As office manager of the Fertility Institute of Virginia, Pattie Carson needed to ensure the practice was compliant with laws related to mobile usage, emails, and security. But keeping up with changing laws while running the busy reproductive endocrinology practice was impractical, if not impossible.
Since Medicare and Medicaid don't cover fertility treatment, the institute has no Meaningful Use incentive to adopt electronic records and opted to continue using paper charts. It must still abide by HIPAA and other privacy and security regulations, Carson tells InformationWeek. She determined that the most cost-effective approach was to use a third party to conduct risk assessments and provide ongoing compliance services.
"With all the rules and regulations -- they're always changing -- I needed someone to help me, someone who specialized in this," she says. "HIPAA Secure Now gave us a risk assessment and makes sure we're compliant with everything."
In smaller practices the office manager is typically responsible for risk assessment, Art Gross, CEO of HIPAA Secure Now, said in an interview. Organizations with fewer than 75 employees often outsource IT and have nobody heading compliance. With the advent of Meaningful Use they're now overloaded with data, he said, but they have little insight into the risks around backup, disaster recovery, mobile devices, or USB drives.
"You talk about a security risk assessment and people look at you as if you're talking French," Gross says. "This isn't something people embrace very easily. You start using words like encryption and disaster recovery. These are concepts a lot of practices truly don't understand. It's not their fault."
The threat of larger fines has increased awareness among smaller practices, however. Since the Omnibus Rule went into effect in March 2013, HIPAA Secure Now saw website activity grow to about 7,000 hits a month from 400, according to Gross, with 10 to 15 people per day signing up for the company's training.
Looking out for patient data is difficult these days, Gross points out, as it's often scattered throughout a doctor's office. "Everyone thinks of patient information as in their EMR, but when we go through and do a risk assessment, we find there's patient information in email, and all that information is sitting in laptops or smartphones or tablets," he says. "They don't realize there's patient information all over, and the risk grows with every device you put that information on."
That was certainly true at the Fertility Institute. Because the practice's physicians increasingly depend on their iPhones and iPads, HIPAA Secure Now ensured that these and other mobile devices were fully encrypted. The service provider also added encryption to the practice's email so that staff could communicate with patients electronically, a change that improved patient satisfaction, according to Carson.
"Before this we were careful -- there was certain information we just didn't send out. [Now] I can send information because it's encrypted," she says. "Some patients, that's how they communicate now. It's a lot quicker for them. [For] some people, with their work schedules, phones are impossible."
Each year HIPAA Secure Now conducts a risk assessment, auditing the Fertility Institute on areas of improvement, areas that need addressing, and new rules, based on a questionnaire and a Web-based videoconference, Carson explains. Education of this kind directly addresses one of the weaknesses the government's expanded audit program has already uncovered: limited awareness of compliance requirements.
This year the Department of Health and Human Services (HHS) is expected to expand its HIPAA Audit Program to include business associates. The Office for Civil Rights (OCR) will move beyond the pilot it ran with partner KPMG, which audited 115 providers. Early results of the pilot show that providers have limited awareness of compliance requirements, that their policies and procedures are outdated, and that they fail to properly implement the policies and procedures they do have.
The complexity of today's systems makes auditing more challenging for healthcare organizations, Tim Sedlak, senior product manager at Dell Software, which develops compliance tools, said in an interview. "It used to be, you could audit your IT department, and everything was on-site," he says. "Now IT has blossomed and gone in every different direction. You have things like SharePoint and mobile devices, let alone the introduction of cloud-based services. That has a lot of people shaking in their boots. I think we're seeing a lot of concern in those areas."
Dell often works with IT administrators and IT managers on a mandate from their chief compliance or chief security officer, Sedlak said. "People felt very comfortable even two, three years ago that, 'My IT guys know what to do around HIPAA, HITECH.' Now we've got the introduction of cloud services, SharePoint, Dropbox, SkyDrive, and tablets and smartphones," he said. "People realize they could have [protected health information] everywhere. They're concerned they don't know where data's gone. They're concerned they don't have the controls in the places where data's gone."
More awareness often translates into more funding -- for education, resources, and tools, whether internal solutions or external services. The need to manage and control risk will continue to grow in proportion to the data pouring into healthcare organizations' many devices, networks, and applications.
Alison Diana is an experienced technology, business and broadband editor and reporter. She has covered topics from artificial intelligence and smart homes to satellites and fiber optic cable, diversity and bullying in the workplace to measuring ROI and customer experience.