Compliance Matters

    A Guide to Safeguarding Patient Information

    From the federal government, an excellent map to navigating HIPAA's privacy, security, and breach-notification rules.

    Criminal attacks now are the number-one cause of data breaches in health care—up 125% in the past 5 years alone. Forty-five percent of the health care organizations surveyed by the Ponemon Institute, a leading research center on matters related to privacy and data protection, reported "criminal attack" as the root cause of data breaches—with "lost or stolen computer device" (43%) and "unintentional employee action" (40%) trailing close behind.1  

    Whatever the cause, the cost of data breaches is substantial to both health care organizations and their patients. "We estimate that data breaches could be costing the industry $6 billion," wrote the authors of Ponemon's report, which was released in May. "The average cost for health care organizations is estimated to be more than $2.1 million." While the 90 health care organizations surveyed by Ponemon are much larger entities than any given physical therapy clinic, "no health care organization," the research firm warns, "is immune from data breach."

    Ponemon further notes that the number of individuals victimized by medical identity theft has nearly doubled in 5 years, to 2.3 million, with some victims reporting an average expense of $13,500 to restore their credit, reimburse health care providers for fraudulent claims, and correct inaccuracies in their health records.

    Physical therapy practice owners would do well to heed a few other facts and figures related to this combustible mix of criminal activity, human error, and negligence, says Deborah Crandall, JD, senior regulatory affairs specialist in APTA's Public Affairs Unit. "Under provisions of the 2013 HIPAA [Health Insurance Portability and Accountability Act] Omnibus Final Rule for safeguarding the privacy and security of protected health information [PHI]," she notes, "if there's a data breach, it can cost the health care provider anywhere from $500 to $1.5 million per violation per year. Small providers are not exempted. And what's more," Crandall adds, "if an investigation of the breach reveals that policies, procedures, and other safeguards were absent or insufficiently updated, the fines may go up."

    HIPAA offers an array of federal protections for patient information held by covered entities (such as physical therapy clinics) and their business associates (providers of legal, actuarial, accounting, consulting, data aggregation, information technology, and other supporting services). The regulations include privacy, security, and breach notification rules.

    It's complicated, Crandall concedes. There's a long list of things that physical therapist (PT) and physical therapist assistant (PTA) practice owners must do to be in full compliance. She lists such steps as "conduct a risk assessment and analysis, have security policies and procedures in place, assess risk on an ongoing basis, and adhere to mandated procedures for mitigating breaches and reporting any that occur." APTA links PTs and PTAs to a wealth of compliance resources on its website. Crandall earlier this year devoted an entire PT in Motion Compliance Matters column to a single mode of communication security: mobile technology.2

    Which brings up another point. "There's a misconception that protection of health information applies only to patient information in the EHR [electronic health record]," Crandall says. "But it can include PHI that's texted to a PT's cellphone, stored on a laptop computer, or contained in a printed document that's sitting in your filing cabinet." The Office of the National Coordinator for Health Information Technology put it this way: "Whether patient information is on a computer, in an EHR, on paper, or in other media, providers have responsibilities for safeguarding the information by meeting the requirements of the [HIPAA] rules."3

    So, what's a practice owner to do? Ideally there would be a single document to start from, one that covers the key elements and outlines what successful compliance requires. The good news, Crandall says, is that such a document now exists: the Guide to Privacy and Security of Electronic Health Information.

    Compact But Comprehensive

    "I was excited when this guide came out, because it's got so much meat to it," Crandall says. "It does a great job of laying out the primary requirements under the final rule. If PTs and PTAs download just 1 document off APTA's HIPAA page [www.apta.org/HIPAA/], it should be this."

    The guide is compact—just 62 pages—but within it lie the answers, or links to the answers, to most of the questions physical therapy practice owners are likely to have. Crandall gives a couple of examples.

    "One of the questions I get asked constantly," she says, "is, 'Where can I find an NPP template?'" That stands for Notice of Privacy Practices, the HIPAA-required document that tells patients how the practice may use and disclose their PHI, what rights they have regarding that information, and how the practice protects it. The guide not only contains an entire chapter on understanding patients' health information rights, but it also provides links (on page 23) to customizable NPP templates.

    "Here's something else that's hugely important," Crandall says, turning to chapter 6, titled "Sample Seven-Step Approach for Implementing a Security Management Process." "We get a lot of questions at APTA on the best ways to do this. The guide does a great job of putting this process together in 1 place."

    Security management steps described include selecting a team (including a designated security officer); documenting processes, findings, and actions; performing a security risk analysis; developing an action plan; managing and mitigating risks; attesting to the completion of requirements; and implementing ongoing security measures. "If providers do all of these things," Crandall says, "they will go far toward ensuring the safety of their patients' PHI."

    The guide is dotted with helpful boxes and tables. Leafing through the document, Crandall highlights a few: "Example of Records to Retain" (on page 40); "Tips for a Better Security Risk Analysis" (page 41); "Examples of Potential Information Security Risks with Different Types of EHR Hosts" (page 43); and "Comparison of Secured and Unsecured PHI" (page 58).

    "Implementing the steps in this guide is important for any physical therapy practice because even just 1 breach—depending on the reasons for it and the number of patients affected—could put the provider out of business," Crandall says. "Whereas, if there's evidence that the practice has complied with HIPAA rules to the best of its abilities, the potential civil penalties may be greatly reduced, and monetary liability may be minimized."

    Add Attorney and Stir

    There are a few caveats, however.

    A disclaimer at the bottom of the guide's cover states, "The information contained [herein] is not intended to serve as legal advice, nor should it substitute for legal counsel. The guide is not exhaustive, and readers are encouraged to seek additional detailed technical guidance to supplement the information contained herein." All of that may sound obvious, but Crandall advises physical therapy practice owners to take the disclaimer to heart.

    Not only is the information contained in the Guide to Privacy and Security of Electronic Health Information of limited utility if readers don't supplement it with other information provided by the government and by APTA on its HIPAA and Health Information Technology (www.apta.org/FederalIssues/HIT/) web pages, but "strictly focusing on federal compliance is unwise, given that some states have privacy laws—whether or not they specifically reference HIPAA—that may go above and beyond HIPAA privacy and security requirements," Crandall notes.

    For that reason, she strongly advises that physical therapy practice owners consult an experienced health care attorney in their state. "The cost of retaining an attorney at the front end of security planning is substantially less," she points out, "than the expense should you experience a security breach and be found negligent—or worse, intentionally negligent."

    That noted, Crandall concludes, "If physical therapy providers follow the procedures outlined in this guide and heed the additional guidance of a health care attorney expert in that state's health laws, they can feel pretty confident that they're doing things the right way. And most important, their patients and clients can feel reassured about the steps being taken to safeguard their protected health information."

    Eric Ries is associate editor. He can be contacted at ericries@apta.org.


    1. Ponemon Institute LLC. Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data. https://www2.idexpertscorp.com/fifth-annual-ponemon-study-on-privacy-security-incidents-of-healthcare-data. Accessed May 15, 2015.
    2. Crandall D. Using mobile technology in patient care? PT in Motion. 2014;6(11):6-9.
    3. Office of the National Coordinator for Health Information Technology. Guide to Privacy and Security of Electronic Health Information. Version 2.0. Washington, DC: US Department of Health and Human Services; 2015. http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf. Accessed May 15, 2015.


    Resources

    HealthIT.gov (www.healthit.gov): Click on "For Providers & Professionals" for information on the benefits, implementation, and privacy and security of electronic health records.

    APTA HIPAA page (www.apta.org/HIPAA/): Links to privacy and security information from the Department of Health and Human Services, APTA summaries, related resources, podcasts, and videos.

    APTA Health Information Technology page (www.apta.org/FederalIssues/HIT/): News, updates, background, summaries, and APTA comments on the federal government's health information technology (health IT) "interoperability roadmap," the health IT strategic plan for 2015-2020, physical therapists and health IT, and more.

    Examples of Records to Retain

    Contents should include, but not be limited to, the following:

    • Your policies and procedures
    • Completed security checklists
    • Training materials presented to staff and volunteers; any associated certificates of completion
    • Updated business associate agreements
    • Security risk analysis report
    • Electronic health record audit logs that show both use of security features and efforts to monitor users' actions
    • Risk management action plan or other documentation (that shows appropriate safeguards are in place throughout your organization), implementation timetables, and implementation notes
    • Security incident and breach information

    (Source: US Department of Health and Human Services Office of the National Coordinator for Health Information Technology's Guide to Privacy and Security of Electronic Health Information)
