Does HIPAA scale for a physician practice? Is HIPAA compliance mandatory?

HIPAA sounds like “hippo” for a reason: it’s big, clunky, noisy, and unwieldy. Can, and should, a small physician practice implement HIPAA practices? Is it worth the effort?

Here’s the bad news: If you’re under HIPAA, compliance is mandatory.

The Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) recently went after Anchorage Community Mental Health Services for HIPAA violations. Anchorage paid $150,000 and adopted a corrective action plan for its HIPAA compliance. Anchorage is a five-facility nonprofit that provides behavioral health care services. OCR opened an investigation after receiving notification from Anchorage about a breach of unsecured electronic PHI affected over 2,500 individuals, due to malware that compromised the security of its information technology resources. OCR revealed that Anchorage had adopted sample HIPAA Security Rule policies and procedures, but did not follow its Security Rule HIPAA compliance program. Among other things, Anchorage failed to perform a risk assessment, which would have led them to update their software with patches.

What’s the bottom line? When in doubt, comply with HIPAA. Failure to comply is not an option. Now, remember that even if HIPAA does not technically apply, state laws can apply that mirror HIPAA provisions, and require that the privacy and security of protected health information be … protected. State laws frequently focus on two areas:

• Definition of a breach
• Breach notification procedures

For example, Delaware has laws:

• requiring that any use of PHI be limited to the minimum amount necessary to reasonably accomplish the legitimate health purpose
• requiring individual consent before PHI may be disclosed
• defining “breach” of PHI
• providing breach notification procedures
• specifying “safe destruction” of “personal information,” a category broader than PHI

Delaware’s HIPAA Security page provides these “tips and helpful hints:”

• Do not share passwords.
• Keep stored passwords secure, not on your PC or desk.
• Set a Screen Saver to automatically appear after 10 minutes and use password protect.
• Keep computer monitors that display protected information out of view from others.
• Use strong passwords when possible.
• Do not send unencrypted patient information over the internet, by e-mail or as an attachment in an e-mail. Use encryption if available.
• Do not use unencrypted portable or mobile media such as thumb drives or PDA’s to store protected information.

In other words, compliance steps include:

(1) Adopt a strong HIPAA compliance plan drafted by HIPAA counsel, which includes HIPAA training;

(2) Implement the program (as advised by legal counsel and healthcare IT specialist).

(3) Rinse and repeat. When looking to HIPAA compliance, remember that HIPAA compliance is scalable. Among other things, each company must assess:

• the company’s size, complexity, and capabilities
• technical infrastructure
• costs of security measures
• probability and criticality of potential risks to electronic PHI (ePHI)

You should have your healthcare attorney (and IT specialist) review the scaling.

(4) Also remember that workforce training in HIPAA compliance is mandatory, which is why HIPAA training online is a good option.

Our HIPAA attorneys and healthcare lawyers track HIPAA developments so we can counsel our clients on their HIPAA compliance legal obligations.