Healthcare providers, health plans, healthcare clearinghouses, and their business associates are all required to comply with the HIPAA Rules; however, there are unique challenges for small medical practices. Large healthcare organizations have greater resources to devote to compliance, and can attract and pay for dedicated compliance professionals, in-house IT and cybersecurity staff, cutting-edge cybersecurity solutions, and staff training programs.
Small medical practices have limited resources and are forced to make difficult decisions about where to allocate funds due to budget constraints. Investments in the business that boost revenue and profits often take priority over investments to ensure HIPAA compliance and improve cybersecurity. Small practices often cannot afford to have a dedicated HIPAA Privacy and Security Officer, and compliance duties fall on administrative staff, nurses, and physicians, who have many other responsibilities. There may also not be an in-house IT department to oversee security.
Despite financial constraints, HIPAA compliance and cybersecurity are not optional. The HHS’ Office for Civil Rights (OCR) has made it clear that the size of a practice is irrelevant when it comes to HIPAA compliance. While OCR has previously focused its enforcement efforts on larger practices, in recent years, OCR has taken a keen interest in smaller practices and has imposed several penalties for noncompliance. OCR has made it clear with these penalties that small medical practices can no longer fly under the radar.
The probability of noncompliance being discovered is increasing. While hackers and ransomware groups have historically focused their efforts on attacking larger healthcare organizations with deeper pockets, smaller healthcare practices are increasingly being targeted for the simple reason that they are easier to attack, as they have fewer resources to devote to cybersecurity. Healthcare organizations of all sizes are also at risk from insider threats, more so than any other sector.
OCR’s figures show a 239% increase in hacking-related data breaches between 2018 and 2023, and a 278% increase in ransomware attacks. OCR investigates all data breaches affecting 500 or more individuals to determine if they were due to noncompliance, as well as many smaller breaches. Complaints about potential HIPAA violations are also being reported to OCR in record numbers, and OCR has rekindled its HIPAA audit program. Noncompliance has never been more likely to be discovered.
HIPAA Compliance Challenges for Small Medical Practices to Overcome
With fewer resources available to devote to HIPAA compliance, achieving and maintaining HIPAA compliance can be a real challenge for small and medium-sized healthcare providers. While small practices are not expected to invest as heavily in cybersecurity as large healthcare providers, they must ensure that they have appropriate measures, relative to their size, to protect against common cybersecurity threats.
Small medical practices must ensure they have written policies and procedures to demonstrate their good faith effort to comply with the HIPAA Rules. HIPAA compliance is not inherently complicated. The HIPAA Rules are publicly available, and OCR has created many resources to help small practices achieve and maintain compliance, yet there are several areas where smaller practices have compliance programs that fall short of requirements.
Document All HIPAA Compliance Efforts
A lack of documentation to prove HIPAA compliance is all too common. As far as OCR is concerned, if it hasn’t been documented, it didn’t happen. If a complaint or data breach is investigated, the first thing OCR will request is documentation to demonstrate HIPAA compliance in the area under investigation. That may be policies and procedures for responding to patients who exercise their rights under HIPAA, HIPAA and security awareness training records, incident response plans, and patient notifications, or evidence that a risk analysis has been conducted and risks have been reduced to a reasonable and appropriate level. Many financial penalties have resulted from the failure to document the practice’s good-faith effort to comply with the HIPAA Rules. Maintaining accurate documentation is a fundamental requirement of HIPAA.
Conduct Regular Risk Analyses
The most commonly identified HIPAA violation is the failure to conduct an accurate and comprehensive risk analysis. Under OCR’s current enforcement initiative, proof that a risk analysis has been conducted will need to be provided in the event of a data breach investigation. Risk analyses are ongoing requirements that should be conducted annually, and following any material change to policies and procedures, or when new technology is introduced.
The “comprehensive” requirement means that there is a prerequisite to the risk analysis. An accurate and up-to-date inventory of all devices and locations where PHI is stored, maintained, transmitted, or accessed is required, on which the risk analysis can be based. Take advantage of the HHS Security Risk Assessment tool, which has been developed specifically to help small and medium-sized healthcare providers by walking them through the risk analysis process. You must also ensure that everything is documented so you can demonstrate that an accurate and comprehensive risk analysis has been conducted. Naturally, any identified risks and vulnerabilities must be mitigated in a timely manner.
Reduce the Risk of Human Error with Regular Training
Staff training often gets neglected. It can be difficult with a small workforce to take workers away from their work duties and provide regular training on HIPAA policies and procedures, as well as security awareness training. Training should be provided at hire, and refresher training provided annually. Take advantage of training vendors and third-party courses if you lack the internal resources to develop your own training courses.
Training should teach employees about their responsibilities with respect to the privacy and security of PHI, patient rights under HIPAA, social media use, and the correct handling of PHI in all forms. Ensure you provide regular security awareness training covering common threats such as phishing, social engineering, and malware, and educate the workforce on security best practices. To develop a culture of compliance, staff members must be given proper education, and through regular training, you will be able to prevent many accidental HIPAA violations. Bear in mind that patients have become a lot more knowledgeable about HIPAA and their rights, and complaints about potential HIPAA violations are being reported in record numbers.
Maintain Business Associate Agreements with All Vendors
With limited resources, small medical practices will naturally need to outsource some functions to third-party service providers such as IT companies, managed services providers, cloud providers, software providers, revenue cycle management companies, and more. A small practice may rely on two dozen or more vendors, and each one that requires contact with PHI must sign a business associate agreement (BAA) before being provided with access to PHI.
The BAA should make clear what the vendor’s responsibilities are under HIPAA, the safeguards that are required to protect PHI, and the requirement to obtain a BAA before using any subcontractor that requires access to PHI. The BAA should stipulate responsibilities and timeframes for reporting security incidents. There are many free templates available on which small practices can base their business associate agreements.
Business associates should be vetted to ensure their security is up to scratch, which can be time-consuming for small practices. Time can be saved by choosing vendors who can provide evidence of their security practices and who attest that their products or services are HIPAA compliant.
Implement Strong Access Controls
Small medical practices are likely to be targeted with phishing, social engineering, and brute force attempts to guess credentials. To counter these threats, practices need to have strong access controls. Each member of the workforce must have unique credentials, password complexity requirements should be set and enforced in line with current NIST recommendations, and multi-factor authentication should be implemented to add an additional layer of security, especially for any Internet-accessible account or system.
Maintain and Review Security Event Logs and PHI Access
Even with the best security, cybercriminals may exploit human weaknesses or find a way to access your network. Data encryption at rest and in transit is strongly recommended, and a requirement of HIPAA unless an alternative safeguard is implemented that provides an equivalent level of protection. Regular backups must be performed of all critical data, backups checked to make sure data recovery is possible, and backups should be stored securely off-site. Small practices have been forced to permanently close due to the inability to recover data following a ransomware attack.
HIPAA requires detailed audit logs to be created, maintained, and reviewed to identify access, use, copying, and modification of ePHI. The logs should be continuously monitored, which, for small practices with limited resources, naturally requires automation. Consider partnering with a managed service provider (MSP) or managed security service provider (MSSP) and leveraging their expertise and monitoring capabilities. Without an automated system for monitoring ePHI access logs, including AI-aided detection of anomalous activity, privacy violations can continue for years.
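The kind of automated review described above can start with simple rules before any AI-aided tooling is involved. The script below is an added example written for this page, not code from The HIPAA Journal, an EHR vendor or an MSSP. It reads a constructed key=value access log and raises three common privacy-review alerts: access outside business hours, a staff member opening their own record, and a burst of distinct patient records opened in a short window. The log format, the 07:00-19:00 business hours, the five-records-in-ten-minutes threshold and the employee-to-patient-id mapping are all assumptions made for the example.

```python
"""Rule-based review of an ePHI access log (added example, not from The HIPAA Journal).

The log format, business hours, bulk-access threshold and the
employee-to-patient mapping are constructed assumptions for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+patient=(?P<patient>\S+)"
)

BUSINESS_HOURS = (7, 19)            # assumption: 07:00-19:00 is normal clinic access
BULK_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 5                  # assumption: 5+ distinct patients in 10 min is unusual here
# Assumption: staff who are also patients of the practice. Looking up one's own
# (or a relative's) record is a classic finding of access-log review.
EMPLOYEE_PATIENT_IDS = {"dr.lee": "P2000"}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def review_log(lines):
    """Return a list of alerts ({rule, user, time, detail}) for the given log lines."""
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    recent = defaultdict(deque)     # user -> (ts, patient) events inside BULK_WINDOW
    bulk_alerted = set()            # one bulk alert per user, not one per event
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        # Rule 1: access outside business hours.
        if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            alerts.append({"rule": "after_hours", "user": user, "time": ts.isoformat(),
                           "detail": f"{ev['action']} on {ev['patient']} at {ts.strftime('%H:%M')}"})
        # Rule 2: a staff member opening their own record.
        if EMPLOYEE_PATIENT_IDS.get(user) == ev["patient"]:
            alerts.append({"rule": "self_access", "user": user, "time": ts.isoformat(),
                           "detail": f"{ev['action']} on own record {ev['patient']}"})
        # Rule 3: many distinct records opened in a short window.
        window = recent[user]
        window.append((ts, ev["patient"]))
        while window and ts - window[0][0] > BULK_WINDOW:
            window.popleft()
        distinct = {patient for _, patient in window}
        if len(distinct) >= BULK_THRESHOLD and user not in bulk_alerted:
            bulk_alerted.add(user)
            alerts.append({"rule": "bulk_access", "user": user, "time": ts.isoformat(),
                           "detail": f"{len(distinct)} distinct patients within {BULK_WINDOW}"})
    return alerts


# Constructed sample log: routine nursing access, one after-hours lookup, a
# burst of record views, and a staff member viewing their own record.
SAMPLE_LOG = [
    "2024-03-04T08:12:03 user=nurse.kim action=VIEW patient=P1001",
    "2024-03-04T08:15:40 user=nurse.kim action=UPDATE patient=P1001",
    "2024-03-04T02:13:55 user=jdoe action=VIEW patient=P1002",
    "2024-03-04T09:00:01 user=jdoe action=VIEW patient=P1003",
    "2024-03-04T09:00:07 user=jdoe action=VIEW patient=P1004",
    "2024-03-04T09:00:12 user=jdoe action=VIEW patient=P1005",
    "2024-03-04T09:00:19 user=jdoe action=VIEW patient=P1006",
    "2024-03-04T09:00:25 user=jdoe action=VIEW patient=P1007",
    "2024-03-04T10:30:00 user=dr.lee action=VIEW patient=P2000",
]

if __name__ == "__main__":
    for alert in review_log(SAMPLE_LOG):
        print(f"[{alert['rule']}] {alert['user']} {alert['time']}: {alert['detail']}")
```

Each alert is a starting point for a documented review, not a conclusion: the after-hours rule will fire on legitimate on-call work, and the thresholds should be tuned to the practice's own access patterns. Keeping the alert list and the reviewer's disposition of each one is the kind of record OCR asks for when it requests evidence that audit logs are reviewed.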
Develop and Test an Incident Response and Business Continuity Plan
Small practices must prepare for the worst and assume that there will be a breach or HIPAA violation. An incident response plan must be developed that includes procedures to follow in the event of a cyberattack or event that damages information systems containing ePHI, or involves potential unauthorized access or disclosures.
The plan must include each individual’s responsibilities, the procedures that must be followed, processes for mitigating damage, and vendors that can assist, such as digital forensics experts and cybersecurity professionals. The plan must be tested to ensure that it is effective and that everyone is aware of their responsibilities. The incident response plan should also include policies and procedures for issuing notifications to the HHS, affected individuals, and the media. Small practices have been fined for breach response failures.
Prioritize Cybersecurity Spending to Get the Biggest Bang for Each Buck
Budgetary constraints at small medical practices mean difficult decisions must be made about cybersecurity, so each security product purchased must have a significant impact on reducing risk. Leverage affordable tools to ensure that email is secured, encrypt data at rest and in transit as far as is possible, and take advantage of HIPAA-compliant service providers rather than trying to build your own security from scratch. Enlist the services of an MSP or MSSP to assist with Security Rule compliance and benefit from their expertise; just make sure the vendor’s responsibilities are clearly stated in the BAA and service level agreement.
Small practices may have to make compromises as their resources may not stretch to cutting-edge security in every area. To get the biggest bang for each buck, the HHS Cybersecurity Performance Goals are a good place to start. They include proven cybersecurity measures that will have the biggest impact on improving your security posture.
Keep Up to Date with Regulatory Changes
Major changes to the HIPAA Rules are relatively infrequent, but there are pending Privacy Rule and Security Rule updates, and minor changes are more frequent. It is the responsibility of small medical practices to keep up to date with regulatory changes, as a lack of knowledge is not a valid excuse for noncompliance. Keeping abreast of any proposed HIPAA changes will give small practice owners plenty of time to make the necessary updates to their policies, procedures, and data privacy and security practices. Regularly check the HHS.gov website for proposed updates and new guidance, and sign up for The HIPAA Journal newsletter to get updates sent directly to your inbox.
HIPAA Compliance is a Continuous Process
HIPAA compliance is a continuous process, not a one-time effort at checking all the compliance boxes, and that naturally requires an investment in time and resources. To ensure compliance is maintained, consider conducting annual HIPAA audits and documentation checks, and regularly review privacy and security policies to ensure that they continue to be effective. Investing time and resources into developing your compliance program will be money well spent.
Steve Alder, Editor-in-Chief, HIPAA Journal