Just Googling the words “HIPAA violations” is enough to make any practitioner or CEO of the 700,000 individual organizations covered by the Health Insurance Portability and Accountability Act lose sleep.
HIPAA violations are ruining companies both from a financial and from a reputation standpoint. Headlines like “Group slapped with $6.8M HIPAA fine” and “HIPAA data breaches climb 138 percent” have decision-makers at these firms scrambling to protect themselves from becoming the subject of one of these articles.
But where do they turn for a solution? Most HIPAA-covered organizations cannot afford their own dedicated IT department and have to rely on contracted IT service providers for their IT support. However, the Fourth Annual Benchmark Study on Patient Privacy and Data Security found that 40 percent of healthcare providers are “not confident” in the ability of their contractors and subcontractors to manage sensitive patient information.
If you are a covered entity, how do you find a provider you can trust? What criteria can you use to select such an IT service provider?
We asked Ryan Rosencranz, owner of FullScope IT, a trusted Baltimore-area Managed Service Provider specializing in HIPAA-compliant IT solutions, to give us some suggestions.
Ryan started off saying, “My advice to anyone managing a healthcare practice is to look at the reputation and track record of each IT company they are considering to manage their IT systems. Do they have any other HIPAA-covered entities as clients? How many? How long have they been providing HIPAA-compliant solutions? Have any of their clients been cited for HIPAA violations? Has the IT company ever been cited?”
“Then I would ask what tools, both technical and non-technical, they have to audit HIPAA compliancy. Make sure they are willing to help you develop and enforce strict HIPAA-compliant IT policies within your organization, especially in regards to secure remote, protecting backup data, and the use of mobile devices, which seems to be the weakest link for HIPAA-covered entities. This includes providing the tools to encrypt backup data and laptops as well as the ability to remotely lock, locate and even wipe clean the data on mobile devices in the event they are stolen or lost.”
In a recent HIPAA violation case, the HHS Office for Civil Rights settled with two organizations for a combined $1,975,220 penalty after their unencrypted computers were stolen.
Rosencranz emphasized, “You should also have any candidate IT provider detail for you what policies and procedures they have in place to ensure their own HIPAA compliance. The rigor of their own HIPAA compliancy will be a good indicator of the professionalism and attention to detail they will exercise when taking care of yours. In addition to a compliance monitoring and reporting process, they should be doing a complete self-audit at least quarterly.”
In fact, HIPAA evaluation standard § 164.308(a)(8) does require covered entities, including IT service providers responsible for sensitive patient information, to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or audits. Most small to medium healthcare providers outsource the evaluations because they simply don’t have the resources to do the evaluations themselves.
But Rosencranz cautions, “While most IT services are seen as a price-driven commodity, HIPAA compliance support is not the area of your business where you want to be bargain shopping. A thorough baseline HIPAA audit, when done right, is a very intensive process and should run about $1000 for a small medical office and up to $5000 for a large multi-doctor location. Then quarterly audits should run around half those prices. That might sound like a lot of money, but having correctly documented, third-party HIPAA-compliancy audit reports in place will prove invaluable if your entity is ever investigated for liability or willful neglect in a suspected breach of sensitive patient data.”
In closing, Ryan told us, “I have to admit I was very surprised and concerned when I first saw the results of the Benchmark Study on Patient Privacy and Data Security. The fact that 4 out of 10 healthcare providers don’t trust their contractors and subcontractors doesn’t reflect well on the IT industry. In fact, I started calling my HIPAA-compliancy clients right after I saw the study results just to do a client climate survey and address any concerns they might have. Fortunately for us, all the clients I got a chance to speak to confirmed that we have their full trust and confidence. I can’t say why other healthcare professionals don’t have the same level of trust in their IT providers. I just know there are reliable IT service providers who can provide superior HIPAA-compliant IT support for healthcare providers and other covered entities. You just need to know what to look for and what questions to ask.”
To find out more about Ryan Rosencranz and his IT company visit http://www.fullscopeit.com.