HIPAA Regulatory Alert

Survey shows physicians not ready for HIPAA

Fewer than 50% perform background checks

Rhode Island’s Seacrest DocSecurity surveyed more than 500 physicians nationwide late in 2003, questioning them on requirements that insurance companies ask for before underwriting physicians and hospitals for insurance, and concluded that while physicians generally believe they are HIPAA-compliant, in fact they have only met a portion of the HIPAA requirements, leaving them vulnerable to lawsuits.

"Records, quite literally, are the lifeblood of a medical practice," the company’s report says, "and doctors take, keep, and transmit those records in any of a number of ways, from walking a folder down the hall to faxing them to consulting physicians to storing information in centralized, digital directories. Protecting the information in all of these different forms is easier said than done."

Among the survey’s findings:

• 36.2% of those surveyed said that because they or their employees have been through privacy training, they are HIPAA-compliant. Seacrest says typical training programs don’t even touch on the digital or physical security aspects of HIPAA and don’t take into account the maintenance and destruction of records as specified by the law.

• Fewer than 50% of the physicians surveyed perform background checks on employees. Seacrest points out that physicians' offices are small businesses and as the business owners, the physicians are responsible for the actions of their employees. "If a staff member steals medical information and sells it to a third party, it is the doctor/owner who is responsible for that action," the company says. Seacrest says that physicians should not confuse a background check with a reference check when considering new employees. A true background check, it says, would involve discovering and assessing any criminal activity a potential employee was involved with. It notes estimates that as many as 14% of hospital employees have criminal records.

• Nearly 40% of physicians surveyed do not secure electronic data transmissions. At the very least, according to Seacrest, physicians should be taking steps to keep hackers from accessing files as they are being transferred. It’s one thing if the practice is using e-mail for simple office transactions, but file transfers often contain billing information, which requires diagnosis coding that is personal information. "Not encrypting the data is similar to dropping a bill in the mailbox without an envelope," the company says. "The fact that four in 10 don't bother with encryption is disturbing."

Even at this late date, 14% of practices said they had not isolated or locked file cabinets or record rooms, and 27% said that fax machines were not kept in a secured, locked area.

Additional information is available from Seacrest at (401) 851-2022 or e-mail info@seacrestdocsecurity.com.