May 28, 2015 — A recent survey on HIPAA compliance conducted by NueMD, Porter Research, and the Daniel Brown Law Group uncovered several issues with compliance in medical practices.
Across the board, numbers relating to compliance or confidence in compliance were too low for comfort, especially within smaller operations. If your practice is struggling to keep up, there are a few easy first steps you can take to button up your compliance program.
HIPAA is more important than ever
You might have noticed a recent uptick in coverage on data breaches within healthcare. While a lot of news emphasizes hospitals and larger organizations, small covered entities are just as liable. And unfortunately, small practices usually don’t have a ton of cash to pay a fine (which can range from $100 to $50,000 per violation, with an annual cap of $1.5 million).
To drive its point home, the Office for Civil Rights is about to embark on their second round of HIPAA audits. At this year’s HIMSS Privacy and Security Forum, Linda Sanches, who heads the audit program, said, “We’ll be looking for periodic risk analysis and evidence of compliance, as well as documentation of policies and procedures being in place.”
With regard to these policies and procedures, you need to have a plan. Your plan should address all facets of your compliance program, including information flow, training procedures, HIPAA officers, breach notifications, and business associate agreements with outside vendors that access your patients’ protected health information (PHI).
One troubling stat from the survey is that only 58 percent of respondents at practices said they have plan. Below are a few key components of a solid compliance plan:
Train everybody at your practice with no exceptions. The survey called attention to several cases in which staff and providers weren’t on the same page as management and owners.
The solution is to periodically train your employees and make sure new staff members receive training during the onboarding process. And don’t forget to have proof—auditors will be looking for it.
Security and privacy officers
These officers are employees who make sure your practice stays in line with HIPAA standards. To get a better feel for their responsibilities, review these two sample job descriptions for Security Officers and Privacy Officers.
Breach notification policies
In the case of a security breach, your practice could be required to take specific action to resolve the issue. A breach could be triggered by occurrences such as the theft of a mobile device containing PHI or unauthorized disclosure of PHI.
“If there are less than 500 individuals involved, the organization must provide written notice to each of those individuals,” said healthcare lawyer Dan Brown. “If more than 500 individuals are affected, the organization has an obligation to notify the press about the breach, as well as the Department of Health and Human Services.”
The survey also indicated that only 45 percent of respondents from practices said they have a formal policy for PHI breach notifications. Auditors won’t be very happy with the other 55 percent.
Business associate agreements
Covered entities are responsible for creating contracts with their business associates to ensure the proper usage of PHI. This sample business associate agreement from HHS.gov states:
“A ‘business associate’ is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.”
For small practices, this could mean medical billing companies, software vendors, or other outside consultants.
At the HIMSS Privacy and Security Forum, Linda Sanches urged covered entities to create a complete list of all of their business associates.
Electronics and mobile devices
Considering the speed at which technology is moving forward, HIPAA implications get a little fuzzy. In many cases, it’s not as easy as saying, “this device is compliant” or not. One thing practices can do easily is catalog all electronic devices that could contain PHI, keep track of where they are and what they contain, and keep the list up to date.
Determining whether electronic devices and communication are compliant will require an in-depth review of how PHI is stored and transferred. Periodic risk analyses will help you find weak points in your flow of PHI and address problems before a breach occurs.
With a risk analysis, the idea is to identify all pathways that PHI can take, whether electronically, on paper, or via outside business associates, and make sure you don’t have any gaps. Proof of risk analyses tell auditors you’re taking compliance seriously. Unfortunately, only 33 percent of respondents from practices reported that they’ve conducted one.
The above tips are a good starting point, but achieving compliance is a big commitment and will require time. To accompany this information, check out this helpful webinar series on HIPAA compliance that offers further insight.
Beyond freely available information on the web, practitioners should contract with healthcare lawyers or HIPAA experts to ensure program compliance. For those with a tight budget, many consultants are open to a “team approach” that will help make the most of internal resources.
Source: ZOG Digital, Inc.