Online HIPAA Tool From TMA One Option to Help Secure Patient Information, Stay
Practice Management Feature — October 2015
By Joey Berlin
If a patient blows off one of those relentless Windows
update notifications in the middle of a busy day, the consequences might be
minimal. But if you ignore the notifications at your office, the results could
medical practice does that, Katie Lay says, its adherence to the HIPAA Security
Rule can become outdated in nearly an instant.
can be compliant at 10 am, and by 10:30 you're not compliant anymore because
you didn't update your Windows security," said Ms. Lay, cofounder of Fayetteville,
Ark.-based HIPAA Risk Management (HRM). "That little annoying thing pops
up in the corner and says 'Windows Security Update, please restart your
computer,' and you just knock it down all day long — that is
implications of not addressing HIPAA compliance and security holes are
potentially catastrophic. Perhaps even scarier, recent research makes a patient
data breach look next to inevitable, with one survey showing more than 90
percent of health care organizations have experienced a data breach in the past
state, and private-product options exist to help practices boost their HIPAA
compliance and keep patient information secure. The Texas Medical Association
is offering one such product — the Online HIPAA Security Manager from HRM — at
a discounted rate for members.
Whether a practice is large, small, or in between, research
suggests data breaches are overwhelmingly commonplace — and costly.
The Ponemon Institute released its "Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data" last
May. Ninety-one percent of the health care organizations in the study
experienced a data breach in the past two years, and 40 percent had experienced
more than five data breaches in that time frame. In a separate study, Ponemon
found that globally the average medical data breach costs $363 per patient
record — significantly more than the $154-per-record average for all other industries.
Naturally, medical data breaches
don't inspire patient confidence. A survey by Austin-based research company
Software Advice earlier this year found more than half of respondents, 54
percent, said they were "moderately likely" or "very likely"
to change physicians as a result of a patient data breach. In the same study,
21 percent of respondents said they had withheld personal information from their
doctors because of data security concerns.
Ms. Lay says a recent electronic
health record (EHR) vendor's breach illustrates the need for documentation.
Fort Wayne, Ind.-based EHR vendor NoMoreClipboard announced in June it had
discovered an attack on its system the previous month. The attack compromised
patient data for nearly 200 practices and other entities, including one of HRM's clients.
"Even though our client did
not cause the breach, they still have to file a breach report. They have to
notify their patients," Ms. Lay said. "Because it was over 500
individuals [affected], they have to notify local media."
The HIPAA Breach Notification Rule requires practices that experience a breach to notify
the affected individuals without unreasonable delay, and no later than 60 days after
discovering the breach, by first-class mail or, if the individual has agreed to it, by email.
If the practice has insufficient or out-of-date contact information for 10 or more individuals,
it must either post a notice on its website for at least 90 days or provide notice to major
print and broadcast media in the areas where the affected individuals likely live. For more
information, visit the U.S. Department of Health and Human Services' (HHS') Breach
Notification Rule webpage.
If a breach affects 500 or more individuals, a practice also must notify HHS within that same
60-day window and provide notice to prominent media outlets serving the state or jurisdiction
where the individuals live; the incident also will be posted on the HHS breach portal, commonly
called the "wall of shame."
NoMoreClipboard is reimbursing
clients for the cost of breach notification and providing credit monitoring to affected
people. Ms. Lay says if the third-party vendor can't cover those costs, the practice
has to do it.
"So even if you don't cause
the problem, you still have to follow all the steps, and you have to have your
documentation in line because you filed a breach report; you will be required
to have that documentation," she said. "So you don't even have to
mess up anymore to be under scrutiny."
Staying in compliance has become more complicated over the past five years, says
Abilene family physician D. Allen Schultz, MD, who maintains a cloud-based EHR
system. (See "TMA HIPAA Privacy Webinars.") He's never had a data
breach, and he's doing his best to keep it that way — even as compliance
requirements continue to wipe out smaller practices like his.
A member of
TMA's Ad Hoc Committee on Health Information Technology, Dr. Schultz says
smaller-shop physicians are increasingly selling their practices and becoming
members of larger health care organizations, rather than endure the costs and
difficulties of complying with HIPAA and other government mandates.
"It's kind of the [government's]
mentality of, if you put the requirement in, then they'll either have to comply
or go out of business, and somehow they'll figure out a way to comply if they
still want to have their own practices — as opposed to, 'We've identified a way
how you can comply, and these are the fines if you don't comply,'" he said.
Ms. Lay says the standard once-a-year HIPAA risk analysis
isn't enough for practices to make sure they're compliant and secure; leaving
it all up to the information technology (IT) department and/or the practice's
HIPAA security officer doesn't get the job done either. She says 65 percent of
HIPAA Security Rule standards and specifications are administrative, not
technical, and documentation is key in the event of a breach. (See "NewTool Helps With HIPAA Compliance.")
"If you're relying on your IT
vendor, yes, they can put in place for you the technical measures to protect
your computers, to protect your servers," she said. "But if you don't
have the full compliance program, the actual process to show your work, all of
the resources, including the money you've spent and the time you've put in, are
not going to matter because you won't be able to prove your compliance."
The Online HIPAA Security Manager breaks the HIPAA security questions into organized, more
digestible sections. A program dashboard lets the practice know where security
and compliance vulnerabilities exist, displaying a likelihood, potential
impact, and threat score for each one.
The tool also helps practices
develop periodic risk management plans, offers security training, and documents
all compliance audits and updates. HRM customizes the security manager to the
size of the practice. If the client needs a conversation with experts to answer
a question, or if there's a HIPAA issue that a couple of mouse clicks can't
solve, HRM has experts available during business hours.
"Our clients know they've been
doing what's required of them because they can pull up the screen, and they can
see all the little green check boxes with the date and that everything is current,"
Ms. Lay said.
Dr. Schultz says he began using the
Online HIPAA Security Manager in July. By using it, he says he's doing
everything he can to maximize data security.
"From what I've seen of this
HIPAA [tool], it is a good way to implement practices that will achieve the
result of protecting patient data," he said.
Discount prices for TMA members
start at $99 per month. Physicians and practices interested in learning more
about the Online HIPAA Security Manager and obtaining the TMA member discount
can visit the TMA website. For more information about HIPAA
privacy and security compliance, visit the TMA HIPAA Resource Center.
The Certification Option
The advent of the SECURETexas compliance certification
program — the nation's first state program of its kind — allows practices to
soften the potential blow of state fines and penalties that result from a data breach.
As a result
of 2011 passage of House Bill 300 by then-Rep. Lois Kolkhorst (R-Brenham), the
Texas Health Services Authority (THSA) developed electronic security and
privacy standards designed to comply with all related state and federal laws,
including HIPAA and the Texas Medical Records Privacy Act. HB 300 also mandated
the creation of the certification program. The bill stipulated that if a Texas
covered entity, such as a physician, violates the Texas Medical Records Privacy
Act, its certification status would be a mitigating factor courts and state
agencies would have to consider in determining civil or administrative
penalties. At the state level, the law
allows for civil penalties up to $5,000 for each negligent violation in a year,
$25,000 for each knowing or intentional violation, and $250,000 for each
violation where the violator knowingly or intentionally used protected health
information for financial gain.
THSA contracted with the Health Information Trust Alliance (HITRUST) to develop
SECURETexas. While SECURETexas certifies health plans, hospitals, and other
covered entities, it is putting the final touches on its product for small
practices. James Stefan Walker, MD, said in August his practice, Corpus Christi
Medical Associates, was in the process of beta-testing a smaller-practice
version of the SECURETexas program.
is trying to make a product that's affordable enough and small enough but still
has some of the cool features that they're offering hospitals," he said.
"So we are working through the beta-testing process with them involving
our own six-provider practice's assessment and attempting to certify. Within
the next couple of months, we should have that done."
urging, SECURETexas has reduced pricing of its certification product so it is
affordable for small physician practices, and Dr. Walker says he's optimistic
about SECURETexas becoming a valuable tool. According to the pricing chart on
its website, securetexas.org, certification costs $1,500 for practices with one
to 25 employees.
David C. Fleeger,
MD, a member of TMA's Board of Trustees and the THSA Board of Directors, says
in contrast to smaller practices, larger medical entities usually have IT
departments that can handle software like the current version of SECURETexas.
"We want to make sure that we
do it right when we bring it out," he said of the small-practice version. "So
we're working through the system, having a physician go through the system and
try to find out where the weak points are. What are the things that are hard to
do in a small practice? And to be quite honest, the instructions, manuals, that
kind of thing, have to be a little less technical if it was me or my office
manager doing it than if you've got a trained IT professional going through
these things. So those kind of things are needing to be rewritten and
The Office of the National Coordinator for Health Information Technology (ONC)
offers another security risk assessment option with a free, downloadable assessment tool.
Dr. Schultz says one frustration he
has with security compliance programs is that while they mitigate a practice's
risk, they don't provide a real measure of "safe harbor" protection
for a practice that suffers a data breach.
"I really do think that you need
to promote best practices and limit liability," he said. "I think
that complete safe harbor is not reasonable and is probably not productive with
respect to the people who have suffered the loss. Certainly, they need some
satisfaction, and so there has to be some restitution should you lose data. But
I do really feel like it ought to be the type of restitution that you're able
to get insurance for."
The Texas Medical Liability Trust
(TMLT) offers cyber liability protection for medical professionals to cover
network privacy and security, regulatory fines and penalties, costs of
notifying patients, and other costs related to potential data breaches. Minimum
levels of coverage are provided at no extra charge to TMLT policyholders.
Optimism still exists about the future of data security and
HIPAA compliance, even with the continued emergence of stories such as the
Dr. Walker says it's important for practices
to obtain SECURETexas certification eventually because they need to have the statutory
protection that comes from showing they've done everything they possibly can to
be ready for a data breach. He says health information exchange (HIE)
technology hasn't taken off among Texas physicians, in part because of fears of
hackers getting the data. He says he's personally not yet comfortable
participating in an HIE largely because of that fear.
are going to happen," he said. "They have happened. I think they're
only going to happen with more frequency, not less. But doctors want to be able
to get out there and actually feel confident about doing HIE activities, which
is hard to do as yet."
urging, the Texas Legislature this year passed House Bill 2641, which gives
important new liability protections to physicians using HIEs. It covers any
inappropriate disclosure of patient information by an HIE or by another
physician or health professional.
Ms. Lay says HRM tells its clients that when a breach happens, it doesn't have to
immediately ruin their day or prompt panic.
"Around the country, doctors
are having to close their doors because of one HIPAA breach. One incident
doesn't have to cost you your practice," she said. "HIPAA security
doesn't have to be this overwhelming burden. Just like when you are renovating
a home, or you start with this pile of something that you don't know what to do
with, [if you] involve the right people, have the right tools and the right
experts, you can build something that works specifically for you."
Dr. Schultz says he has hope for
the future of data security; if he didn't, he says, he wouldn't still be working
as an independent physician.
"But I think the important
thing is that the message needs to get out there," he said. "Number
one, there is a serious risk and a serious threat. Number two, take action now,
and don't wait for the perfect product because the perfect product doesn't
exist. And number three, talk to people about this sort of thing. Raise their
awareness so that we can get products and get legislation that give us the
tools to protect our patient population like we want to do."
Joey Berlin can be reached by phone at (800) 880-1300, ext.
1393, or (512) 370-1393; by fax at (512) 370-1629; or by email.
New Tool Helps With HIPAA Compliance
The Online HIPAA Security Manager is available to TMA
members at a discount as a benefit of membership. The tool includes:
- An easy-to-navigate online format to help track
- Comprehensive HIPAA risk analysis;
- A dashboard to track risks to security and compliance;
- Access to HIPAA experts who can identify
deficiencies and make recommendations;
- Automatic documentation of HIPAA activities;
- Online HIPAA security training for employees;
- An audit checker that can provide compliance
documentation with the click of a button.
TMA HIPAA Privacy Webinars
The TMA Education Center offers webinars for physicians to
train their staff on HIPAA privacy laws, including:
- Complying with HIPAA and Texas Privacy Laws,
which provides an overview of HIPAA compliance and answers frequently asked questions; and
- HIPAA Training for Medical Office Staff, which
covers training staff on compliance at both the state and federal levels.