Our partner Elizabeth Litten and I were once again quoted by our good friend Marla Durben Hirsch in her recent articles in Medical Practice Compliance Alert entitled “Misapplication of Internet Application Triggers $218,400 Settlement” and “Protect Patient Data on the Internet with These 6 Steps.”  The three of us together were able to come up with a number of ideas to assist physicians in improving the likelihood that protected health information (“PHI”) will be more secure. The full text can be found in the August 17, 2015 issue of Medical Practice Compliance Alert, but a synopsis of our input is included below.

Internet applications and files should be included in a physician practice’s HIPAA compliance plan, or a violation may result.  As an example, St. Elizabeth’s Medical Center (“SEMC”) in Brighton, MA recently settled several potential HIPAA violations for $218,400 with the Office of Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”).  One of the incidents involved SEMC’s use of an unauthorized internet-based document. The size of this settlement highlights the concerns of OCR about misuse by healthcare providers of internet-based document sharing or other applications.

Some steps to protect patient data on the internet include the following:

  1. Review the internet applications your practice uses. Litten says, “Take steps such as encryption to protect the data when it’s shared, transmitted and stored.”
  2. Ask the application’s manufacturer about its security safeguards. “If a manufacturer claims that (its application) is HIPAA protected, ask what that means,” Litten urges.
  3. Investigate all internal and external complaints and concerns. Kline says, “Expect the government to find out about PHI exposed on the Internet from a third party.”
  4. Keep track of the steps you take to identify and fix the problem. “You do better if you have a history that you endeavored to comply with HIPAA,” says Kline.
  5. Provide a mechanism by which employees can report concerns anonymously. Kline suggests, “You need a private place where people feel they’re not being watched.”
  6. Don’t allow staff to use unauthorized public networks. “Don’t open documents in, say, a Starbucks,” warns Litten.

In summary, in order for physicians to protect their practices, they must be certain that they understand HIPAA obligations with respect to privacy and security in the context of internet application usage.