Published in Billing Coding Magazine – June 2014 Issue
By: Patrick Phillips
“I know HIPAA is required, and I know it’s important, I just don’t know what exactly HIPAA requires me to do.”
Don’t feel bad if this statement sounds all too familiar. Many doctors, nurses, office managers, and healthcare professionals share the same confusion over HIPAA compliance. Unfortunately, noncompliance with the HIPAA standards puts organizations at greater risk now than ever before.
Who is responsible for HIPAA?
Every Covered Entity (CE), including a doctor’s office, has to name someone as its compliance officer; it could be a doctor, but most of the time it’s the office manager. If HIPAA compliance is one of your responsibilities, violations may put your employment, career, and livelihood at risk. Fines range from $100 to $50,000 per incident.
Recent legislation has increased the government’s ability to enforce compliance with aggressive audits and fines. September 23, 2013 marked the first day of audits, and you may be in the HHS audit crosshairs. The Office for Civil Rights (OCR) is auditing 5% of all CEs and their Business Associates.
Here’s what HHS OCR Director Leon Rodriguez says: “An ounce of prevention is worth a pound of cure. That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information.”
And yet, according to the HHS’s own estimates, over 70% of all practices are NOT compliant. Are you? Are you sure?
Failing to secure electronic PHI is risky. Ask the owner of a Massachusetts three-doctor practice that was recently fined $150,000 because someone in the office had backed up patient records to an unencrypted thumb drive that was stolen.
Nationwide, over 27,000,000 medical records have been exposed in the last three years. That’s more than the populations of New York City, Los Angeles, Chicago, Houston, Denver, and Seattle combined.
“Changes resulting from the final omnibus rule not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of [the OCR] to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates,” says Mr. Rodriguez.
Business Associates can include labs, collection agencies, confirmation/messaging services, IT partners, consultants, cleaning crews and other unsupervised after-hours services, billing companies, accountants, attorneys, and independent contractors.
Compliance with all HIPAA regulations will now be enforced through random audits, vigorous pursuit of claims for breaches, a sympathetic court system, and public censures.
HIPAA’s three rules
Most people in the healthcare industry are familiar with the purpose of HIPAA compliance, but not everyone realizes the HIPAA standard is actually a combination of three separate rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule.
1. Privacy Rule — The Privacy Rule addresses appropriate Protected Health Information (PHI) use and disclosure practices by healthcare organizations, and designates the right for individuals to understand and control how their medical data is used.
2. Security Rule — The Security Rule sets standards for protecting PHI that is stored or transmitted in electronic form. The Security Rule is designed to be flexible and scalable to accommodate healthcare organizations of all sizes and levels of technology sophistication.
3. Breach Notification Rule — The Breach Notification Rule details the actions that must take place and the parties that must be notified in the event of a PHI breach.
The opportunities for unauthorized disclosure are many and can take many forms:
- Untrained staff may accidentally disclose protected information
- Patient records piled on the receptionist’s desk where other patients make co-pays
- Physician staff call in prescriptions or schedule patient appointments for tests within earshot of other patients or visitors
- Protected information is transferred electronically (like through email) without encryption
- A laptop containing protected information is stolen from your outsourced collection agency — you are held responsible!
- A breach of confidentiality unintentionally occurs but goes unreported
- Computers are accessible to non-essential users or monitor screens are visible to patients and visitors
- Due to a lack of proper HIPAA training, a new member of your staff disposes of extra photocopies of patient records without shredding
What happens if you are not compliant?
Here are just a couple of ways that noncompliance with the HIPAA standards can negatively affect a covered entity:
1. DATA Compromise — Few things are more devastating to a healthcare organization than the effects of a PHI data breach, which may include:
- Financial penalties: On top of the severe fines levied by the HHS, the HITECH Act also gives state attorneys general the ability to impose civil penalties on behalf of state residents for violations of the HIPAA Security and Privacy Rules.
- Negative publicity: Breaches greater than 500 records require covered entities to not only notify patients affected by the breach, but also the media. This damages brand equity and publicly embarrasses the organization.
- Loss of patient trust: According to a recent survey, 76% of patients state they will stop dealing with an organization responsible for a privacy breach. Losing 76% of your patients will make a noticeable impact on revenue and inhibit your ability to provide quality healthcare.
2. HHS AUDITS — September 23, 2013 marked the deadline for covered entities to comply with HIPAA standards, and the HHS has begun to audit healthcare organizations and assess fees of up to $50,000 per day per violation.
What could trigger one of these audits?
- A breach or complaint of a breach
- A complaint of a privacy or security violation by anyone, including patients and current or former employees (Have you ever had an angry patient? Maybe a disgruntled ex-employee?)
- Filing for EHR reimbursements
- OCR just feels like it! The OCR has stated on multiple occasions that they will conduct audits on randomly selected covered entities. So even if you are hiding in the back row, the OCR may still call you to the front of the class.
What could happen in the case of a breach?
- Fines and penalties ranging between $100 and $50,000 – even for inadvertent breaches
- In serious cases, loss of accreditation, loss of license, dramatically higher fines, and even imprisonment are possible
- Your reputation and patient confidence may be lost
- You face the threat of litigation by affected parties
- Your business may be interrupted by the impact of a HIPAA violation
- Third-party payers may delay processing, suspend, or deny claims
What can you do to make sure none of the above happens to you?
Compliance does not have to be hard. It is just a set of rules. All you have to do is know the rules and follow them. That means having Privacy and Security policies and procedures that will protect PHI.
Although you can do it yourself, using purchased solutions or an independent company or consultant to do a risk analysis or “gap assessment” is faster and more reliable. These security experts can find out what, if any, deficiencies you might have in your practice.
The purpose of the risk analysis is to help covered entities identify (and document!) potential security risks (i.e. threats and vulnerabilities). Every security effort your organization makes will be determined by your risk analysis, so it’s critical to conduct a thorough and accurate assessment.
Some generally accepted steps that outline the process are:
- Identify the scope of the analysis
- Gather data
- Identify and document potential threats and vulnerabilities
- Assess current security measures
- Determine the likelihood of threat occurrence
- Determine the potential impact of threat occurrence
- Determine the level of risk
- Identify security measures and finalize documentation
There are several reasons why you should take the risk analysis very seriously.
First (and most obvious), this process will help you identify your organization’s greatest areas of risk.
Second (not so obvious but equally important), in the event of a data breach or random audit, covered entities that have not conducted a thorough and accurate risk analysis can expect to be hit with severe financial penalties.
A competent consultant should be able to suggest solutions to help you achieve compliance.
However, a risk assessment does not automatically make you “HIPAA compliant.” The risk assessment is just a checklist of things you should be doing to maintain the privacy and security of patient information and to help you achieve compliance where you are lacking.
The next important step is to be able to illustrate, on a regular basis, your total compliance plan and due diligence, including any corrective actions you have taken to make sure you are complying with the checklist.
Make sure the consultant is willing to work with you to maintain your compliance by training each of your staff members, and make sure each of them is tested to show their personal understanding of and compliance with HIPAA.
A competent consultant will also work with your Business Associates to ensure that each of them is complying with HIPAA as well. When in doubt, they should require BAs to prove their compliance. Remember, you are personally responsible for breaches that occur through your BAs.
Conclusion – To be safe, get help
The HHS has stated on multiple occasions that they will make examples of healthcare organizations that put PHI at risk. Given the stated importance and heavy consequences associated with the risk analysis, you may want to consider working with a HIPAA security expert to get and keep your office compliant.
Licensees of American Business Systems can help offices comply with HIPAA so that no one in the office has to lose their job.