Discounted Online HIPAA Tool From TMA One Option to Help Secure Patient Information, Stay in Compliance

 Texas Medicine Logo(2)

Practice Management Feature — October 2015

Tex Med. 2015;111(10):33-38.

By Joey Berlin 
Reporter

If a patient blows off one of those relentless Windows update notifications in the middle of a busy day, the consequences might be minimal. But if you ignore the notifications at your office, the results could be costly.

If a medical practice does that, Katie Lay says, its adherence to the HIPAA Security Rule can become outdated in nearly an instant.

"You can be compliant at 10 am, and by 10:30 you're not compliant anymore because you didn't update your Windows security," said Ms. Lay, cofounder of Fayetteville, Ark.-based HIPAA Risk Management (HRM). "That little annoying thing pops up in the corner and says 'Windows Security Update, please restart your computer,' and you just knock it down all day long — that is noncompliance."

The implications of not addressing HIPAA compliance and security holes are potentially catastrophic. Perhaps even scarier, recent research makes a patient data breach look next to inevitable, with one survey showing more than 90 percent of health care organizations have experienced a data breach in the past two years.

Federal, state, and private-product options exist to help practices boost their HIPAA compliance and keep patient information secure. The Texas Medical Association is offering one such product — the Online HIPAA Security Manager from HRM — at a discounted rate for members.

Compliance Complications

Whether a practice is large, small, or in between, research suggests data breaches are overwhelmingly commonplace — and costly.

The Ponemon Institute released its "FifthAnnual Benchmark Study on Privacy and Security of Healthcare Data" last May. Ninety-one percent of the health care organizations in the study experienced a data breach in the past two years, and 40 percent had experienced more than five data breaches in that time frame. In a separate study, Ponemon found that globally the average medical data breach costs $363 per patient record — significantly more than the $154-per-record average for all other industries.

Naturally, medical data breaches don't inspire patient confidence. A survey by Austin-based research company Software Advice earlier this year found more than half of respondents, 54 percent, said they were "moderately likely" or "very likely" to change physicians as a result of a patient data breach. In the same study, 21 percent of respondents say they withheld personal information from their doctors due to data security concerns.

Ms. Lay says a recent electronic health record (EHR) vendor's breach illustrates the need for documentation. Fort Wayne, Ind.-based EHR vendor NoMoreClipboard announced in June it had discovered an attack on its system the previous month. The attack compromised patient data for nearly 200 practices and other entities, including one of HRM's clients.

"Even though our client did not cause the breach, they still have to file a breach report. They have to notify their patients," Ms. Lay said. "Because it was over 500 individuals [affected], they have to notify local media."

The HIPAA Breach Notification Rule requires practices that experience a breach to notify the affected individuals by mail or email. If the practice has insufficient or out-of-date contact information for 10 or more individuals, it must either post a notice on its website for at least 90 days or provide notice to major print and broadcast media located near those the breach likely affected. For more information, visit the U.S. Department of Health and Human Services' (HHS') Breach Notification Rule webpage

If the breach affects 500 or more individuals, a practice must provide notice to media that serves the state or jurisdiction where the individuals live, and it also will land the practice on the HHS "wall of shame."

NoMoreClipboard is reimbursing clients for the cost of breach notification and providing credit monitoring to affected people. Ms. Lay says if the third-party vendor can't cover those costs, the practice has to do it.

"So even if you don't cause the problem, you still have to follow all the steps, and you have to have your documentation in line because you filed a breach report; you will be required to have that documentation," she said. "So you don't even have to mess up anymore to be under scrutiny."

But staying in compliance has become more complicated over the past five years, says Abilene family physician D. Allen Schultz, MD, who maintains a cloud-based EHR system. (See "TMA HIPAA Privacy Webinars.") He's never had a data breach, and he's doing his best to keep it that way — even as compliance requirements continue to wipe out smaller practices like his.

A member of TMA's Ad Hoc Committee on Health Information Technology, Dr. Schultz says smaller-shop physicians are increasingly selling their practices and becoming members of larger health care organizations, rather than endure the costs and difficulties of complying with HIPAA and other government mandates.

"It's kind of the [government's] mentality of, if you put the requirement in, then they'll either have to comply or go out of business, and somehow they'll figure out a way to comply if they still want to have their own practices — as opposed to, 'We've identified a way how you can comply, and these are the fines if you don't comply,'" he said.

Full-Service Help

Ms. Lay says the standard once-a-year HIPAA risk analysis isn't enough for practices to make sure they're compliant and secure; leaving it all up to the information technology (IT) department and/or the practice's HIPAA security officer doesn't get the job done either. She says 65 percent of HIPAA Security Rule standards and specifications are administrative, not technical, and documentation is key in the event of a breach. (See "NewTool Helps With HIPAA Compliance.")

"If you're relying on your IT vendor, yes, they can put in place for you the technical measures to protect your computers, to protect your servers," she said. "But if you don't have the full compliance program, the actual process to show your work, all of the resources, including the money you've spent and the time you've put in, are not going to matter because you won't be able to prove your compliance."

The Online HIPAA Security Manager breaks the HIPAA security questions into organized, more digestible sections. A program dashboard lets the practice know where security and compliance vulnerabilities exist, displaying a likelihood, potential impact, and threat score for each one.

The tool also helps practices develop periodic risk management plans, offers security training, and documents all compliance audits and updates. HRM customizes the security manager to the size of the practice. If the client needs a conversation with experts to answer a question, or if there's a HIPAA issue that a couple of mouse clicks can't solve, HRM has experts available during business hours.

"Our clients know they've been doing what's required of them because they can pull up the screen, and they can see all the little green check boxes with the date and that everything is current," Ms. Lay said.

Dr. Schultz says he began using the Online HIPAA Security Manager in July. By using it, he says he's doing everything he can to maximize data security.

"From what I've seen of this HIPAA [tool], it is a good way to implement practices that will achieve the result of protecting patient data," he said.

Discount prices for TMA members start at $99 per month. Physicians and practices interested in learning more about the Online HIPAA Security Manager and obtaining the TMA member discount can visit the TMA website. For more information about HIPAA privacy and security compliance, visit the TMA HIPAA Resource Center.

The Certification Option

The advent of the SECURETexas compliance certification program — the nation's first state program of its kind — allows practices to soften the potential blow of state fines and penalties that result from a data breach.

As a result of 2011 passage of House Bill 300 by then-Rep. Lois Kolkhorst (R-Brenham), the Texas Health Services Authority (THSA) developed electronic security and privacy standards designed to comply with all related state and federal laws, including HIPAA and the Texas Medical Records Privacy Act. HB 300 also mandated the creation of the certification program. The bill stipulated that if a Texas covered entity, such as a physician, violates the Texas Medical Records Privacy Act, its certification status would be a mitigating factor courts and state agencies would have to consider in determining civil or administrative penalties. At the state level, the law allows for civil penalties up to $5,000 for each negligent violation in a year, $25,000 for each knowing or intentional violation, and $250,000 for each violation where the violator knowingly or intentionally used protected health information for financial gain.

THSA contracted with the Health Information Trust Alliance (HITRUST) to develop SECURETexas. While SECURETexas certifies health plans, hospitals, and other covered entities, it is putting the final touches on its product for small practices. James Stefan Walker, MD, said in August his practice, Corpus Christi Medical Associates, was in the process of beta-testing a smaller-practice version of the SECURETexas program.

"HITRUST is trying to make a product that's affordable enough and small enough but still has some of the cool features that they're offering hospitals," he said. "So we are working through the beta-testing process with them involving our own six-provider practice's assessment and attempting to certify. Within the next couple of months, we should have that done."

At TMA's urging, SECURETexas has reduced pricing of its certification product so it is affordable for small physician practices, and Dr. Walker says he's optimistic about SECURETexas becoming a valuable tool. According to the pricing chart on its website, securetexas.org, certification costs $1,500 for practices with one to 25 employees.

 David C. Fleeger, MD, a member of TMA's Board of Trustees and the THSA Board of Directors, says in contrast to smaller practices, larger medical entities usually have IT departments that can handle software like the current version of SECURETexas.

"We want to make sure that we do it right when we bring it out," he said of the small-practice version. "So we're working through the system, having a physician go through the system and try to find out where the weak points are. What are the things that are hard to do in a small practice? And to be quite honest, the instructions, manuals, that kind of thing, have to be a little less technical if it was me or my office manager doing it than if you've got a trained IT professional going through these things. So those kind of things are needing to be rewritten and redone."

The federal Office of the National Coordinator for Health Information Technology (ONC) offers another security risk assessment option with a downloadable freeassessment tool.

Dr. Schultz says one frustration he has with security compliance programs is that while they mitigate a practice's risk, they don't provide a real measure of "safe harbor" protection for a practice that suffers a data breach.

"I really do think that you need to promote best practices and limit liability," he said. "I think that complete safe harbor is not reasonable and is probably not productive with respect to the people who have suffered the loss. Certainly, they need some satisfaction, and so there has to be some restitution should you lose data. But I do really feel like it ought to be the type of restitution that you're able to get insurance for."

The Texas Medical Liability Trust (TMLT) offers cyber liability protection for medical professionals to cover network privacy and security, regulatory fines and penalties, costs of notifying patients, and other costs related to potential data breaches. Minimum levels of coverage are provided at no extra charge to TMLT policyholders. 

Raising Awareness

Optimism still exists about the future of data security and HIPAA compliance, even with the continued emergence of stories such as the NoMoreClipboard breach.

Dr. Walker says it's important for practices to obtain SECURETexas certification eventually because they need to have the statutory protection that comes from showing they've done everything they possibly can to be ready for a data breach. He says health information exchange (HIE) technology hasn't taken off among Texas physicians, in part because of fears of hackers getting the data. He says he's personally not yet comfortable participating in an HIE largely because of that fear.

"Breaches are going to happen," he said. "They have happened. I think they're only going to happen with more frequency, not less. But doctors want to be able to get out there and actually feel confident about doing HIE activities, which is hard to do as yet."

At TMA's urging, the Texas Legislature this year passed House Bill 2641, which gives important new liability protections to physicians using HIEs. It covers any inappropriate disclosure of patient information by an HIE or by another physician or health professional.

Ms. Lay says HRM tells its clients when a breach happens, it doesn't have to immediately ruin their day or prompt panic.

"Around the country, doctors are having to close their doors because of one HIPAA breach. One incident doesn't have to cost you your practice," she said. "HIPAA security doesn't have to be this overwhelming burden. Just like when you are renovating a home, or you start with this pile of something that you don't know what to do with, [if you] involve the right people, have the right tools and the right experts, you can build something that works specifically for you."

Dr. Schultz says he has hope for the future of data security; if he didn't, he says, he wouldn't still be working as an independent physician.

"But I think the important thing is that the message needs to get out there," he said. "Number one, there is a serious risk and a serious threat. Number two, take action now, and don't wait for the perfect product because the perfect product doesn't exist. And number three, talk to people about this sort of thing. Raise their awareness so that we can get products and get legislation that give us the tools to protect our patient population like we want to do."

Joey Berlin can be reached by phone at (800) 880-1300, ext. 1393, or (512) 370-1393; by fax at (512) 370-1629; or by email.

 SIDEBAR  

New Tool Helps With HIPAA Compliance

The Online HIPAA Security Manager is available to TMA members at a discount as a benefit of membership. The tool includes:  

  • An easy-to-navigate online format to help track security compliance;
  • Comprehensive HIPAA risk analysis;
  • A dashboard to track risks to security and compliance;
  • Access to HIPAA experts who can identify deficiencies and make recommendations;
  • Automatic documentation of HIPAA activities;
  • Online HIPAA security training for employees; and
  • An audit checker that can provide compliance documentation with the click of a button.   

Back to article 

SIDEBAR

TMA HIPAA Privacy Webinars

The TMA Education Center offers webinars for physicians to train their staff on HIPAA privacy laws, including:  

  • Complying with HIPAA and Texas Privacy Laws, which provides an overview of HIPAA compliance and answers frequently asked questions. 
  • HIPAA Training for Medical Office Staff, which covers training staff on compliance at both the state and federal levels.  

  Back to article

October 2015 Texas Medicine Contents
Texas Medicine Main Page

Last Updated On

August 23, 2016

Related Content

HIPAA

Joey Berlin

Associate Editor

(512) 370-1393
JoeyBerlinSQ

Joey Berlin is associate editor of Texas Medicine. His previous work includes stints as a reporter and editor for various newspapers and publishing companies, and he’s covered everything from hard news to sports to workers’ compensation. Joey grew up in the Kansas City area and attended the University of Kansas. He lives in Austin.

More stories by Joey Berlin