Don’t let security take a backseat to other major initiatives like ICD-10 and Meaningful Use.

By: Caleb Clarke, NueMD
Over the past decade, healthcare providers across the country have steadily adopted electronic health records to improve patient care and bring the industry up to speed with current technology. The industry has not kept pace on data security, however, and was the target of several major data breaches in 2014. As the new year begins, physicians have a lot on their plates: they are preparing for the transition to ICD-10 and adjusting their workflows to attest to Meaningful Use requirements. Those initiatives should not keep providers from making data security a top priority in 2015.

Upcoming HIPAA audits

Now is the time for practices to fine-tune their security measures, because the HHS Office for Civil Rights (OCR) will likely be conducting another round of HIPAA audits. The agency planned to begin audits in the fall of 2014 but postponed them to update its web portal. An official start date has yet to be announced, but industry experts agree that practices should start preparing as soon as possible. This is especially important for small physician practices, as surveys have shown these providers struggle the most with compliance.

In October 2014, NueMD conducted a survey of more than 1,100 healthcare professionals to gauge their knowledge of HIPAA and preparedness for an audit. The results showed that only 32% of respondents were aware of upcoming HIPAA audits prior to taking the survey and just 35% said their business had conducted a mandatory HIPAA risk analysis.

The first step in preparing for a HIPAA audit is to create a detailed compliance plan. This is simply a written set of policies and procedures addressing every mandatory aspect of compliance within the practice. It should include the practice's risk analysis (required by the Security Rule), documentation of how protected health information is stored and transmitted, the responsibilities of the designated security and privacy officers, and the practice's response plan in the event of a breach. Auditors expect to see these documents, so a plan that exists only in someone's head does not count.

The NueMD survey found that 58% of respondents had a HIPAA compliance plan. That number may sound encouraging, but it is still low considering that a written plan is a basic element of compliance and one of the first things auditors will ask for. A separate HIPAA compliance survey conducted by SecurityMetrics found similar results: 45% of healthcare professionals said they do not have a formal HIPAA Risk Analysis Report and Risk Management Plan.
Practices that have not yet documented the various aspects of HIPAA compliance should do so as early as possible in 2015.
Fines for HIPAA violations can add up quickly and could be devastating to a practice that is not prepared.

By following the regulations of the Health Insurance Portability and Accountability Act, providing thorough HIPAA training for staff, and being diligent about the security of mobile devices that handle patient data, practices can protect their sensitive information and avoid hefty fines from the Office for Civil Rights.


Caleb Clarke is the Director of Strategic Development, Sales and Marketing at NueMD with more than 15 years of operational, sales and marketing experience across a broad range of companies. Prior to joining NueMD, he worked in the healthcare industry at a Managing General Underwriter and later at a managed care organization.