General Surgery Coding Alert

Lockdown physical and virtual access.

HIPAA enforcement actions are bad news for the recipient, but if you're smart, you'll learn from others' mistakes.

Read on to see how experts interpret recent HHS Office for Civil Rights (OCR) actions against Fresenius Medical Care North America (FMCNA) to guide your surgery practice to greater compliance.

Tip 1: Confirm Physical Safeguards are Rock Solid

The HIPAA Security Rule requires you to aggressively protect your practice locations from "unauthorized access, tampering, and theft," according to the OCR.

That means you need to ensure your practice has tight controls over not only electronics like workstations, laptops, mobile devices, and medical equipment to avoid illegal access, but also security for the facilities themselves that stop intruders from damaging and stealing equipment.

Ask yourself these questions about the physical safety of your office and equipment:

• Is there a security system to protect the practice from unlawful entry?
• Are all devices inventoried?
• Is there a list of who has access to the building and the health information technology (HIT)?

Insight: "The high impact cases OCR moves forward with are intended to send a message to the industry," explains attorney Kathleen D. Kenney of Polsinelli LLP in Chicago, Illinois. "With that in mind, I advise our clients to use these cases as learning opportunities.

"Ask 'could this happen to my organization?'" Kenney stresses. "And, if the answer is 'yes,' use it as an opportunity to voluntarily take corrective measures."

Tip 2: Outline Access, Movement, and Removal of Practice HIT

One of FMCNA's sites lacked the proper HIPAA protocols to fully protect its "hardware and electronic media that contain ePHI" from moving in, out, and around the facility, the OCR release mentioned.

Consider these questions related to the "Administrative Safeguards" section of the HIPAA Security rule that specifically reference the movement and control of health IT:

• Have you designated an employee or staff as "security personnel" to oversee your risk management and the HIPAA compliance?
• Are your security protocols in line with your risk analysis and practice needs?
• Do your employees know who the compliance officer and health IT staff are?

Insight: "As devices get smaller and more portable, the potential for lost or stolen or misplaced data increases - and so does the risk for a breach," warns Peter Arbuthnot, regulatory analyst with American HealthTech in Jacksonville, Mississippi. That's why it's essential to clearly state who's in charge of the maintenance, care, and updates of practice technology.

Tip 3: Encrypt ePHI and Maintain Device Control

More and more large-scale breaches fall prey to device management issues that lead to the loss of electronic protected health information (ePHI). The FMCNA case involved failure to implement encryption strategies. When you encrypt and decrypt ePHI, set strong password protection on your mobile devices, and implement at-rest and remote access rules, you are protecting your patients and your livelihood. Check these three questions and see if you risk the exposure of ePHI:

• Is there a plan in place to protect your data if your devices go missing?
• Are you utilizing multifactor authentication and at-rest protocols for your devices?
• Is your data encrypted and decrypted appropriately, meeting Security rule standards?

Insight: "If you do have a breach in your networks, or if a device containing PHI is stolen, proper encryption can be a lifesaver," points out Brand Barney, HCISPP, CISSP, QSA, security analyst with Security Metrics in Orem, Utah. "If your data is properly encrypted using industry-accepted encryption strengths, you don't have a breach. And it's also a requirement for HIPAA."

Resource: For a closer look at the HIPAA Security rule, visit www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html.