Focus on HIPAA Compliance as the OCR Targets Smaller Breaches

In the coming months, physician practices may find themselves thrust into the HIPAA spotlight thanks to an Office for Civil Rights’ (OCR) email announcement in August that it would soon target data breaches affecting fewer than 500 individuals.

“We’re doing more investigations of smaller breaches … I think you’re going to see more of that in terms of entities with whom we enter corrective action plans,” reiterated Deven McGraw, Esq., OCR deputy director of health information privacy at the 88^th annual American Health Information Management (AHIMA) conference held October 16-19 in Baltimore, MD. McGraw spoke during a two-day Privacy and Security Institute workshop focusing on new trends in cybersecurity.

Hacking is one of the biggest problems. “Hackers are smart, and they’re getting smarter every day. It’s a struggle to keep up with them,” said McGraw. Other vulnerabilities include failure to manage identified risk, lack of transmission security, and improper disposal of protected health information (PHI) just to name a few.

Malware, phishing, and theft/loss of mobile devices also pose threats, said Mark Dill, CISM, CRISC, principal consultant at tw-Security, who spoke during the AHIMA Privacy and Security Institute.

Unfortunately, physician practices remain particularly vulnerable in this new age of electronic health information. In fact, they’re the covered entity that’s most frequently required to take HIPAA corrective action, according to recent OCR enforcement data.

8 strategies for physician practices
The good news is that practices can take steps proactively to mitigate risk. Dill provided several strategies:

1. Know your vulnerabilities. Perform a risk analysis using the HIPAA audit protocol. This protocol clearly identifies the specific performance criteria that the OCR uses as it assesses provider compliance with each section of the HIPAA privacy and security rules. Also, take a look at the security risk assessment tool developed collaboratively by the Office of the National Coordinator, OCR, and the HHS Office of the General Counsel (OGC). The tool is designed to help guide healthcare providers in small- to medium-sized offices conduct risk assessments of their organizations.
2. Educate your staff. Do all staff members understand the implications of clicking on suspicious links or opening suspicious email attachments? Some providers proactively choose to ban all personal webmail and surfing on company devices to mitigate risk, said Dill.
3. Ensure technical protection. This requires use of the following:
   • Advance persistent threat tools
   • Email filters
   • Intrusion prevention systems
   • Reputable antivirus software
   • Updated security patches
   • Web security gateways
4. Look for other areas of vulnerability. For example, are any laptops or workstations located directly near an exit? If so, this could be a recipe for disaster in terms of theft/loss, said Dill. Do all laptops timeout after a brief period of inactivity so patients and/or other staff don’t have access? These are just a few of the questions that physicians must consider.
5. Establish a data backup plan. How secure is your plan, and does it actually work when you activate it?
6. Create a bit coin wallet. Bit coins are the currency that hackers demand during a ransomware attack so providers can regain access to their own data. McGraw reminded conference attendees that ransomware of unencrypted data meets the OCR’s definition of a breach. This means that physicians must notify individuals whose protected health information is breached unless the physician determines that there’s a low-risk of compromise. The determination and rationale must be clearly documented, she added.
7. Create an incident response plan. When a security incident occurs, who will you notify and when? Document this plan, and test it in advance to make sure it works, said Dill.
8. Hold your business associates (BA) accountable. Ensure that you have a BA agreement in place for all applicable vendors. Does this agreement include breach/security incident obligations? When signing a BA contract, include requirements such as, ‘The BA will have 30 days to address any vulnerabilities before the contract becomes null and void,’ and ‘The BA may not decrease its security profile without the provider’s explicit permission.’

The best way to prepare for a HIPAA audit is to be proactive using a variety of free tools that are available to help providers. Identify and address vulnerabilities head on before the OCR comes knocking.