Monday, March 14, 2016
HIPAA Compliance or Security – Which is your lodestar?
By: Susan (Zeisler) Pretnar President at KeySys Health LLC
When the focus of HIPAA Risk Management efforts by healthcare entities is simply to comply with documentation requirements to assuage a judgment of ‘willful neglect’ or ‘non-compliance’ in an audit, the spirit of HIPAA is completely lost. In the absence of HIPAA police or the experience of a breach, many fail to see the distinction between compliance and security, or the value of either one.
In truth, almost no routine HIPAA compliance audits have been completed. A few audits were instigated because of major breaches and a small number of covered entities were audited as a pilot several years ago. Those audits only exposed the lack of commitment to both HIPAA compliance and security. Sadly, the only bellwether we have is the thousands of Meaningful Use desk audits that reinforce the notion that you should be guided by compliance, not security, when it comes to managing protected health information. MU audits demand only the evidence of a risk assessment, and sometimes a plan, based on the findings. Never mind actually implementing anything in the plan.
Security, specifically cyber security, is all the rage, yet there is minimal commitment to investing resources to secure electronic protected health information, including using encryption or something so simple as training. ePHI that is not securely created, stored and transmitted in the vast healthcare ecosystem exposes practices to the risk of breach for lax management of digital information. Hackers are having as much success with phishing emails and phone calls to employees who have not been trained to recognize bogus requests for information and dangerous links.
A thorough risk assessment should indicate how vulnerable the practice will be if HIPAA required or addressable safeguards are not in place. Every practice is different. Recommended controls are irrelevant for some (we don’t’ have a wireless network) and a game changer for others (we allow everyone to use their personal mobile devices). No practice is without risk and no technology is stagnant. Unless you conduct a baseline risk analysis, and reassess routinely, it will be difficult to determine which risks you can accept and which risks should be mitigated quickly, ie. those that will improve your security posture.
Glaring lapses in clinical risk management can result in physical harm to the patient. Foregoing or ignoring administrative, technical and physical controls that are basic safeguards for patient data can expose the patient to financial harm or mental distress. Patients, not HIPAA, should be motivating practices to concentrate on security not just compliance.
There are myriad solutions to technical weaknesses in IT infrastructure that can thwart the casual hacker and make it difficult for the professionals. Neglecting staff training that reinforces security policies and procedures and arms employees with knowledge to stop social engineering phishing schemes only compounds vulnerability from technical weaknesses. That’s not rocket science: it’s basic business sense.