When the Health Insurance Portability and Accountability Act (HIPAA) became effective on April 14, 2001, there were no HIPAA police per se.
But revisions of the HIPAA rules throughout the past decade haven’t stirred most DCs toward compliance with HIPAA privacy and security rules.1,2
As a case in point, have you updated your practice’s HIPAA manual to comply with the 2013 HIPAA final omnibus rule?3 Is your policy updated regularly per your current policy requirements?
Whether you have adopted certified electronic health record (EHR) software and collected stimulus funds or not, do you perform an annual security risk analysis on your systems? Do you and your staff receive HIPAA training annually? If you are not staying vigilant with HIPAA policies, then your practice is neither safe nor secure.
Just because your practice may be small doesn’t mean you are exempt or are flying below the HIPAA radar either. Worse yet is the misconception that HIPAA police do not exist.
Office of Civil Rights
Employees at the Office of Civil Rights (OCR) don’t have business cards or stationery stating they are the HIPAA police, but they absolutely function in that respect. And HIPAA law should be taken seriously; the fines for violations range from $100 up to $50,000 per violation, which could push penalties into amounts that a doctor of chiropractic simply cannot afford to absorb.
In today’s healthcare framework, you are faced with the possibility of audits from Medicare and other third-party payers for coding and documentation errors. Add to this mix all the technology and regulatory changes in healthcare over the past 10 years and you have a condition affecting a wide range of providers called “change fatigue.”
Simply put, change fatigue can cause you to disengage and “check out” of reality. And the reality is that an audit could hit most offices and carry the potential for a large fine.
The vulnerable practice
The key danger facing chiropractic offices is in the security risk analysis section of the HIPAA Health Information Technology for Economic and Clinical Health (HITECH) act, which has been called “the teeth and claws of HIPAA.”
Practices need to conduct this analysis on a yearly basis to avoid a letter or—worse—a visit from OCR investigators. So what constitutes a security risk analysis?
The security risk analysis
A security risk analysis consists of three key types of safeguards: administrative, technical, and physical. These safeguards help providers protect against and react to security incidents regarding their electronic patient health information (ePHI). A security risk analysis is intended to ensure that patient information remains confidential and available in times of need.
Each year, or when changes to your practice or electronic systems occur, you must review and update the prior analysis for changes in risks. Under the Meaningful Use programs, reviews are required for each EHR reporting period.4
Administrative safeguards: This part of the security risk analysis are the policies and procedures that direct and guide you and your practice in how you protect your ePHI. These policies define the type of data you need to protect, how the plan will be developed, and the implementation of the security plan. Administrative safeguards ensure a review of security procedures already in place, evaluate the risk of each procedure, and help form a documented action plan should a risk arise.
Technical safeguards: These are the policies and procedures that control the use of your computer systems, protecting and restricting access to patient information. These will vary among clinics based on the technology in place. At a minimum, they should cover audit controls, unique identity access, emergency access of patient data, and encryption of data.
Physical safeguards: These will include the policies and procedures that protect your electronic systems and buildings where ePHI is stored. Your physical safeguards should protect your ePHI from internal and external threats, environmental hazards, and unauthorized access.
Face the challenge
Even if the HIPPA police aren’t knocking at your door today, the likelihood of it happening continues to increase. Keeping your patients’ ePHI safe and secure is your job as a clinician.
New technologies have their benefits but they also bring more complexity to practice. In this day and age, doctors of chiropractic should realize the necessity of working with outside organizations that can help them build successful systems in their practice. Implementing the required policies and procedures takes time, effort, and collaboration with EHR vendors, clinic staff, technology vendors and support, as well as third-party consultants who can provide safety and security for your patients’ records.
Resist the impact of change fatigue and take action instead. This will provide you with the peace of mind and restful sleep you need and deserve. Face the challenges head on and begin to have fun in practice
Ted A. Arkfeld, DC, MS, CPC, is the founder and president of the National Academy of chiropractic coders (NACC), the first national association specifically for the education and certification in chiropractic coding. He is now chief of risk management at Best Practices Academy and can be reached through bestpracticesacademy.com.
1 HHS.gov. “The HIPAA Privacy Rule.” https://www.hhs.gov/hipaa/for- professionals/ privacy. Updated Sept. 19, 2016. Accessed Sept. 12, 2016.
2 HHS.gov. “The HIPAA Security Rule.” https://www.hhs.gov/hipaa/for- professionals/ security/index.html. Updated Sept. 19, 2016. Accessed Sept. 12, 2016.
3 HHS.gov. “Omnibus HIPAA Rulemaking.” http://www.hhs.gov/hipaa/for- professionals/ privacy/laws-regulations/combined-regulation-text/omni bus-hipaa-rulemaking. Updated Sept. 19, 2016. Accessed Sept. 12, 2016.
4 Health IT.gov. “Top 10 Myths of Security Risk Analysis.” https://www.healthit.gov/providers-professionals/top-10-myths-security- risk-analysis. Updated Sept. 19, 2016. Accessed Sept. 12, 2016.