HIPAA rule violations can cost physician practices — monetarily, operationally and with regard to reputation. In extreme cases, HIPAA violations can result in a practice being excluded from Medicare or even jail time.
In April 2016, Raleigh (N.C.) Orthopaedic Clinic agreed to pay a $750,000 settlement for an alleged HIPAA violation. According to the HHS, the clinic handed 
over protected health information for around 17,300 patients to a potential business partner without entering into a business associate agreement. In addition to paying the settlement, the clinic was required to revise its policies and procedures related to this incident.
"It's very important for physician practices to recognize their role in protecting patient information, in all forms, from unauthorized disclosure and to invest in services that safeguard their electronic information systems that handle patient information," says David Holtzman, JD, CIPP, vice president of compliance strategies, Cynergistek. "This means that, at minimum, they should have a comprehensive information security risk assessment that looks at all of the technology that creates, stores or transmits patient information to identify threats and vulnerabilities."
Challenges to HIPAA compliance
Remaining compliant to HIPAA rules and regulations can be challenging for a number of reasons. According to Aaron Tantleff, partner and intellectual property lawyer with Foley & Lardner LLP, the HIPAA Security Rule does not actually provide guidance with respect to any particular method of storage or transmission of electronic patient health information, or ePHI. This means that healthcare organizations have flexibility when it comes to HIPAA compliance solutions, but it can also be a daunting task, especially due to the proliferation technology and third-party solutions.
"In some cases, it becomes nearly impossible for a vendor to be able to determine what information, if any, has become vulnerable to a security incident," says Mr. Tantleff.
Interoperability, or lack thereof, among technologies and systems also makes HIPAA compliance a challenge for physician practices.
"Given the number of different parties and different solutions interacting with each other, there may be an instant where two or more solutions are unable to communicate. In some cases, the type of encryption is incompatible and ePHI may end up being transmitted in an unencrypted manner," says Mr. Tantleff.
Additionally, healthcare organizations today are required to do more, with less. This means organizations may not be able to hire and retain enough properly trained staff members to ensure HIPAA compliance.
Low hanging fruit of HIPAA compliance
Here are eight best practices for ensuring HIPAA compliance:
1. Encrypt health information. Encrypt laptops and other devices, like smartphones, that have ePHI stored on them. The Office for Civil Rights reports that nearly two-thirds of all large breaches involving ePHI are the result of laptops and other portable devices with unencrypted health information that were lost or stolen, notes Mr. Holtzman.
2. Set up passwords or authentication requirements for software applications and device. Cyber criminals are masters at breaking through weak passwords. "In today's reality, weak passwords equate to leaving the front door unlocked, but closed," says Mr. Tantleff. Fortify your devices and solutions with strong passwords that include different elements, such as numbers or special characters.
3. Do not entertain gossip in your facility. A healthcare organization can find itself in violation of HIPAA when a staff member shares classified information about a patient. This can occur quite innocently in the form of gossip or chit-chat. A staff member may share information about a patient with a friend believing that "it's only one person" and "no one will find out," says Mr. Tantleff. Make sure staff members know what is at stake if they reveal patient health information to an unauthorized person.
4. Properly train your staff members on HIPAA. "Raise awareness throughout your medical practice of how staff and physicians can use sound practices and activities to reduce the threat from hackers and cyber criminals," says Mr. Holtzman. For example, teach staff to be suspicious of emails that ask the user to click on a link or ask for sensitive information, such as usernames and social security numbers. These types of emails can expose the practice's information system to malware that enables cyber criminals to infiltrate the system.
5. Put incident response plans into place. Ensure that these plans are current, understandable and accurate. Train your staff members and test the plan so every person knows their roles and feels comfortable in their responsibilities, says Mr. Tantleff.
6. Be vigilant about third-party business agreements. HIPAA rules require physician practices to sign a business associate agreement with any contractor or vendor that will create, store or transmit their ePHI.
"Get a better understanding of how your contract with a vendor will protect and safeguard your practice's health information," says Mr. Holtzman. "As you are considering a new relationship with a vendor, ask whether they perform security risk analyses of their information systems that handle PHI or if they have designated privacy and security officials and what type of training they give their employees."
Look into what provisions are in place for when the relationship with the vendor ends, which includes how will your PHI be returned or destroyed.
7. Avoid improper PHI disclosure. Be aware of the numerous ways in which information can get into the wrong hands. It could be as simple as mixing up a name or patient ID, and then an unauthorized individual gains access to patient health information, says Mr. Tantleff. Put processes into place to avoid these simple mistakes.
8. Designate a HIPAA champion. Designate and empower an individual or leader in your organization to review, evaluate and investigate your organization's HIPAA compliance efforts.
"These individuals can take the time to review and stay up-to-date with the education and guidance materials offered through the OCR and Office of the National Coordinator for Health Information Technology," says Mr. Holtzman. "Or consider a having a third party with expertise in health information privacy and security periodically perform assessments to evaluate your organization's compliance."