As a provider of IT managed services to medical practices and other small and medium businesses predominantly in New Jersey, we continue to see numerous examples HIPAA (Health Insurance Portability and Accountability Act) violations that are risking medical practice profitability and viability. We encounter many practices that are not aware the financial and operational risks that they are incurring due to lack of compliance. One of the biggest challenges in the healthcare industry is how to keep electronic protected health information of patients secure. Hackers are targeting small and medium as well as large healthcare providers for their patient data, with increasing rates of cyberattacks. Consequently, HIPAA-related regulatory requirements and enforcement practices have been increasing as well.
New Jersey, in particular, has experienced major HIPAA breaches that have plagued the state’s healthcare providers. According to the U.S. Department of Health and Human Services, the breaches have exposed the health data of over 1 million New Jersey residents since 2009. In 2015, New Jersey’s Governor Christie called for healthcare providers to make greater efforts to keep the electronic health records of patients secure. A new law went into effect in July 2015 requiring all covered entities (healthcare providers, plans, and clearinghouses) to use data encryption software on all electronic devices that contain protected health information. The new law extended HIPAA guidelines, requiring encryption on end user computer systems including laptops, desktops, portable storage devices, and smartphones.
In a recent controversial case, a lawyer is suing New Jersey-based clinical psychology practice, Short Hills Associates, for violating his privacy by releasing ePHI. The lawyer is also attempting to sign up other individuals who have had their privacy violated to participate in a class-action suit against Short Hills Associates.
Last month, New Jersey’s St. Joseph’s Healthcare System reported that employee names, social security numbers, and employee earnings data had been emailed to scammers. In response to increased healthcare spear phishing attacks (e-mail spoofing fraud attempts, seeking unauthorized access to confidential data), the IRS issued a nationwide alert, warning of the increased threat of malware and phishing attacks. According to the IRS, there have been a 400% year-over-year increase in tax season phishing and malware incidents so far in 2016.
Adam Greene, a privacy attorney with law firm Davis Wright Tremaine in Washington, D.C. (and former U.S. Department of Health and Human Services’ Office of Civil Rights attorney), stated recently in a public interview that 2016 could be a record year for HIPAA enforcement actions by federal regulators, both in the number of resolution agreements and in the size of financial settlements resulting from breach investigations.
According to CompliancePro Solutions’ research, the HITECH Act and new state breach laws substantially increased civil penalties for non-compliance with HIPAA policies and other privacy and security laws. The maximum penalty for HIPAA violations was increased from $25,000/year to $1.5 million/year per violation. Willfully ignoring or failing to be compliant can mean mandatory investigations and penalties – initiated by any complaint, breach, or a discovered violation.
In 2016, the U.S. Department of Health and Human Services’ OCR has already issued two enforcement actions. That includes a $25,000 settlement and resolution agreement with a physical therapy provider that disclosed protected health information on its website. Also, a respiratory care provider was fined nearly $240,000 due to inappropriate handling of PHI associated with 278 patients.
Is your Medical Practice Doing What’s Needed to Secure Electronic Protected Health Information (ePHI)?
Kareo’s (medical software provider) 2015 Tech Survey of medical practices showed that only about 1/3 of respondents are conducting a risk analysis associated with securing ePHI. Also, over half are using mobile communication devices in the performance of their jobs – yet only 1/3 are implementing rules for bringing mobile devices to work. Additionally, only 1/3 are storing data on a cloud backup service.
In summary, key things that should be considered to secure your medical practice’s ePHI include:
- Conduct annual Security Risk Assessments
- Utilize HIPAA privacy and security templates
- Provide your workforce with HIPAA training materials
- Track your Business Associate agreements and their patient information protection standards
- Track wrongful disclosure through online tools that assist in investigating and responding to potential wrongful disclosures, while ensuring HIPAA reporting regulations are met
- Implement business-level firewalls, anti-virus, encryption, cloud-based data backup systems, and associated data protection processes
IT services for medical professionals to ensure HIPAA compliance
Considering how much weight your computer network carries when it comes to modern medical practice office, you must turn to trusted IT advisors when it comes to make your practice HIPAA/HITECH compliant.
- Physical and virtual safeguards for ePHI.
- Technical Safeguards
- Tracking/Audit Logs
- Strict Technical Policies
- Security of Network and Transmission
Give us a call now at 201-493-1414 – your Computer Network will thank you!
If you are located in New Jersey or NJ NY area, and are looking for Managed IT services and Computer Support for your Medical Practice – you may have searched the internet for Doctors IT Support, Medical office IT support, Healthcare IT support, IT support for Medical practices, Outsourced IT Support, Healthcare IT support, and Medical Practice Startup — look no further: we are here to provide your medical practice with reliable IT Support.
Specialties: Family Practice IT support, Pediatric Practice IT support, Orthoped