Don’t gamble with your patients’ information and take HIPAA compliance seriously.
In late 2015, the U.S. Department of Health and Human Services (HHS) called for the Office for Civil Rights (OCR) to strengthen enforcement efforts of compliance standards, including compliance with HIPAA Privacy and HIPAA Security guidelines.
This request came after the release of healthcare compliance- related studies, which demonstrated significant vulnerability to patients, providers, and practices.1
The studies revealed reasons to be increasingly concerned about patient privacy, such as inappropriate access to or disclosure of protected information, data breaches, exposure to fraud, identity theft, medical record theft, and other harmful occurrences.
These issues also pose significant risk to practices in the form of damaged practice and patient relationships, investigations, and audits as well as costly penalties.
The many conveniences that come with technology also come with responsibilities to healthcare facilities. Though patient privacy has long been an important topic in healthcare, a lack of enforcement has largely left this crucial element on the back burner in many practices.
Furthermore, advancements in technology have also compounded risk and vulnerability, making compliance a priority.
In the past, the patient privacy risks mentioned above were pretty much limited to the possibility of a person walking into a practice and taking off with patient files. Risk, in that case, was limited to the number of patient records a person could carry out the door. Therefore, basic opening and closing procedures together with a responsible workforce were sufficient protections.
While there were other risks to consider, such as claims being mailed out to the wrong payer, in general the risks and the potential impact to a large group of patients were minimal.
Now businesses are operating in a world where masses of protected health information (PHI) are created, maintained, stored, and transmitted electronically. This extends beyond EHR software and includes scanning, email, electronic claims transmission, backup and storage, portable devices (e.g., smartphones and tablets), instant messaging, and social media.
Access is no longer limited to someone being physically on site to carry information off, but can now occur from just about anywhere, from mishandlings inside a practice to cybercriminals outside the U.S. Also, the number of patients at risk of unauthorized exposure could potentially include your entire patient database.
As mentioned, the OCR has the urgent task of ensuring that compliance is a priority for healthcare providers. In their assessment, the reason compliance is not a foremost concern in many healthcare facilities is partly because enforcement efforts by investigative organizations have been lacking.
To resolve this gap, the OCR has teamed with more agencies and implemented protocols that allow them to conduct more investigations, quickly respond to potential reports or findings of non-compliance, and sharpen the sting to noncompliant covered entities with fines and other types of penalties.
The OCR is highly motivated to make this a priority, not only to preserve the integrity of PHI but also to collect millions of dollars each year from penalties assessed for noncompliance.
Some of the steps the OCR is taking to improve oversight of covered entities include:
- Fully implementing the permanent HIPAA audit program,
- Developing a more efficient method to search for and track covered entities, and
- Expanding outreach and education efforts, including targeting the healthcare industry.
The OCR has been proactive in its approach and successful due to covered entities (from all medical specialties) lagging in appropriate training, implementation, and evaluation of customized compliance plans. Current investigations are focused on many areas, including:
- Confirm the covered entity has recently completed a comprehensive Security Risk Assessment.
- Confirm action items identified within the Security Risk Assessment have been completed or are on a reasonable timeline to completion.
- If the organization has not implemented any of the addressable security standards, confirm within the organization policies and procedures why the addressable implementation standard was not reasonable and appropriate, and what alternative security measures were implemented.
- Ensure the organization has implemented an appropriate breach notification policy that meets standards.
- Ensure healthcare providers have implemented the Notice of Privacy Practices per the methods required by HIPAA privacy regulations.
- Verify healthcare providers have appropriately implemented policies and procedures to preserve the integrity of PHI (both electronic and otherwise), including internal workforce PHI communications.
- Confirm appropriate training has been performed and appropriately logged.
- Confirm that appropriate policies and procedures for security safeguards are in place per the administrative, physical, and technical safeguard guidelines.
- Confirm appropriate inventory and inventory security logs are completed, up to date, and meet requirements.
- Confirm appropriate backup systems, disaster recovery plans, and other activity monitoring plans are in place.
Practices must understand the risks they are taking if compliance is not a priority. Again, the risks to your patients and your practice can have a costly and stressful ripple effect. Although implementing a compliance program may seem daunting at first, once in place you’ll find maintaining it is straightforward, and it will be more cost effective than the alternative.
Obtain support and guidance if needed to develop and maintain a compliance program and be a proactive participant in compliance plan development. Purchasing a prepackaged binder with the intent of customizing it is unlikely to suffice for most practices, and can be damaging in the event of an audit.
There are many software and training options out there that can help you navigate the complexities of HIPAA compliance. Heed the warnings and ensure compliance in your practice.
Brandy Brimhall, CPC, CMCO, CCCPC, CPCO, CPMA, has been serving chiropractic since 1999. She holds certifications in coding, compliance, and auditing. She has firsthand experience with billing, documentation, administrative, and compliance implementation and management within the chiropractic practice. She continues to serve the profession as the director of compliance services and director of education with ChiroCode Institute. She can be contacted at firstname.lastname@example.org or email@example.com.
1 Gottlieb DF, Pimental AC, Zacharias EG. “HHS Office of Inspector General Calls for Increased Oversight and Enforcement of HIPAA.” McDermott Will and Emery. www.mwe.com/en/thought- leadership/publications/2015/11/hhs?Publicatio nTypes=0c37aff3-0fa4-487b-ae40-09ee0164a996. Published Nov. 2015. Accessed July 2016.