Hello! I’m Roy of Person Centered Tech. We know that you want to focus on your clients, so we provide articles, tools, and continuing education on how to best serve clients in the digital world.
(Sign up for other free articles addressing topics such as: telemental health, HIPAA, and practical technology tools!)
The Office of Civil Rights (“OCR” — the HIPAA People) just recently sent an email to HIPAA nerds like myself announcing a new HIPAA initiative at the local level. They said that their regional offices will start actively investigating small security breaches.
What’s a “small” breach to the HIPAA People?
This is where the “maybe” in my article title comes from.
The HIPAA rules do tell us what “large” and “small” mean. Specifically, a breach that impacts 500 or more individual people is “large.” Small is anything less than that.
In their letter, the OCR gave 5 examples of past times when they investigated and prosecuted small breaches. Of the 5 examples, 2 breaches affected more than 400 individuals; 2 breaches affected about 150 individuals; 1 of the reports didn’t say how many were affected.
Note well that someone who has been practicing for a while could certainly have records, emails, texts, etc. for 100-200 past clients on their computer, in their email, or in other places.
It’s important to note that the investigations cited in OCR’s email happened before the new initiative, so they may or may not be indicative of how small the OCR is willing to go. We know they aren’t made of money and human power, but we also know that they are experiencing an increased impetus to reduce healthcare data breaches across the US.
What is an “investigation?”
When the OCR investigates a reported breach, they will try to determine what happened to cause the breach to come about. They’ll look for how the breach could have been caused by lack of compliance.
However — and this is a huge however — when we’re talking about a security breach investigation, we’re talking about a situation where clients’ health information was actually breached. This is not the OCR coming around and making us jump through hoops in the name of compliance. In these cases, someone probably got hurt and the OCR is looking into it.
I’m not HIPAA compliant yet. What can I do to stop this from happening to me?
The OCR’s letter talked about breach circumstances that will make them more likely to investigate the breach. They seem especially interested in situations where breaches happen because cloud services got hacked, or because equipment got lost or stolen.
Not surprisingly, these are the most common causes of security breaches and the ones we most persistently try to teach people to prevent here at Person-Centered Tech.
We do have two free articles that can help you somewhat to prepare for this: an article on using encryption to protect your gear and an article on using 2-factor authentication to protect email and other cloud services.
The processes behind HIPAA and security breaches — as well as more details on how to prevent a breach that HIPAA requires you to report — are thoroughly explored in Level II of our Digital Confidentiality Course Series.
We also help our paid subscribers to investigate the online services they’d like to use and to make sure their own practice setup is strong and secure. It’s all part of the tech peace of mind we offer through Person-Centered Tech Support.
So using those resources will get me compliant?
The resources listed above can help you find low hanging fruit that you can pick to significantly reduce the likelihood of a security breach that will draw the attention of the OCR. While this kind of risk reduction has the wonderful added bonus of also reducing the risk that your clients will be the victims of a health care security breach, it actually isn’t the process for complying with HIPAA.
If you’re not sure what the actual process looks like, it is well described in our two free CE courses that we offer to our free newsletter subscribers. You can find more information and subscribe here.
We will help you all stay abreast of what’s going on with the new initiative. While it does indicate new liability risks for us, they aren’t immediately emergent risks. So they indicate a need to take action, but not fearful or anxious action. Fear will only make you do it wrong.
Always remember the Person-Centered Tech basic rule: go at the pace that allows you to get it done right and without fear — and keep your days off sacred. :)