Managing Your Practice

Don’t forget HIPAA


In the struggle to understand and comply with new regulations, it’s easy to neglect older ones. Recently, I suggested reviewing your practice for potential Occupational Safety and Health Administration violations, which can be far more costly than anything MACRA has in store.

The same goes for HIPAA: violations can be just as costly, especially in view of renewed government enforcement and some disturbing trends at completely unrelated government agencies.

Dr. Joseph S. Eastern practices dermatology and dermatologic surgery in Belleville, N.J.

As I wrote some time ago, the Office for Civil Rights (OCR) – which is responsible for enforcing HIPAA rules – launched a permanent audit program last year (Dermatology News, March 2016, page 62). You may recall the story of the Massachusetts dermatology group that lost a thumb drive containing unencrypted patient records, which cost them $150,000 in fines, even though there was no evidence that the information was ever found or exploited. That and similar examples signal the importance of reviewing your practice’s HIPAA compliance on a regular basis.

Your most basic review should be a yearly examination of every part of your office where patient information is handled to identify potential violations. Examples discovered in my office included computers at our front desk whose screens were visible to patients checking in or out; laptops that were left on counters overnight; emails between staff involving patients or their care; and documents slated for shredding that remained in a “to shred” bin for days. All of these issues were easily solved at minimal cost – respectively, screen protectors, locking all laptops after hours, new email rules, and eliminating the “to shred” bin, forcing immediate shredding of all sensitive documents. Make sure you correct any problems you find before the OCR auditors come calling. You can compare your office’s compliance status against the recommendations listed on the OCR website.

Where safeguarding protected health information is concerned, you must now assume the worst-case scenario: Previously, when protected health information was compromised, you would have to notify the affected patients (and the government) only if there was a “significant risk of financial or reputational harm.” But now, any incident involving patient records is assumed to be a breach, and must be reported. Failure to do so could subject your practice to significant fines.

The biggest vulnerability in most practices is probably mobile devices carrying patient data, and that’s where the disturbing new trend comes in: Governments, both foreign and domestic, have developed an interest in the personal data on your devices. Travelers, including American citizens, are now being pressured into giving Customs and Border Protection officers access to their cellphones and laptops at airports.

As a physician, you can invoke HIPAA in such situations, since your devices likely contain patient data in some form. But rules may vary depending on where you are traveling to or from, and officials in other countries are not bound by U.S. HIPAA constraints.

So, how do you protect patients’ (and your personal) information from invasive searches? First, encrypt all of your data; encryption software is cheap, readily available, and easy to use. (I recently posted a list of inexpensive encryption applications on the website.) Desktop apps such as BitLocker or Apple’s FileVault let you encrypt your entire hard drive, requiring a password for decryption. Keep in mind that full-disk encryption only protects data at rest: shut the device down completely (not merely sleep or lock it) before the crossing, so that the decryption key is no longer held in memory. (As always, I have no financial interest in anything I mention here.) To avoid surrendering the password, write it down and give it to a friend, then contact that person after crossing the border. It is easier to say you didn’t memorize it than to refuse to provide it – and nobody can compel you to reveal a password you don’t know.

Experts also recommend disabling the fingerprint sensor on your smartphone; customs officials have successfully used warrants to compel people to unlock their cellphones with a fingerprint. Because of your right to remain silent, it would be difficult (but not impossible) for them to force you to share your phone’s passcode.

A better alternative, in my view, is to travel with devices that have never contained any of your patient or personal data in the first place. Invest in a cheap phone and computer to use only when you are abroad; you don’t want your nice equipment lost or stolen, anyway. A budget Android phone that works with foreign SIM cards can be had for about $100; basic laptops run $500 or less.

Dr. Eastern practices dermatology and dermatologic surgery in Belleville, N.J. He is the author of numerous articles and textbook chapters, and is a longtime monthly columnist for Dermatology News. Write to him at
