Over nearly three decades, Dallas pediatrician Joseph Schneider, MD, has watched health care slowly become more electronic.
As a founding member and past chair of the Texas Medical Association’s Health Information Technology Committee, he’s learned where electronic protected health information (ePHI) – anything from a patient’s name to biometric measures like fingerprints and photo identifiers – is most at risk.
“One of our staff members had old work files from another practice saved on his personal computer. He didn’t realize how that would put private information at risk, or how he could be in noncompliance of HIPAA rules by keeping old files. Mistakes like that just stem from confusion surrounding electronic regulations, like the HIPAA Security Rule,” said Dr. Schneider, a member of the Child Health Informatics Advisory Committee for the American Academy of Pediatrics.
As technology emerged and pushed medicine to move away from paper processes and rely more heavily on electronic information systems to pay claims, answer eligibility questions, provide health information, and conduct other administrative and clinical functions, so too did regulations like the HIPAA Security Rule.
While this meant the health care industry could be more flexible and efficient, widespread use of electronic technologies increased the potential for security risks and regulation confusion, Dr. Schneider says.
“Today, physicians use electronic health records (EHRs) for almost everything, from claims to care management. And it makes us fast and more knowledgeable,” he said. “But I’ve seen the jump from paper to technology, and how some small practices struggled to keep up with changing regulations.”
Federal agencies appear to be listening to concerns like Dr. Schneider’s.
To aid small and medium-sized practices in complying with the HIPAA Security Rule, federal officials have updated their risk assessment tool designed to help practices identify areas where ePHI is at risk. (See “What Counts as Protected Health Information?” page 39.)
Version 3.4 of the HIPAA Security Risk Assessment (SRA) Tool, released in September by the U.S. Office of the National Coordinator for Health Information Technology (ONC) and the U.S. Department of Health and Human Services (HHS) Office for Civil Rights, is free to physicians and practice managers.
Shannon Vogel, TMA’s associate vice president of health information technology, says the updated tool can help practices identify where information is at risk – across all technology used in health care settings.
“I’ve heard physicians say their electronic health record vendor is HIPAA-compliant, therefore they are. And that’s not necessarily true,” she said. “There are vulnerabilities even with your internet, Wi-Fi, phone system, your computer and software, and other ways beyond your EHR. This tool can help discover where your practice is most vulnerable.”
Austin internist Manish Naik, MD, chair of TMA’s Committee on Health Information Technology, adds the updated tool can help practices assess these additional risks.
“A technology-secure practice goes beyond what the technology vendors provide, and a security risk assessment will help you identify organizational weakness that can be strengthened over time,” he said.
Maintaining compliance
According to HHS, all ePHI “created, received, maintained, or transmitted” by a practice is subject to the HIPAA Security Rule. To comply with the HIPAA Security Rule, all practices must:
- Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit;
- Identify and protect against reasonable threats to the security or integrity of the information;
- Protect against improper uses or disclosures of ePHI;
- Ensure compliance by their workforce; and
- Implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI.
The updated tool is designed to aid practices with those regulations and requirements for physicians participating in Medicare’s Merit-Based Incentive Payment System (MIPS), who must attest to completing or updating a security risk assessment annually for MIPS’ promoting interoperability component.
Use of the tool does not mean a practice is compliant with the HIPAA Security Rule or other federal, state, or local laws and regulations, per ONC. But it does assist with the rule’s requirement for practices to conduct risk assessments to ensure they are compliant with HIPAA’s administrative, physical, and technical safeguards.
Dr. Schneider recommends using the tool in tandem with outside experts, like TMA’s Practice Management Services, to ensure comprehensive compliance (www.texmed.org/Consulting).
“One way to ensure compliance is to work with an expert, and TMA has a whole team of those with the skills and expertise to keep your practice safe,” he said. “I look to TMA first because I know they’ll maximize the benefit of using their services and maximize the value of my practice. The tool is helpful, but the experts are there for support just in case.”
The new HIPAA tool, compatible with most Windows desktop applications, informs users how to complete security risk assessments through multiple-choice questions and threat evaluations. References, supplementary guidance, and risk-assessment reports are available to save and print after the assessment is completed.
Version 3.4 contains several key updates based on user feedback, including:
- A remediation report, which allows users to log efforts taken by their practice to address risks;
- A new glossary and tips section, where users can learn more information about risk assessments and the tool’s features; and
- Bug fixes, usability enhancements, and references to the 2023 edition of the Health Industry Cybersecurity Practices publication.
Dr. Schneider believes this tool is first step in the right direction. Still, he warns practices to stay vigilant for threats.
“This is a dangerous world, and there’s all sorts of things that I wish we didn’t have to do to protect our information,” Dr. Schneider said. “But as we go electronic, we must make sure that our records are safe and protected.”