Physician groups, particularly smaller ones, often lack the most robust systemic protections, such as encryption, that help to prevent damage from data loss, warns Arthur J. Fried, JD, a healthcare attorney with Epstein Becker Green in New York City.
"Enforcement, and penalties, are on the rise," says Fried.
The Office for Civil Rights of the Department of Health and Human Services, which has responsibility for enforcement of the Health Insurance Portability and Accountability Act (HIPAA), announced its first wave of routine HIPAA compliance audits this year, and three physician practices are among the first 20 audits to be performed, he notes.
"Data breaches take many forms," says Fried. "I have seen instances of patients' charts stolen from physicians' cars."
Data breaches might involve lost laptops and flash drives, improper disposal of paper records, failure to secure paper records, and failure to recognize that financial records also contain medical information and Social Security numbers, which are also protected by many state laws, says Fried.
"These can be prevented, or at least the damage mitigated, by up-to-date privacy and security policies, performing a HIPAA self-audit, and regular training," he says.
Physician practice HIPAA policies should include administrative, physical, and technical safeguards, advises Fried.
Self-audits should include a review to determine whether all required policies are current and available, whether training occurs regularly, and whether compliance is well documented, he says.