Medical records security: Get it right and keep it safe

Editor’s note: Ancil Lea has worked in various aspects of medical software and healthcare marketing for nearly 30 years. He is the former coordinator for the Arkansas Office of Health Information Technology. Opinions, commentary and other essays posted in this space are wholly the view of the author(s). They may not represent the opinion of the owners of Talk Business & Politics.
––––––––––––––

When it comes to keeping your patient’s information safe and secure there are no mulligans or do overs for getting it right, as I just learned from a local medical conference. The fines are coming.

The news I heard at two recent conferences – the Arkansas Medical Group Manager Association (MGMA) conference and a joint conference of the Arkansas chapter of the Healthcare Information and Management Systems Society (HIMSS) and Arkansas Health Information Management Association (ArHIMA) – was sobering. Both conferences reinforced what I’ve come to believe about HIPAA and cyber security, and frightened me and many of the attendees.

The Arkansas HIMSS conference, (which focuses on hospitals and larger clinics around the state) merged this year with ArHIMA since their members are the ones on the front lines of dealing with patient information. The MGMA conference targeted office managers and administrators, so both conferences offered critical information for those working in these vital fields.

I came away from these conferences with two huge takeaways.

At the Arkansas HIMSS meeting, a representative from the Office of Civil Rights gave an informative presentation on HIPAA and violations and fines. (I have a link to her slide deck that I’d be happy to share with anyone who wants it. Just email me at [email protected].)

Her most telling statement about HIPAA fines came when she was talking about audits of clinics and hospitals: “We’re not in this for the money. We want to help put a plan together to bring you into compliance, while you’re paying your fine.”

What I got from this is that there are no mulligans, do-overs, or grace periods. Yikes! As I’ve said before, now more than ever is the time to get everything up to date in this area before you go through one of these audits and incur a seven-figure fine.

From the MGMA conference, I heard an ominous report of something I’ve been predicting for some time now.  The information systems (EHR and PMS) of clinics with fewer than 10 physicians/providers are now being hacked and held for ransom. Not some 200-bed hospital, but small clinics in Arkansas. When this happens, the hackers gain access to patient records, which they can read, copy, and possibly sell. I suspect that more of this is going on than is being reported.

So much for patient privacy.

What makes this even more disturbing is that at least one of these clinics had a reputable IT company helping them with their system, one of the top firms in the state.

So what do you do?

Now – right now – start taking the necessary steps to shore up your systems. Review your Security Risk Assessment and start adhering to it. Make sure your communications between providers and staff are encrypted and secure.

I’d also buy cyber security insurance, but that’s just me.