Along with the widespread use of computers in medicine comes a greater need for security measures. Apart from being good business practice, these security measures are also part of the Meaningful Use (MU) standards. But make no mistake, computer security is more than just changing your password now and then. It is well documented, for example, that criminals can attack a business network through its printers. What is less certain is how you can protect against these threats, especially in a smaller business. Recent legislation, however, has explicitly spelled out what is expected of any person or entity dealing with personal health information (PHI).
The HITECH (Health Information Technology for Economic and Clinical Health) Act not only spells out specific computer security requirements that were first mentioned in the HIPAA (Health Insurance Portability and Accountability Act) rules but also describes penalties for failing to meet them. Additionally, all of this has extra teeth in the form of an enforcement agency, the Office of Civil Rights, under the Department of Health and Human Services (HHS).
To make matters worse for all of us, the Office of Civil Rights (OCR) will have a 5% budget shortfall, and the word is out that it will make this up by increasing the number of penalties and fines levied on anyone who violates the requirements of the HITECH Act. This still leaves it with a $66 million budget for enforcement, and the government expects to realize a healthy return on that investment.
Here are a couple of recent cases which illustrate the shape of things to come in HITECH enforcement:
In March of this year, the Utah State Department of Health, a fairly large entity, suffered a breach when two of its servers were hacked. As a result, over 100,000 patient records were taken. The OCR found that appropriate levels of security were not in place when the servers were set up. This case is still pending, and it is unclear what sanctions will be imposed.
In April 2012, the Phoenix Cardiac Surgery Center, a five-physician group, agreed to pay a $100,000 fine as part of a settlement with the OCR. The agency found that the practice had been posting clinical and surgical appointments for its patients on a publicly accessible Internet-based calendar. In addition, it had failed to implement several key provisions of PHI protection. These violations apparently had been flagged previously but were not rectified.
Just like the IRS, the OCR will most likely follow the path of least resistance and go after medical practices and other entities that stand out. But as the Phoenix case illustrates, those who think they can safely fly under the radar may be in for a rude awakening. While a small practice is less likely to attract the OCR's attention than a hospital, its resources are also significantly smaller than the hospital's. It could take only one violation to deal the practice a serious, if not fatal, blow.
What can you do now?
- Don't assume it can't happen to you.
- Put in place at least a basic set of computer security policies. Make them part of your employee manual and have staff members sign off on them. Being able to demonstrate that you are trying to comply can go a long way in an audit.
- If you're not sure where to start, look to the credit card industry for guidance. The PCI DSS (Payment Card Industry Data Security Standard) is a widely accepted set of policies and procedures for protecting personal financial data. There are websites that can help you perform a self-assessment and show you where you might have gaps in compliance.
- Contact an expert in network security compliance, particularly someone with experience in healthcare IT.
- If you are audited, don't be belligerent. Some experts say the heavy fine imposed on the Phoenix group was due in part to its refusal to correct deficiencies that had been identified previously.
Thanks to Mike Meikle of Hawkthorne Consulting, a healthcare consultancy based in Richmond, Virginia, for his help on this article.