no information could be recovered.” Apparently, the partners of the Michigan practice “decided to take early retirement rather than rebuild their practice from scratch.”

December 23, 2018: “Pagosa Springs Medical Center Pays $111,400 for HIPAA Violations”

According to this press release, the Pagosa Springs Medical Center (PSMC) “settlement resolves a complaint alleging that a former PSMC employee continued to have remote access to PSMC’s web-based scheduling calendar, which contained patients’ electronic protected health information (ePHI), after separation of employment.” PSMC is a 25-bed critical access hospital in Colorado that, “at the time of OCR’s investigation, provided more than 17,000 hospital and clinic visits annually and employed more than 175 individuals.”

April 18, 2012: Arizona Practice Gets $100k HIPAA Fine

According to this post, a three-year federal investigation of a small Arizona physician group began “following a report that the practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.” The OCR investigation further determined that Phoenix Cardiac Surgery P.C., with offices in Phoenix and Prescott, “had implemented few policies and procedures to comply with the HIPAA privacy and security rules and had limited safeguards in place to protect patients' information.”

DHHS provides guidance for healthcare organizations to mitigate risk.

On December 30, 2018, the Department of Health and Human Services (DHHS) issued guidance on cybersecurity for healthcare organizations, including this report titled, “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.” The report is the work product of a task force composed of healthcare and cybersecurity experts who: 

  • evaluated current threats against healthcare and public health organizations;
  • identified common weaknesses within health care; and 
  • suggested mitigation efforts. 

There are four sections to the report—one of which includes guidance for small healthcare organizations and practices on what to ask their IT security vendors. Resources and templates provide additional reference material for healthcare organizations. 

Five Threats

Five threats were identified as highly disruptive to small organizations:

  1. Email phishing attacks, 
  2. Ransomware attacks, 
  3. Loss or theft of equipment or data, 
  4. Accidental or intentional data loss, and 
  5. Attacks against connected medical devices that may affect patient safety. 

Seven Policy Recommendations

DHHS specifically recommends that small practices implement the following policies to protect themselves:

  1. Roles and Responsibilities (of the privacy and security officer[s])
  2. Education and Awareness (security awareness and privacy training)
  3. Acceptable Use/Email Use (permissible actions and activities)
  4. Data Classification (data and critical applications analyses)
  5. Personal Devices (mobile device use and management)
  6. Laptop, Portable Device, and Remote Use (workstation use and security practices)
  7. Incident Reporting and Checklist (suspicious activity monitoring)

For more information on the specifics of each policy, check out the document in full. Then, consider implementing a tool such as SunHawk Consulting’s easy-to-use HIPAA Check™, which can help you identify potential data breach vulnerabilities in your practice. SunHawk Consulting offers WebPT Members a customized tool that guides them through the risk assessment process and includes seven policies and procedures that encompass the topics identified by the healthcare and cybersecurity task force when studying small organizations.

Jan Elezian, MS, RHIA, CHC, CHPS, is a director at SunHawk Consulting.
