Neither a cash practice nor a sophisticated EHR system excuses you from HIPAA compliance.
In the healthcare world, HIPAA is the law of the land. No matter what exception you assume you fall under, you are not exempt from its rules. That includes cash practices.
Practicing physicians must meet two sets of HIPAA standards. The privacy rules apply to all practitioners and to patient health information (PHI) in any form, including paper. In addition, the security rules apply to all practitioners who store or transmit PHI electronically. This includes copy and fax machines that store information on a hard drive, and computers that house information, even if they are not used to file insurance and only contain “data at rest.”
In 2014, Parkview Health Systems made a costly mistake when company employees left 71 cardboard boxes containing patient files unattended in a physician’s driveway. Unfortunately, home delivery flat rates don’t apply in the case of a HIPAA breach. The story ends with an $800,000 settlement—and that’s not all.
Having violated a major HIPAA privacy rule, Parkview had to cooperate with the Office of Civil Rights in not only paying the massive fine but also committing to a corrective action plan, undergoing a thorough evaluation of their policies and procedures, and implementing staff retraining.
Reality check
Still, it’s not unusual to hear doctors say they believe HIPAA only applies to insurance practices, electronically stored data, or practices with a minimum number of employees. Some doctors assume that once they’ve purchased a certified EHR system, HIPAA will give them the stamp of approval. They’re wrong. Implementing EHR software alone does not put your practice in compliance.
While a certified EHR system may satisfy HIPAA laws regarding software requirements, software alone remains one small aspect of a compliant practice. A compliance program consists of a multifaceted process that meets all of the standards and requirements of HIPAA privacy and security laws. This is a daunting undertaking if it has been ignored for the last 11 years while the laws have been in effect and evolving.
A complete HIPAA compliance program consists of a risk analysis, meeting required training standards, implementing ongoing safety updates, a contingency plan that addresses emergency data recovery and emergency operation mode, about 80 to 150 pages of policies (in the typical chiropractic clinic), audit schedules, implementation of the new Omnibus Rule of 2013, technical and physical safeguards for electronics, and much more.
Information systems review
Most recently in the spotlight is the HIPAA requirement for performing an information systems activity review. Since early last year, doctors have been receiving notifications from an outside agency hired by the Centers for Medicare and Medicaid Services (CMS) that they have been selected for a random audit related to meaningful use. These audits require that doctors produce proof that what they attested to was actually completed.
These audits have traditionally asked for proof that certain core measures were accomplished and have required submission of the clinic’s risk analysis. They have increased in number and now also ask for completion of the lesser-known information systems activity review.
This review investigates how a practice is controlling the alteration, creation, and deletion of electronic data, as well as paper records and other media. It requires that procedures be in place and documented to regularly review systems activities including:
- audit logs (how each device containing PHI is audited, which logs are turned on, etc.)
- audit trails
- access reports
- potential risks and cases of security breach
- the disposal and reuse of media that contains PHI (including paper)
- data backup and storage accountability measures
It also requires a written policy and procedure regarding the process to receive and remove media hardware that contains PHI and a log of where hardware is, where it goes, and who has it. Furthermore, a written policy must outline how former employees are cut off from access to data and devices, and how that is accomplished. Other areas that must be addressed are automatic logoff, integrity controls (intrusion detection), and how “spoofing” is handled.
A true HIPAA compliance program will cover and accomplish these tasks as a portion of the overall program; however, these points must be formalized and supported by documentation into an information systems activity review.
These requests are presently arriving in doctors’ offices across the country, so there is no time to delay. Take action now, and get professional help if you need it.
Ty Talcott, DC, is CEO of HIPAA Compliance Services. He has been consulting with practices for decades and assists with protection from regulatory risk. He has developed specialized programs to assist individual chiropractors and their associations. He can be contacted at 214-437-7559 or through hipaacomplianceservices.com.