NOV-DEC 2018

MedEsthetics—business education for medical practitioners—provides the latest noninvasive cosmetic procedures, treatment trends, product and equipment reviews, legal issues and medical aesthetics industry news.



Eager to protect his name, the surgeon had pounded out a response with the reasons the patient didn't get her desired result, citing her high BMI and alcoholism. "This is a perfect example of what happens when you allow your emotions to take over," says Adatto. His client's problems were compounded by the fact that he practiced in one of the many states, including California, Illinois and Texas, that has its own patient privacy laws, which are far more stringent than the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) patient privacy rules. The patient filed a civil lawsuit that was eventually settled out of court, and the plastic surgeon was slapped with heavy fines at the federal level.

While the moral of this particular story is to take a breath, and perhaps speak with your attorney, before responding to negative reviews, the increased use of technology in aesthetic practices, including electronic medical records, social media and email, coupled with the proliferation of cybersecurity concerns worldwide, means that medical practices must familiarize themselves with state and federal patient privacy rules and regulations.

BASIC REQUIREMENTS

Since 2003, HIPAA has required practices to have a privacy officer on staff. A HIPAA privacy officer oversees the development, implementation, adherence to and maintenance of privacy policies and procedures to ensure the safe use and handling of protected health information (PHI) in compliance with both HIPAA and state regulations. Practices must also have a written patient privacy compliance plan that spells out all the policies and procedures the practice follows to protect its patients' healthcare information, and they must conduct periodic risk assessments.

"Many practices either never complied with HIPAA, in that they have not conducted a risk analysis or established the required compliance plans. Or they did so some years ago, but have never updated either the risk analysis or the compliance plan," says Joseph E. Guimera of Los Angeles-based Guimeralaw Cybersecurity. "Periodic risk analyses and evaluation and modification of the compliance plans are both required by HIPAA, not to mention they are good security measures that help practices keep up with new threats that arise each day."

For most small practices, an annual risk analysis is reasonable and meets HIPAA requirements, says Jen Stone, MSCIS, CISSP, QSA, a security analyst with Security Metrics in Salt Lake City.

"A lot of practice managers look at risk analysis as burdensome," says Guimera. "HIPAA laws and regulations and recommendations may be burdensome, but they serve a purpose. You can never guard against everything, but you can minimize your exposure by taking the time to formulate a written plan regarding how to deal with threats and breaches, appoint a privacy officer and create written procedures and policies for the entire staff."

In addition, you need to provide initial and ongoing staff training. "You need to know if your employees actually follow the rules, and every time you get a new team member, you need to make sure they are aware of the compliance protocols," says Alex Thiersch, director of the American Med Spa Association (AmSpa) in Chicago.

BIGGEST THREATS TO PATIENT PRIVACY

Despite fears about external hackers, the biggest privacy risks come from within, says Guimera. "Health care is the only industry where internal threats are greater than external threats. Employee training is often lacking, and you have employees who make mistakes or, in some cases, act maliciously because they've been terminated or they are disgruntled about something," he says. "You also have to consider the people who come through your office: sales reps, vendors, business associates and the patients themselves."

Guimera recounts some of the things he has seen when visiting practices, including desks with computer screens or tablets open with patient information on them and Post-It notes with passwords written on them stuck to computers. He also recalls a recent site visit to a client's office where someone failed to double-check a fax number and sent a patient's records to an unknown fax machine. "People don't think about the fact that their laptop or tablet may have the medical history and personal information of 500 to 1,000 patients on it."
