Stay Out of the HIPAA Spotlight as OCR Sets Small Breaches in its Sights

December 20, 2016 by Antonio Arias, MBA, CHBME

Topics: Meaningful Use Stage 2, Practice Management, Medical Billing Company

Meeting the many privacy and security stipulations of the Health Insurance Portability and Accountability Act, or HIPAA, is always an important objective for medical practices and provider groups. But sometimes, it’s more important than usual… and now is one of those times.

Ever since the passage and implementation of HIPAA in 2009, the Office for Civil Rights (OCR) within HHS has investigated reported breaches of protected health information (PHI). To date, however, the OCR and its regional offices have focused the majority of their resources on breaches affecting more than 500 individuals.

But in an August 2016 message, the OCR announced the department’s new commitment to investigating smaller breaches and broadening its efforts “to identify and obtain corrective action to address entity and systemic noncompliance” related to PHI data breaches.

Why now? Technological risks are largely to blame: at an October conference, Deven McGraw, Esq., OCR deputy director of health information privacy, said that hackers “are smart, and they’re getting smarter every day. It’s a struggle to keep up with them.”

And it’s not just hacking. In our increasingly tech-driven healthcare environment, security vulnerabilities abound – ranging from malware and phishing to the theft or loss of mobile devices. And when organizations fail to understand their risk factors in a holistic way, the threats are multiplied by a lack of awareness.

To keep the OCR from investigating your practice (or worse, sending you toward a settlement and corrective action plan), it’s vital to revisit your data protection measures with an eye for end-to-end patient protection – not just compliance. As organizations plan and launch their 2017 strategies, stakeholders should revisit their HIPAA-driven initiatives with a comprehensive approach.

Assess your vulnerabilities. Consider engaging a data security consultant to perform an end-to-end risk analysis of your technological operations and medical billing function. If that’s outside your budget, at least use the HIPAA audit protocols to understand which HIPAA privacy and security rules the OCR is watching out for, then invest in bolstering your protections in each of those areas.

Prioritize smart policies. You already have security measures in place, but how often do you revisit them? Same goes for your incident response plan, your data backup plan, and even your staff education and training programs. Make sure you have defined strategies in place that include scheduled review and updates every six months (if not sooner).

Hold your team and partners responsible. Is your staff executing day-to-day tasks with security in mind? Or are you turning the other cheek when you spot unlocked laptops, unsecured mobile devices, and open charts lying around in precarious places? Make sure your team follows all applicable policies and procedures, and extend the same diligence to your business associates and all third parties you work with, including your medical billing service.
