
The Best Defense Against a HIPAA Breach Is a Focus on Preparation

The appeal of stolen medical records makes our industry a high-value target for hackers. When speaking to a group of doctors, I often ask, "Who believes they are HIPAA compliant?" The number of hands I see raised rapidly declines as I go through a checklist of requirements.

It’s not if you’re going to be attacked, but when.


Cyber security professionals accept this maxim and live by it, and so should you. As a result, our behavior is focused on preparation: being ready for when, not if, we get hit. Yours should be too. Officials at the Office for Civil Rights (OCR), those tasked with enforcing HIPAA, have gone on record stating, "there are two types of medical practices out there – those who know they've been breached, and those who don't know it yet." As a healthcare entity (or vendor), part of being prepared is being HIPAA compliant.

A Checklist to Be HIPAA Compliant

  1. Conducting a risk assessment regularly is a requirement. You'll know you've done one when you can provide a Risk Assessment Report that addresses administrative safeguards, physical safeguards, technical safeguards, organizational requirements, and policy and procedure requirements. If you don't have a current copy of this report, you are not HIPAA compliant.
  2. Recurrent workforce training is the single, most important step you can take for prevention. You need to be training your staff at least annually. Additionally, as soon as a training session is completed, you need to schedule the next one. You should always have a training scheduled on the books.
  3. Address your policies and procedures on a regular basis. We’re seeing an increasing number of violations citing a failure to adhere to stated policies. This is easily prevented by making sure your actions and business practices match your policies.
  4. Implement an ongoing risk management process. This differs from what CAP does for your medical malpractice risk management. The best way to do this is to hire a professional HIPAA compliance company to handle all of this for you.

The only certain way to survive a cyber attack is with a robust backup solution.

It's not enough to have a local or a remote backup policy; you also need to have current offline copies. The most efficient way to accomplish this is with a business disaster recovery device, BDR for short. Dozens of practices have been saved from potentially catastrophic disaster by making the investment before an unforeseen event hit them. It's far better to share that story than the story of lost data and hours or days of downtime.


Jeff Mongelli is CEO of Acentec, Inc., a nationwide provider of HIPAA compliance and medical IT management services. If you have any questions about this article or would like recommendations, please contact him for a free consultation at 800-970-0402 or jeffm@acentec.com

The information in this publication should not be considered legal or medical advice applicable to a specific situation. Legal guidance for individual matters should be obtained from a retained attorney.