HIPAA For MSPs by David Sims HIPAA, HHS, OCR, and PHI
00:00:00 00:00:00

Today’s podcast is a little different from our normal ones. We are covering a wide variety of subjects involving HIPAA, OCR, HHS, and PHI rather than one specific topic.

One subject we’ve recently covered is keeping your employees out of your PHI, and obviously that does not always happen. Manual audits can only check so many things, but products that audit through algorithms and programs like SPHER can do a much more thorough analysis of your logs.

Snooping Around PHI

Recently, there have been a couple of stories about snooping in the news. The first was at Stamford Podiatry Group, PC where it was discovered that a third-party had access to their PHI logs for quite some time, from February 22 to April 14 to be exact. The party was in their system for so long that they were able to access all of the available records. This means that they had to alert all 40,491 patients of their breach. A similar situation happened when an NFL trainer had a laptop that had thousands of players medical records on it stolen. If they would have had a program that monitored their patients’ PHI, it could have notified them within 48 hours of the first breach and the situation could have been much smaller or totally avoided.

The most common form of snooping is from your employees. On June 3rd, 7 employees from ProMedica had access to PHI and medical files that they had no reason to see. Because of the breach, ProMedica decided that they would need to have regular audits for their PHI logs, and have their employees complete extra training, isn’t that nice? Employee snooping happens most often when a person who is famous checks into the clinic. Sometimes attacks on your information come from the outside, but many times they come from your own employees. While employees do snoop, many employees are vigilant and report to their compliance officer when they detect a breach within the system.


Having a cloud company protect your data is often times more than what you are doing for security.PHI

However, Practice Fusion, a free cloud program, in 2012 sent emails to consumers for reviews of the program in their clinic. The patients were given a text box where they put information about their prescriptions and health records. The patients then mistakenly sent their personal information to the company, thinking that they were only sending it to their doctor. Once this was discovered, the company could not publish their reviews because they contained PHI. The FTC is settling with the vendor in this case, not OCR or HHS. All in all, just make sure you know what you are doing when you give your information out to companies.

BUT… we are big proponents of the cloud!

Third party patches

Everything you use on your computer besides the operating system is a third-party application, so you have to make sure they are patched.

OCR has found that only ⅕ of companies are doing security checks and patches on their software. This means many software  applications are vulnerable to penetration and therefore so are all of your records, not just PHI. There are a lot of security issues that happen daily, so this is a problem. There are tools that monitor and patch software  products for you. Patch management is one of the top system management tools that will help keep your computer safe. You need to do regular risk analyses on any third-party applications you install on your system. A great way to do this is hire a HIPAA compliant IT provider that will run the analysis for you and give you regular reports.