July 20, 2018
With considerations and requirements that can be somewhat overwhelming, achieving HIPAA compliance can be quite challenging for medical practices. Even for those well acquainted with HIPAA provisions, there’s always the possibility of gaps and weaknesses. According to the Department of Health & Human Services (HHS), an average of 1,445 complaints have been submitted each day during the calendar year 2018. This staggering statistic means there is much cause for concern.
Often, the missteps in HIPAA compliance aren’t deliberate or due to lackadaisical procedures, but rather the result of insufficient documentation and/or inefficient tools. The first step in determining where your vulnerabilities lie is through a security Risk Analysis. However, a Risk Analysis is often considered the Achilles heel for practices, requiring substantial documentation on multiple processes and contingencies. While the many complex layers of a Risk Analysis present multiple opportunities for errors to occur, its importance in passing audits and being prepared is invaluable.
The Office of Civil Rights (OCR) has determined that the Risk Analysis, which is derived from the Security Rule, to be the foundation of a HIPAA-compliant program. The Risk Analysis and its significance in HIPAA compliance impacts every part of the healthcare ecosystem. There are no opt outs of HIPAA compliance, no matter the size of an organization or any other influencing factors. Every organization that transmits any Personal Health Information (PHI) in an electronic format or in data content in connection with a transaction for which HHS has adopted a standard, must be HIPAA-compliant. This includes providers such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, health insurance companies, HMOs, company health plans, government and military/veteran healthcare programs, healthcare clearinghouses, and/or MACRA/MIPS participants.
In straightforward terms, per the HHS site, the purpose of the Risk Analysis is to “conduct an accurate and thorough assessment of the potential risk and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].” To ensure that information is protected and safeguarded to HIPAA standards, the Risk Assessment takes into account three separate organizational areas: physical, technical, and administrative. Each division must have its own plan for compliance, detailing both strengths and possible weaknesses. It’s also not a one and done type of exercise–plans must evolve throughout a healthcare organization’s lifespan.
In today’s medical profession, failing a Meaningful Use (MU) audit isn’t as uncommon as one would hope. In fact, the Morning eHealth section of Politico magazine reported that according to Centers for Medicare & Medicaid Services (CMS) data, 209,000 doctors and providers were penalized for failure to meet MU standards in 2014, which is approximately two in five physicians practicing in the U.S. Failing a Meaningful Use audit often comes down to the same weak link—either the lack of, or the insufficiency of, a practice’s Risk Analysis. And further reports on 2016 HIPAA audits by HHS.gov have found that organizations did not have an adequate Risk Analysis 83% of the time. As the foundation for HIPAA compliance, it’s simple to see that Risk Analysis deficiencies can impact many other components of the compliance bionetwork as well.
Risk Analysis sets the tone for HIPAA compliance, and having a sound plan that details strategies in all three areas is essential. However, many other pieces must fit together to complete the puzzle. Remaining compliant is an ongoing act of vigilance. Policies and procedures must be drafted that define processes to safeguard PHI, and should include Disaster Recovery and Business Continuity Plans—compliance must continue even when the worst scenario occurs. In addition, every day operating initiatives must be supported, such as password protocols and staff training. In fact, staff should be trained in PHI security within 90 days of hire, with continued education scheduled on an annual basis.
Furthermore, organizations should set in place routine procedures to ensure patients sign required HIPAA-related notices and forms, during both new patient onboarding, and on an annual basis going forward. It is also essential to regularly verify that vendors and other providers that interact with a patient’s PHI are not only HIPAA-compliant, but have executed Business Associate Agreements to offset any liability in the case of a breach. Lastly, retaining HIPAA documentation in both hard copy and digital means practices have information readily accessible to confirm compliance.
In today’s modern electronic healthcare world, HIPAA compliance is mandatory, crossing all sectors of the healthcare industry. To avoid costly penalties, data violations, and breaches in doctor-patient trust, small practices and large organizations alike must keep current with the HIPAA landscape and ensure that weaknesses in their systems are turned to strengths.
Join a free webinar hosted by Abyde & ChartLogic to learn more about Security Risk Analysis and other related HIPAA requirements. In this complimentary educational HIPAA compliance webinar, other topics covered will include: