Healthcare attorney Matthew Fisher on how providers can work toward better compliance policies and avoid common mistakes.
“As soon as you identify issues that could turn into problems, you have to seek help. And don’t try to do it alone,” said Matt Fisher at the HIMSS Security Forum in Boston.
For a healthcare organization to be HIPAA compliant, it needs to ensure the right patient controls and rights are in place when it comes to protected health information. But in an age where cyber threats are growing in both sophistication and number, that adds a level of complexity.
HIPAA was established before these cyber threats became such an issue, which can cause some challenges with trying to keep up, said Matt Fisher, partner with Mirick O’Connell, in opening the HIPAA compliance session at the Healthcare Security Forum on Monday.
“The best thing an organization can do is try to stay ahead of the issues,” Fisher said. “As soon as you identify issues that could turn into problems, you have to seek help. And don’t try to do it alone.”
In fact, it’s cheaper to take care of issues up front than to try to fix them after an incident has occurred, explained Fisher. Some of Fisher’s clients have attempted this route, but the thought process is flawed due to healthcare’s “particular issues and nuances that can cause an organization to foul up.”
For Fisher, there are five large challenges when it comes to ensuring HIPAA compliance.
First, many healthcare providers make the mistake of assuming general insurance is enough to cover cyber incidents. But Fisher said that’s simply not the case.
“Your coverage is based on the premium you pay. When you have general coverage, it’s meant for the other areas of your organization,” said Fisher. “Cyberattacks are also a near-certainty at this point, and the insurance company will only make a profit by holding onto money.”
As a result, general insurance isn’t enough. Fisher said insurance companies are still developing their own models for what they will offer as cyber coverage.
“If you’re not fully accurate in what is covered by your policy, you’re wrong about your organization’s security efforts,” said Fisher.
Part of that is performing a risk assessment across the organization — and not attempting to go it alone, said Fisher. When reviewing systems and activities, it’s best to blend outsourcing and insourcing to make sure the assessment is done correctly.
Social media is another area where organizations need a plan to make sure all communications are HIPAA compliant. Fisher explained that providers can’t go into using social media platforms haphazardly.
“As much as social media is just another form of communication, you can always make a misstatement,” said Fisher. “The difference with social media is that once you put something out there, it’s impossible to get it back. Even if you delete it, it can be archived somewhere.”
“It’s about thinking through the different elements to make sure you’re doing what you need to do,” he added. “If you actually think about what you want to do and get the right people involved, you can make a positive impact.”
Another consideration is with business associate agreements. Fisher said he still hears from clients who admit they haven’t read the document before signing. But the issue is that the “BAA is a legal contract — and you’re obligated to comply.”
State laws should be considered, as well.
Providers also often fall victim to vendors that claim to be ‘HIPAA-certified.’ But here’s the problem: These companies are deceiving organizations, as “there’s no such thing as being designated HIPAA compliant or certified. A product, by itself, cannot be compliant,” said Fisher.
“HIPAA applies to covered entities and business associates,” said Fisher. “Relying on statements from vendors will just lead you into trouble… Security can be an issue, and there will be troubles that arise, but you always have to ask questions.”