consistently or blatantly do not follow privacy/security rules (i.e., sanction training).
4 Collaborate and Communicate with All Staff
The issue of maintaining data security does not fall on one person or department. Rather, it is a collaborative effort by every person in the practice. Every person should know who the security and/or privacy officer is. And, yes, you must have a privacy officer and a security officer, as a health department in the State of Washington learned. Lack of monitors and failure to notify 1,600 patients that their breached data was posted on a public website led to a

Make it easy to contact the privacy/security officer, perhaps with an email address on an intranet site. And adopt a non-retaliation policy so there are no repercussions for reporting lapses in security.
5 Perform Internal Audits and Third-Party Reviews
In addition to privacy/security measures, your practice also has a business continuity plan, doesn’t it? Business continuity and disaster recovery are topics for another article, but like business continuity/disaster recovery (BC/DR) plans, your privacy and security measures should be monitored on at least an annual basis. You can outsource the entire audit or perform some of the tasks in-house.

At least, perform proactive reviews on policies and procedures related to security and privacy, both the physical security of devices as well as the data they contain. Don’t overlook low-tech devices such as fax and copy machines as well as hardcopy patient records you may still keep.

If your practice has experienced compliance issues, look closely to discover the root causes of each. What could you have done differently to prevent it? Then, update your privacy/security plan with what you learned.
6 Measure Your Effectiveness

Just as you track patients with chronic conditions, track your practice’s compliance with the regulations. Physicians and other stakeholders should understand the importance of maintaining data security to the future health of the practice. If your practice doesn’t yet have a mature privacy and security infrastructure, create an action plan with goals and timelines for compliance. Investigate unmet goals to determine why and how to improve in the future.

OCR has stepped up its enforcement actions in the past few years, and HIPAA settlements hit record levels in 2016. In that year alone, the agency settled with 12 agencies and won a civil monetary penalty against another for a total of 13 actions and nearly $23 million in payments.

In many cases, OCR prefers to settle without financial penalty. However, according to a January 2017 article in the HIPAA Journal, penalties “are reserved for the most severe violations of HIPAA rules, when widespread noncompliance is discovered, or in cases where healthcare organizations have blatantly disregarded HIPAA rules.”

While often overlooked, safeguarding data that flow into and out of your practice daily is a critical consideration. It’s as important as ensuring that patients are seen in a timely fashion and that insurance claims are filed frequently to maintain cash flow. The future of your practice could hinge on the quality of your security and privacy plans and how you react to a breach or
Scott Schimpf is vice president of technology for Alpha II, where he re-architected the data center and managed the development of fully Active/Active production environments located in Tallahassee, Florida, and Denver, Colorado. Mary Cremeans is lead project manager and compliance officer for Alpha II.