Are your electronic devices HIPAA compliant? Most practices aren't sure

In the aftermath of the recent Anthem hack compromising information of 80 million customers, mainstream newspapers, such as the Denver Post, warn the public that the doctor's office may be "the most dangerous place for identity fraud."

And a recent survey from NueMD indicates that physician practices themselves can't readily provide much reassurance. When asked, "How confident are you that someone at your business is actively ensuring your business' compliance with HIPAA?" just 38 percent of more than 1,000 providers, administrators and medical office staff said they were "very confident." Forty-four percent said they were "somewhat confident" and 19 percent reported they were "not confident at all." There was no notable difference in these confidence levels when responses were broken out by role, according to the report.

Physician practice uncertainty was particularly high surrounding HIPAA compliance of their electronic and mobile devices, use of which is growing more prevalent by the day. For example:

  • HIPAA requires that covered entities catalog and track all of their electronic devices containing PHI, yet only 27 percent of the practice owners, managers and administrators surveyed said they've cataloged 76 to 100 percent of their devices. Meanwhile, 27 percent said they haven't cataloged any and 21 percent didn't know.
  • When asked how confident they were that their electronic devices were HIPAA compliant, only 31 percent of practice owners, managers and administrators surveyed said they were "very confident," while 18 percent said they were "not confident at all."
  • Administrators' confidence that their mobile devices were HIPAA compliant was even lower, with just 18 percent saying they were "very confident" and 30 percent saying "not confident at all."
  • Similarly, troubling proportions of management and office staff alike were unsure whether their electronic communications, including email, texting and social media with patients or among themselves, were HIPAA compliant.

Considering that the Office of Civil Rights (OCR) will conduct HIPAA audits of physician practices, possibly in the near future (something only 32 percent of practices were aware of before the survey), offices must follow the OCR's advice and "get their house in order" now.

Additional advice for improving HIPAA compliance is contained within the report as well as previous FiercePracticeManagement coverage.
