The expression “waiting for the other shoe to drop” appears to have originated in the early 1900’s and is often associated with the arrival of a seemingly inevitable event. I speculate we are at that point in terms of ramped up HIPAA compliance enforcement. The recent Anthem data breach shined a significant spotlight on how vulnerable health information technology can be without the proper safeguards in place.
The Office for Civil Rights (OCR), the U.S. Department of Health and Human Services agency responsible for HIPAA oversight, has made a lot of noise about being more aggressive in enforcement of the regulations. You would think it is time for the proverbial other shoe to drop. But not so fast. With limited resources, there is only so much OCR can do. That needs to change. It will and probably soon.
There is now, and has been for a while, a lot at stake in terms of making sure healthcare providers and business associates have safeguards in place to properly secure patients’ protected health information. If major healthcare plans like Anthem are not making sure they are meeting all the HIPAA required implementation specifications, what can be said for smaller healthcare providers?
The Ponemon Institute recently released its “Fifth Annual Study on Medical Identity Theft.” Among the findings, the study discovered that “consumers expect healthcare providers to be proactive in preventing and detecting medical identity theft.” What was surprising is that “many respondents are not confident in the security practices of their healthcare provider.” Another interesting outcome of study was that “79 percent of respondents say it is important for healthcare providers to ensure the privacy of their health records,” and almost half of those respondents said “they would consider changing healthcare providers if their medical records were lost or stolen.”
The results of the Ponemon study must be a wakeup call for healthcare providers. Can you afford to have half of your patients leave your practice if a breach occurs? As a healthcare provider, don’t be surprised if patients start asking about how you are securing their protected health information (PHI). With all the recent data breaches in retail stores like Target, Sony PSN and Home Depot, consumers realize the vulnerabilities associated with the use of credit cards. As these same consumers seek healthcare services, it will be only a matter of time before questions are asked about safeguarding PHI.
As a healthcare provider or business associate, make sure you are doing everything you can to protect health information. It goes way beyond a checklist. A robust HIPAA compliance program must be in place, regardless of the size of your practice or business. If you cannot meet all the HIPAA requirements by doing it in-house, consider outsourcing this responsibility. Take the burden off the plate of your office or practice manager or designated HIPAA officer.
There is still time before that other shoe drops.