Top 10 Problems Medical Directors Face Under the HITECH Act
As the director of a busy medical group, it is your responsibility to ensure that all of your members understand and maintain complex HIPAA security standards. This safeguards your medical group’s reputation, both within the medical community and in the eyes of your clients. However, you’re not an IT expert. With the high number of tech-centric HIPAA requirements (known as the HITECH Act), how can you relax, knowing that you’ve covered everything and that you’re protected in the case of a HIPAA audit?
1. Information Security Program Management
A serious problem in the medical community is record security. Many times, I have been in doctors’ offices or hospitals and have seen unattended charts and files, as well as unlocked, active computers. I’ve even seen blank prescription pads scattered around! Data-savvy medical groups should create a “clean desk” policy for members. This means that group members should ensure that their physical files, computer files, and other documents are stored in a secure manner whenever they are not around.
2. Removable Device Restrictions
To keep medical records safe, create restrictions and policies for the use of USB drives, as well as rewritable CDs and DVDs.
Doctors work long, exhausting hours and new EHR software requires a lot of data entry. Though your group members may be tempted to bring files home to complete them, you can’t be assured that their home or personal computers are safe enough to protect those records.
3. Risk Identification and Assessment
There are a lot of people who can access your offices. Consider that at any given time your offices are open to cleaners, security, patients’ friends and family, patients themselves, repair people, other independent contractors… the list goes on. To protect your medical group from unauthorized data access (whether intentional or unintentional), secure your training materials, your network, your software, your documents, and everything else you can think of. Cover all your bases by determining where all your sensitive information is located, then determine what kinds of risks each location creates for your data safety.
4. Employee Training, Management, and Responsibilities
Doctors are really dedicated to their professions. Even with policies and restrictions in place, one of your group members may decide to break the rules to get more done. Make it clear to your members that the rules are not to be broken – and have clear, enforced penalties for anyone who does break the rules. Everyone’s reputation is on the line.
5. Internal Information Security
These days, it’s so commonplace to send sensitive data over email or to store it in the cloud that it can be easy to forget that these transmission or storage methods might not actually be safe. Encrypt your data at all times. This means that it needs to be secure while it is:
- In use
- At rest
- Being transmitted
6. Up-to-Date Network Protection
The Internet is a dangerous place, filled with traps. We all know this. To keep your records safe, make sure that your systems have adequate virus and malware protection, and that your firewall is strong.
7. Retention and Destruction of Personal Information
What happens with old, outdated records or record storage systems? For instance, if you update your office computers, do you have a process for wiping all the data off of the old computers? When getting rid of old storage methods or equipment, you should break the hard drives or scratch the discs so that no one can get at your data.
8. Overseeing Service Providers
Sometimes you have to get your computers fixed – and usually it’s an emergency when you do. If you’re in a crunch, you don’t want to have to worry that your data will be compromised while technicians are repairing your systems. Confirm in advance that your service providers know how to protect your information and that they have rock-solid information protection policies of their own.
9. Data Breach Incident Reporting
Hackers and viruses are very sophisticated these days and can steal information without you even noticing. If your systems are hacked or if they’re exposed to viruses or malware, that poses a security risk and you should know about it. Immediately. Make sure that you have a threat monitoring system in place, and make sure that you monitor your systems 24 hours a day, 7 days a week.
10. Business Continuity and Disaster Recovery
Your profession has a unique understanding of the fact that emergencies are almost always unexpected. Just as your clients carry health insurance to protect them when they face a medical emergency, you should have a plan in place to protect your systems against weather disturbances, fire, flood, theft, and other critical data loss situations. Build a comprehensive Business Continuity and Disaster Recovery plan that includes procedures for data storage backups, as well as chains of command, plan and backup testing, and employee training.
In closing
As a healthcare professional, you know that an ounce of prevention is worth a pound of cure. With this list of the ten most common data security issues that you’ll face, you’ll be better prepared to protect the patient data you’re responsible for — and in the event of an audit, you may even save millions of dollars.
This handy list describes the top ten data security issues that medical group directors struggle with. Hilary Buckley, the author, works with NetUp IT, a market-leader in business continuity protection and planning. With a focus on the needs of medical groups and other highly regulated industries, NetUp has a long-standing tradition of protecting business data… no matter what.