Privacy Please
Revisiting data security in an evolving tech world.

By Eric Cardin, PT, MS
This year heralds the 20th anniversary of Congress’ passage of the Health Insurance Portability and Accountability Act (HIPAA). Two decades later the protection of health information and privacy continues to be an important issue among private practitioners. As much as HIPAA has become a household name, a new or established practice can potentially overlook the steps needed to protect its clients and limit its liability related to handling sensitive data. Over the course of its life, HIPAA has centered around the “privacy rule” and the “security rule.” It is important to check in with these regulations, their clarifications, and subsequent updates (see Health Information Technology for Economic and Clinical Health [HITECH] Act below) to ensure compliance and increase peace of mind when it comes to data security and privacy.
The “security rule” requires “appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.” [1] New private practice physical therapists are tasked with understanding and complying, while established therapy practices should revisit their plans to ensure compliance. Compliance must be thought of as an ongoing and evolving process. After all, iPhones, iPads, “The Cloud,” smartwatches, and the ubiquitous “selfie” were yet to arrive when HIPAA went into effect. What will technology bring in two, three, or ten years from now?
Risk Assessment
First, the private practice physical therapist should conduct a risk assessment. It is important to consider how protected and private information is being handled and anticipate possible lapses in security. A thorough risk assessment helps identify possible ways protected information might be compromised. Basic documentation of an assessment demonstrates a reasonable effort to maintain and secure private health information. A risk assessment can be followed by a complete analysis of what is currently being done or could potentially be done to overcome the risk found during the risk assessment. This analysis of current security and the inherent risks found surrounding the protection of private information is the cornerstone of compliance.
Administrative, Physical, and Technical Safeguards
Administrative safeguards: In general, these are the administrative functions that should be implemented to meet the security standards. These include assignment or delegation of security responsibility to an individual and security training requirements. Clear policies regarding reporting security incidents are a required part of these safeguards. Efforts should be made to train the entire team to understand and enforce the plans. Compliance plans should also address data backup, disaster recovery, and contingency plans.
Physical safeguards: In general, these are the mechanisms required to protect electronic systems, equipment, and the data they hold from threats, environmental hazards, and unauthorized intrusion. They include restricting access to protected health information and retaining off-site computer backups. Cloud computing offers cheap and nearly limitless storage and backups. Understanding how the information you handle is stored is a key part of selecting an electronic medical records (EMR) vendor. Simple physical safeguards include setting the computer or device to “lock” after a period of nonuse. However, compliance and enforcement require staff to buy in and be educated by the management team.
Technical safeguards: In general, these are primarily the automated processes used to protect data and control access to data. They include using authentication controls to verify that the person signing onto a computer is authorized to access that protected information, or encrypting and decrypting data as it is being stored and/or transmitted. Mandatory password changes, protected/private Wi-Fi networks, clear policies regarding “bring-your-own-device,” and education regarding secure home networks are all important parts of technical safeguards.
In 2009, the HITECH Act further defined requirements and strengthened enforcement and penalties for noncompliance. The government strengthened enforcement and penalties related to data security in this Act after a culture of lax compliance developed nationally regarding the protection of health and private information. The HITECH Act enables the government to impose large monetary penalties on those covered entities found to be in “willful neglect.” This can seem like an ambiguous term, but it presents an opportunity for a prepared provider to establish a basic plan for compliance. The Act also defined when patients and the government must be notified of a “breach” of protected information. In summary, basically any unprotected or compromised information requires the patient to be notified, and larger-scale incidents require the government to be notified.
The interaction of regulation, technology, and security can be a complex web of requirements. Regular review of policies, procedures, and training, together with documentation and efforts to educate employees, is an important part of compliance. Information to assist private practice physical therapists, summarized here, is available across multiple internet resources, including www.hhs.gov, www.healthIT.gov, and the American Physical Therapy Association (APTA) website.
References
1. www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule. Accessed Nov. 2015.
Eric Cardin, PT, MS, is the executive director of South County Physical Therapy, Inc. He can be reached at ecardin@sc-pt.com.