
Protecting Patient Information: Four Focus Areas for Community Health Centers

Monday, October 14, 2019



In the past three years, headlines proclaiming healthcare data breaches or HIPAA breach penalties have become a near-daily staple. In 2018, there were over 500 health data breaches reported to HHS and the media.


It has become increasingly clear that cybersecurity is a risk factor in healthcare, sometimes with devastating consequences. As a recent example, a California medical clinic announced in September that it would be closing its doors permanently due to a ransomware attack, after finding it was unable to restore its backup data. Following HIPAA security requirements and related best practices is vitally important for healthcare providers.


Health centers, perhaps more than other organizations, have been aware of and accountable to the HIPAA Security Rule requirements to protect patient information since 1996 when legislation was passed. Some other organizations may have been able to avoid inspection of their HIPAA compliance, but these requirements have long been a factor in HRSA guidelines and audits.


Health centers must remain vigilant in ensuring their employee training and safeguards are adequate for today’s workflows, technologies, and threats. We have a responsibility to our patients to protect their information. The financial and public relations impact of a major breach can be destructive.


Here are four focus areas for health centers to ensure they are protecting their organizations and their patients.

1. Build a culture of compliance and instill a healthy level of paranoia.

Building a culture of compliance requires more than annual training. Clinics can support their employees with ongoing awareness activities. Some groups utilize a tip-of-the-week email or a 5-minute talk in team meetings.


Employees should feel they will be supported when reporting an inadvertent breach event. In many cases, a clinic can focus on workflow improvement to help employees avoid the error in the future. This underlines the organization’s commitment to protecting their employees and their patients.


Healthcare organizations are also running “phishing expeditions,” testing employees with suspicious emails that solicit their password or other confidential information. These exercises are followed by targeted training. Phishing continues to be a common point of entry for hackers, sometimes leading to destructive ransomware events. Once your employees are reviewing their emails with a healthy level of paranoia, you have taken a significant step in reducing risk in this area.


An HHS guideline stated, “Protecting patients through good information security practices should be as second nature to the healthcare organization as sanitary practices.”


2. Complete an organization-wide security risk analysis.


The HIPAA Security Rule requires all HIPAA-covered entities to conduct a regular security risk analysis (SRA). Payment programs such as the CMS Merit-Based Incentive Payment System have established an annual cadence as a standard for SRAs. Conducting a complete privacy and security risk analysis is a critical step for health centers to identify opportunities and focus areas.



The lack of an organization-wide security risk analysis is a factor in penalties issued by the Office of Civil Rights. The OCR called this out in a $400,000 penalty against a community health center in 2017. “Prior to the breach incident, (the health center) had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis.”


Platforms such as Medcurity offer a guided SRA to help an organization understand and assess its risk, and then track remediation all year. Medcurity can be used as an on-demand, self-service tool, or Medcurity professionals can come onsite for an audit from a third-party perspective. Following the SRA, clinic leaders can manage their HIPAA compliance tasks and risk levels with executive dashboards, and assign team members to specific tasks or categories.


3. Audit and enforce your business associate agreement policy.


Through significant penalties this past year, the Office of Civil Rights has brought attention to the criticality of executing business associate agreements (BAAs). Healthcare providers have been penalized for vendors’ breaches, where there was no BAA in place. Health centers must have a BAA policy established that outlines process, ownership, and review period.


To support what is commonly a paper process, Medcurity released an online BAA management tool this year. Agreements can be created, customized, and sent for electronic signature. Through the platform, all BAAs are tracked in one location and can be sent out for refresh and e-signature on a schedule in accordance with your policy.


Beyond the BAA, some organizations are taking a more active role in managing vendor risk. Your business associates should be able to produce a recent security risk analysis, a backup and disaster recovery plan, and any other documentation you need to validate their HIPAA compliance efforts.


4. Review technical controls in light of today’s threat environment.


Health centers that have established information security basics, such as an adequate firewall and maintained antivirus, should continue to evaluate and mature their security measures. To supplement the security risk analysis (focus area 2), health centers should strongly consider a network penetration test or a more comprehensive network vulnerability scan.


Mobile devices have become widely adopted in clinical environments, and these devices are easy to lose and vulnerable to theft. The related risk must be addressed with policies, encryption, and remote management. A health system in Texas was penalized more than $4 million after an unencrypted laptop and several thumb drives were stolen. Clear policies should be established to define allowable use and appropriate controls. Mobile devices that cannot support encryption should not be used.


For years, community health centers have led the way in healthcare innovation. To protect the organization and their patients, health center leaders must ensure that privacy and security are recognized indisputably as aspects of the primary mission.





Joe Gellatly is the CEO and co-founder of Medcurity, Inc. Medcurity.com is the online platform for conducting HIPAA Security Risk Assessments, creating and maintaining policies, and managing business associate agreements.


Medcurity can be reached at (509) 867-3645, or through our website, Medcurity.com.






NWRPCA welcomes and regularly publishes white papers and articles submitted by members, partners and associates with subject matter expertise. The appearance of any guest publication in our Health Center News database represents the views of the author and does not constitute endorsement by NWRPCA of the stated opinions or perspectives, nor does it suggest endorsement of the contributor's products or services.
