The Path to Paperless

Computer Security Lapses Can Be Costly

You risk being hacked. You also could be hit with a big fine.

By Peter J. Polack, MD, FACS

Along with the widespread use of computers in medicine comes a greater need for security measures. Apart from being a good business practice, these security measures are also part of the Meaningful Use (MU) standards. But make no mistake, computer security is more than just changing your password now and then. In fact, recent legislation explicitly spells out what is expected of any person or entity dealing with personal health information.

The HITECH Act not only sets down specific computer security requirements that were first mentioned in HIPAA, but also describes penalties for not doing so. All of this also has extra teeth in the form of an enforcement agency, the Office of Civil Rights (OCR), a part of HHS.

Be warned. The OCR will have a 5% budget shortfall and OCR may make this up by increasing the number of penalties and fines levied on anyone who violates HITECH. This still leaves it with a $66 million budget for enforcement — money on which OCR expects to see a return.

Examples of Security Lapses

Here are a couple of recent cases that illustrate the shape of things to come in HITECH enforcement:

In March of this year, the Utah State Department of Health, a fairly large entity, suffered a computer breach when two of its servers were hacked into. As a result, over 100,000 patient records were taken. The OCR found that the agency did not have appropriate levels of security in place when the servers were set up. This case is still pending and it is unclear what sanctions will be dealt.

In April 2012, the Phoenix Cardiac Surgery Center, a five-physician group, agreed to pay a $100,000 fine as part of a settlement with the OCR. The OCR found that the practice was posting clinical and surgical appointments for its patients on a publicly accessible Internet-based calendar. This, apparently after also being warned that its security was in need of being upgraded.

One Violation Can Sink a Practice

Just like the IRS, the OCR will most likely follow the path of least resistance and go after medical practices and other entities that stand out. While a small practice is less likely to attract the OCR's attention than a hospital, its resources are also significantly smaller than the hospital's. It could only take one violation to deal the practice a serious if not fatal blow.

What can you do now?

• Don't think that a government action can't happen to you.
• Put in place at least some level of basic computer security protocols. Make it part of your employee manual and have staff members sign off on them. Being able to demonstrate that you are trying to comply can go a long way when it comes to an audit.
• If you're not sure where to start, look to the credit card industry for some guidance. The PCI DSS (Payment Card Industry Data Industry Data Security Standard) is a widely accepted set of policies and procedures for ensuring the safety of personal financial data. There are Web sites that can help you perform a self-assessment and show you where you might have gaps in compliance.
• Contact an expert in network security compliance, particularly someone with experience in healthcare IT.
• If you are audited, don't be belligerent. Some experts say the heavy fine set on the Phoenix group was due in part to their refusal to correct deficiencies that had been previously identified. OM

Thanks to Mike Meikle of Hawkthorne Consulting, a healthcare consultancy based in Richmond, Va., for his help on this article.

Peter J. Polack, MD, FACS, is co-managing partner for Ocala Eye, a multisubspecialty ophthalmology practice located in Ocala, Fla. He is also founder of Emedikon, an online practice management resource for physicians and administrators.