HIPAA COMPLIANCE and Why the Wise Provider Enlists Help in Achieving it


Posted on: May 31st, 2016 by claimsworks

HIPAA stands for The Health Insurance Portability and Accountability Act, which was passed by The US Congress in phases during 2000 – 2003, with the intent of instituting administrative reforms. The act was designed to hold the healthcare industry accountable for safeguarding the privacy of all patients’ Protected Health Information (PHI). The Office of the Inspector General (OIG) is the governmental agency that addresses HIPAA compliance amongst the ranks of healthcare institutions, medical practices, and accompanying business associates that handle PHI. The OIG’s enforcer arm is The Office of Civil Rights (OCR).

If you work in the healthcare industry, you know that HIPAA is a big deal. HIPAA non-compliance fines can range from $100 for single “I didn’t know” cases up to $50,000 per case for “willful negligence”. When many patients are involved in a PHI breach, the maximum fine caps out at $1.5 million, and in some cases the penalty can even include incarceration. So, with this threat looming over the heads of providers in private practice, a provider may ask: what exactly are all the aspects of HIPAA Compliancy, and more importantly, how does one ensure that his/her practice is compliant?

HIPAA COMPLIANCE goes well beyond just trying to keep Protected Health Information (PHI) secure. An initial printing of policies and procedures, along with a whole-hearted effort to educate employees about the rules and regulations of HIPAA, is where some practices stop. With fingers crossed, one can only hope that their practice will never experience a security breach (that could be the act of a disgruntled staff member seeking revenge). Or, adding insult to injury, a breach could result in a full audit by The Office of Civil Rights (OCR). True HIPAA Compliancy amounts to not only establishing policies and procedures to maintain security, but it includes the burden of proof that those policies and procedures are being followed to the T! That means documentation and ongoing maintenance are a must.

Some of the over-arching necessary action steps a practice must take are the following:

  • The practice must assign an officer in charge of all things HIPAA.
  • The practice must establish written Policies and Procedures to properly handle PHI and keep it secure.
  • The HIPAA officer must ensure that all staff members have read (and understood) the different aspects of the HIPAA rules pertaining to their specific roles in the practice.
  • Document updates must also be maintained to ensure ongoing staff education and attestation of the latest document revisions.
  • The practice must conduct an annual risk analysis.
  • If there are gaps that keep the practice from being fully compliant, remediation actions must take place to fill the gaps.
  • There must be an action plan already in place which would be followed in the event of a security breach.
  • Signed Business Associate Agreements must be on file for any and all companies commissioned by the practice to provide billing, collections, coding, transcriptions, etc.

According to The Health and Human Services (HHS) the OIG has established four Rules that must be observed to satisfy the rules and regulations of HIPAA. http://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html. The four HIPAA rules are as follows:

  • HIPAA Privacy Rule
  • HIPAA Security Rule
  • HIPAA Administration Rule
  • HIPAA Enforcement Rule

Under these rules, there are additional sub-categories that apply. For instance, under the Security Rule, physical security must be addressed. One common example is the sign-in sheet at the front desk of a medical practice, which should not visibly display the names of every patient that has visited the office that day for each subsequent patient to read. Staff must also be discreet and refrain from discussing any medical conditions with a patient within earshot of people waiting in the waiting area. That means a friendly office greeting such as, “How are your hemorrhoids today?” announced by the nurse for all to hear as she ushers her patient into the back office, would actually be a HIPAA violation.

Under the Security Rule there is also a sub-rule known as the Technology Rule, which addresses password protections and the need to encrypt electronic PHI. Depending on whether a practice uses a cloud-based Electronic Health Record system (EHR), or manages its health records electronically with its own server and purchased software, there are detailed policies and procedures that must be followed in order to keep PHI secure. Even something as simple as a receptionist asking a patient to just send an image of their medical insurance card via an ordinary email system like Gmail would be a HIPAA violation. While it is true that typically common sense would prevail in these types of situations, and these types of violations are unlikely to occur, HIPAA fines are so costly that the best approach is to be proactive and establish the policies and procedures that will minimize the risk of a HIPAA violation.

So, what’s the best way for a practice to help ensure they are HIPAA compliant and minimize the risk of HIPAA violations? Some build their own HIPAA compliancy plan from the ground floor, which is a daunting task. Others hire attorneys who help them to get started with templates for policies and procedures, while others enlist the help of HIPAA coaches or experts. Clearly there are a lot of different options for achieving and maintaining compliance, and these options have a wide range of prices. Prices can run up to $10,000 for a HIPAA coach, or take the form of costly attorney fees billed by the hour. One proven and economical approach is to use a HIPAA compliance company that offers effective compliancy solutions through a web-enabled approach, with a model that also includes the ongoing help of a HIPAA coach at only a fraction of the cost that other solutions would charge.

With the increased financial burdens that providers face in running their practices these days, some may be tempted to only hope that they never have to deal with any HIPAA problems, but such hopes may prove to be costly down the road. In the end, providers do not have absolute control over the choices that their staff and business associates make. A more proactive approach by way of enlisting the help of a HIPAA expert may serve as a valuable insurance policy of sorts in the face of a PHI breach and audit. If there is evidence of an annual self-audit and remediation, The OCR is much more likely to extend understanding if it is obvious that every effort was made to safeguard PHI.

Whether you are a solo practice provider or a large practice with multiple providers, it is never too early to address HIPAA compliancy and protect yourself from the headaches and costs associated with HIPAA violations. You’ll be glad you did, and what’s more, the stress of worrying about HIPAA compliance will be gone!