Robert Weinstock, MD: Hi. This is Dr. Weinstock, and with us today on BEYE is Wes Strickling, the Founder and CEO of Codex Techworks, which provides managed technology services geared to eye care practices. There’s a lot of buzz in ophthalmology and medicine in general around EMR, EHR, HIPAA compliance, digital integration and networking. As an expert in medical IT and recordkeeping, can you tell us how to keep patient data safe and secure at our practices and ensure that we’re in compliance with HIPAA regulations?
Wes Strickling: It helps to focus on the HIPAA compliance aspect of data storage. This will give us an overarching perspective of where all the information sits. As a covered entity under HIPAA, you're the custodian of the electronic health record system and protected health information at your practice. We know this is part of the official record.
What is less understood are the other ancillary pieces of protected electronic health information that are also at the practice, including the OCTs, fundus photos, your anterior segment photos, and correspondence with other healthcare providers with whom you are co-managing patients.
Dr. Weinstock: Does it include any piece of paper, device, scripts or communication that has any bit of patient information outside of the EHR record?
Wes: Absolutely. Whenever you have patient identifying information along with treatment and/or diagnosis information together in any record, be it written, digital, an image, a voice recording, or some other form, it's protected.
Dr. Weinstock: I think most surgeons understand that all types of information need to be protected. What are the strategies that we need to adopt to keep us safe from a data breach?
Wes: The process of HIPAA risk assessment, which has been required under HIPAA guidelines since 2005, will go through your practice and determine which pieces of information you need to protect and where they are.
Oftentimes, when you back up your electronic health record, other information, such as the OCT, fundus photos and letters about patients you’re co-managing, can be left out. The HIPAA risk assessment makes sure you’ve got everything covered.
Once you’ve identified your needs, you want to contact a vendor that specializes in the healthcare industry and have them put together a proposal of what it will take to get all of that information protected so it’s HIPAA compliant.
Dr. Weinstock: It seems that we need to designate someone at our practice to make sure our patient information is protected safely behind the firewalls and that nothing has been left out. Can we also have third-party providers, such as your company, come in and manage the entire process for us?
Wes: Absolutely. And even if it's outsourced, the practice administrator needs to stay very involved to make sure everything is being done correctly and that nothing has been missed.
Dr. Weinstock: In the event of an investigation, are we better off saying, "Listen, we followed the right steps in protecting our practice?"
Wes: Yes, absolutely. All of this regulation falls under the U.S. Department of Health and Human Services, specifically the Office of Civil Rights, which performs the audits. When this agency comes to do an audit, a practice that has made every effort to do a full risk assessment and remediation on everything that's been found is usually given a lower fine, even if there’s been a breach. In fact, this best-faith effort is actually written into the law.
Dr. Weinstock: I got it. When we buy an EHR system, we may think we're all set. But aren’t there other networked components that we also have to secure? And what are the best practices for making the EHR and other devices and systems on the office intranet HIPAA compliant?
Wes: In managing a modern, paperless practice, there are many i’s to dot and t’s to cross. In addition to standard templates for how healthcare networks should be designed, there is an eye care specific strategy since eye care practices tend to operate more in-house diagnostic equipment than other medical specialties. All of those devices need to be put into the template for a truly secure healthcare network.
Dr. Weinstock: In our practices today, we have a big need for IT, especially since we’re using computers, iPads, EHRs and other systems in our daily operations. What’s the best way to get these systems to communicate and interface with each other while staying HIPAA-compliant?
Wes: Your operation should stay HIPAA-compliant, but this is one area where picking the right provider is imperative. A provider that doesn't fully understand HIPAA requirements will most certainly leave you vulnerable. Generally EHR companies are only going to take care of the structured EPHI, or specific information that’s kept within the system. That doesn’t include the unstructured EPHI, which is the letters, images, and everything else.
Dr. Weinstock: What would you advise eye care professionals to do to make sure they’re fully HIPAA-compliant and doing everything right?
Wes: On their pre-implementation checklist, the first item that needs to be done is the HIPAA risk assessment because it’s mandated annually. This step will also provide your practice with a valuable visual map of your procedures, processes, devices, and any place that patient sensitive information resides.
Next, make sure you work with a healthcare-specific IT vendor knowledgeable about HIPAA compliance. If the foundation they build your EHR on is poorly designed, it won’t be sustainable in the future, especially as your practice grows and/or expands to other locations.
Dr. Weinstock: It sounds like this due diligence—getting an up-front assessment, and putting together a sound plan—is going to make sure the whole process goes smoothly. Then you can just keep cruising along focused on your work without having to worry that you're at any risk and that everything is protected.
Wes: Since the risk assessments are required annually, it's a good catchall for anything that was missed or added since the initial installation. If a new piece of equipment with EPHI on it was added since the last assessment, you can scoop it up in the next assessment and add it into your template.
Dr. Weinstock: Is this something you can do yourself in-house or do you have to bring the right people to your practice to ensure it’s done right?
Wes: Well, there are guidelines if you want to do it yourself. The U.S. Department of Health and Human Services website offers a lot of resources. The National Institute of Standards and Technology (NIST) has also written specific guidelines on doing the risk assessments. However, it’s a 150-page government document so it will take some work, but you can do it in house.
Dr. Weinstock: Is there anything else that needs to be done to comply with the new regulations?
Wes: Under HIPAA, if you discover a potential issue or an actual breach, those problems must also be remediated annually. Only the breaches, though, must be officially reported.
Dr. Weinstock: Okay, very good. Well this has been very helpful. Thank you so much for sharing such great information and for being here with us today on BEYE.
Wes: Thank you for having me.