The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides federal protection for individuals identifiable health information held by covered entities and their business associates, and gives patients rights with respect to that information. HIPAA ensures that you have rights over your health information. That includes the right to review your personal information, making sure it is correct and to know who’s looked at it.
In January of 2013 the HIPAA Omnibus Ruling was released and went into effect in March of 2013. With the release of the new rulings, the Office of Civil Rights (OCR) became vigilant in protecting patient rights. Protection of a patient’s protected health information (PHI) is not to be taken lightly.
OCR says more HIPAA Audits are coming in 2014. Practices of all sizes should be concerned this year with a staggering increase in audit and compliance demands concerning HIPAA and IT Security. Federal regulators are in the process right now of implementing a permanent HIPAA audit program. According to Leon Rodriguez, director of the Department of Health and Human Services’ Office for Civil Rights, future HIPAA audits will be narrower in scope and will focus on vulnerabilities that might change year to year as new issues come into focus. “Audits are less likely to be broad assessments generally across the Rules and more likely to focus on key areas of concern for OCR identified by new initiatives, enforcement concerns, and Departmental priorities,” Rodriguez said.
One key area of concern for the OCR has been the continued lack of thorough risk analysis. This was a major weakness OCR found during the HIPAA pilot audit program, as well as through breach investigations. Organizations would be wise to augment whatever processes they have in place to ensure the risk analyses, whether they’re internal or external, are up to par for OCR.
Another key area of concern is compliance with the HIPAA Omnibus Rule which took effect last year. The findings from the pilot audits indicate that business associates and covered entities generally have more difficulty complying with the Security Rule and that small covered entities struggle with compliance in each of the assessment areas – privacy, security and breach notification. You can expect under the new permanent audit program, more business associates, as well as covered entities, will be audited for Omnibus compliance.
The OCR’s recent enforcement activity demonstrates just how committed they are to holding organizations accountable for non-compliance. In 2013, OCR reached five resolution agreements with payments totaling approximately $3.7 million. These figures from a single calendar year represent nearly half the total number of resolution agreements and payments over the five-year period from 2008 through 2012 (11 cases – 10 million). Cases involved major security failures, where a breach incident led to investigations that revealed larger systemic issues, in addition to inappropriate disclosure of data and the denial of access of records to patients.
Rodriguez has even said he expects that OCR “will continue to leverage more civil penalties.” He noted that his office has approval to bank penalties it collects to fund enforcement actions across fiscal years which will enable OCR “to maximize funding our auditing and breach analysis” activities, he added. So in this enforcement environment, it is absolutely imperative that organizations regularly review their HIPAA compliance program and implement ongoing HIPAA training for their employees.
The government is coming after small practices that violate HIPAA. To help ensure that you are prepared for whatever HIPAA-related issues may be heading your way, here’s what experts say your practice should be doing – and what it should definitely not be doing – when it comes to privacy and security rules.
- Do polish your policies. To ensure that you are ready if an auditor comes knocking, critically assess your policies and procedures and update them if necessary.
- Do audit effectiveness. Ensuring all your policies and procedures are update is a good start, but you must also make certain those policies are working.
- Do plan for worst-case scenarios. If a security or privacy breach does occur at your practice, it’s crucial to handle it quickly and appropriately.
- Do reevaluate and reeducate. It’s important to provide HIPAA training to staff as soon as they begin working at your practice.
- Do tailor to job function. Keep in mind that while every policy needs to have a staff member trained on it, not every staff member needs to be trained on every policy.
- Don’t overestimate. Even if you think that you have provided staff members sufficient training, assess their skills periodically.
- Don’t get lax. If despite sufficient training your staff members fail to comply with your practice’s policies and procedures, a lack of discipline may be to blame.
- Don’t overlook problem areas. While practices come in all shapes and sizes, feedback from the OCR following the first 20 audits during the HIPAA Audit Program indicates that you share some common problem areas when it comes to compliance.
- Don’t try to do it all. The security rule is so complicated that hiring a compliance consultant is a must.
- Don’t get caught unaware. Stay updated regarding HIPAA by monitoring any relevant cases that arise and following any related news coverage.
Big HIPAA Don’ts – Don’t let these more obvious mistakes create big problems for your practice:
- Asking patients to sign a shared sign-in sheet.
- Discussing patients in public areas or with friends and family.
- Sharing passwords or making them easily identifiable.
- Failing to log off computers.
- Leaving patient files easily accessible.
- Posting patient information online without ensuring it is de-identified.
- Looking up a patient’s medical record without a valid reason.
For more information on the do’s and don’ts click here.
This blog post was written by our guest blogger Al Tripodi, Healthcare Administrative Assistant for RMS Healthcare – Practice Transformation. RMS Healthcare can provide consultation and training services to ensure HIPAA Privacy and Security Compliance within your organization. If you would like to learn more about HIPAA Privacy and Security Compliance or further discuss how RMS Healthcare can help you, contact our Director of RMS Healthcare Susan Maxsween at SusanM@RMSresults.com or by calling 1-866-567-5422.