By Jay Reyero, JD, Partner, ByrdAdatto
Patient privacy and HIPAA go hand-in-hand in any medical setting, including your med spa. While cyberattacks, whether on large hospital systems or small clinics, make for splashy headlines, healthcare providers should not forget to look within when it comes to vulnerabilities.
A recent examination by Verizon of security incidents across 27 countries found that the majority (58%) of healthcare protected health information (“PHI”) data breaches were due to insider threats. (For more information on patient privacy, sign up for our upcoming live webinar. It is free for all AmSpa members.)
The report highlighted several areas that healthcare providers encounter on a frequent basis where risks could arise internally, such as the potential for privilege abuse. Personnel require access to specific PHI to perform their duties but providing such access puts them in position to easily use or access the PHI for other, malicious purposes. This can be especially problematic with disgruntled or recently fired employees. The three steps a healthcare provider should take to protect itself are: (1) Identify; (2) Address; and (3) Audit.
Identification requires healthcare providers to identify all of the vulnerabilities to PHI; not only those risks from the outside, but just as important, those risks from within the organization.
Once a healthcare provider identifies its vulnerabilities, steps should be taken to address each by implementing the appropriate safeguards necessary to protect the PHI, both in terms of technology and internal policies and procedures. Many may recognize this as the first step of any HIPAA compliance plan, which is the Risk Analysis and Management required under the Security Rule.
Finally, healthcare providers must continue to be vigilant against the ever-present threat to extremely valuable data through regular audits of the systems and policies in place to find new vulnerabilities or current vulnerabilities being exploited.
Healthcare providers would be wise to conduct an updated (or first) risk analysis and understand where they stand in the fight against threats to PHI.
For more information on ways to build and run a successful, profitable, and legally compliant medical spa attend one of AmSpa’s Medical Spa & Aesthetic Boot Camps and be the next med spa success story.
ByrdAdatto represents physician practices, dental practices, law firms, medical spas, and other professional services companies throughout the United States. AmSpa members can take advantage of an annual compliance consultation call with the firm.
Jay Reyero, JD, is a partner at the business, healthcare, and aesthetic law firm of ByrdAdatto. He has a background as both a litigator and transactional attorney, bringing a unique and balanced perspective to the firm’s clients. His health care and regulatory expertise involves the counseling and advising of physicians, physician groups, other medical service providers and non-professionals. Specific areas of expertise include Federal and State health care regulations and how they impact investments, transactions and various contractual arrangements, particularly in the areas of Federal and State anti-referral, anti-kickback and HIPAA compliance.