“Some nights I can’t sleep, worrying about HIPAA,” Dr. K confessed. “I’m sure I haven’t done everything I’m supposed to do. But when it comes to getting a handle on exactly what that is, it’s pretty overwhelming.” Dr. K is a successful professional who’s been in private practice for 11 years. She enjoys her work, cares about her patients, and keeps up with the latest advances in her field.
But concerns about HIPAA compliance have her waking up in a cold sweat, haunted by the thought of potential fines and possible lawsuits. She wants to do right by her patients when it comes to safeguarding their personal health information; she just isn’t sure how.
She isn’t alone. Complying with HIPAA, the law that provides national standards to protect the privacy of personal health information (PHI), has been a challenge since 1996 for hundreds of thousands of independent health-care providers. The most recent updates to HIPAA, known as the Omnibus Rule, haven’t made it any easier.
HIPAA compliance is a complex process that requires a serious commitment of time and effort. It’s not fun, and there are no quick fixes.
That said, there are certain steps a practice can take that will provide a solid starting point on the path to compliance, help protect the practice from litigation, and make those nightmares of being chased by hordes of HIPAA auditors far less frequent.
Four major must-do’s
The HIPAA auditor from Health and Human Services will need to see documented proof that a practice is doing its best to comply. Providing an auditor with evidence that the following four things have been done increases the odds of passing the HIPAA audit, big time.
1) Identify who’s in charge -- HIPAA requires that someone on staff be designated as the privacy officer and/or security officer. Both the privacy officer and security officer must know or quickly learn the ins-and-outs of implementing HIPAA in the office.
The privacy officer is responsible for setting up and implementing compliance policies and procedures for the privacy of patient information. His or her duties go beyond creating, posting, and distributing the office’s Notice of Privacy Practices. This person also handles patient questions about HIPAA, requests for information, authorization, and health records.
The duties of the security officer focus on ePHI (Electronic Protected Health Information). He or she must be able to evaluate the practice’s digital security risks when it comes to such things as hacking, malware, and viruses, and see that measures are put in place to ensure that the practice’s electronic information is, and remains, safe.
2) Develop and document policies and procedures -- In most practices, it will fall to the privacy officer and/or security officer to make sure the “policies and procedures” part of the compliance process is in place. The place to start is with the existing policies and procedures for the day-to-day functioning of the office. If none have ever been documented, they need to be.
The policies and procedures required by HIPAA add a new dimension to the practice’s basic policies and procedures. HIPAA requirements include things such as:
• Data backup and recovery plans
• Security procedures
• Business associate agreements
• Processes for managing risk
• Procedures for reporting a breach
• Procedures for providing ongoing HIPAA training for staff
Each health-care office needs to specifically define how it’s going to deal with these issues. Accomplishing this takes more than talk. It requires documentation, so that everyone who works in the office knows or can easily access information on how the practice handles matters related to HIPAA. It also requires an ongoing effort to keep the staff trained in the updated policies and procedures that reflect the most recent versions of the law.
3) Perform a risk analysis -- A risk analysis examines whether the way a practice handles ePHI poses risks to the confidentiality, integrity, or availability of that information. It starts with questions like:
• Where does this office store data and how is that data transferred?
• What are the potential risks and vulnerabilities in the systems used?
• What is the likelihood of data being compromised?
• If data is compromised, what impact would that have on the office and its patients?
A risk analysis should be performed annually or whenever there has been a change in the technology the office uses in connection with patient health information, for instance, a new computer system, server, or router.
How important is it to do and document a risk analysis regularly? Recent HIPAA enforcement actions have cited a missing or outdated risk analysis as the basis for penalties and fines in excess of $1 million!
4) Create a mitigation plan -- The risk analysis identifies potential problems and vulnerabilities. A mitigation plan answers the question, “What is our office going to do about all that?” Each risk should be evaluated as to the likelihood of it happening and the consequences to the practice if it does. A mitigation plan needs to include not only how the identified risks are going to be handled, but also the estimated dates by which the problems will be fixed. Again, HIPAA auditors will want to see documented proof that an office has a plan like this in place.
Why documentation is important
Clearly, HIPAA compliance involves more than an annual training session for the staff and a binder of policies from 2007 in the bottom drawer of the receptionist’s desk. HIPAA now requires that a practice be able to prove that it is compliant. The best and possibly the only way to do that is by documenting the various steps a practice has taken. Getting started is the most important step now.
A practice will fail the test for compliance if it appears to have willfully neglected to do what this law requires — in other words, if there’s nothing in writing that can substantiate that the practice has made a serious effort to comply. Auditors want proof, the kind they can see. Providing such proof goes a long way toward helping a practice avoid the fines and legal problems brought on by non-compliance.
Resources for the next steps
There are a variety of ways for a practice to have the requisite documents in place when that auditor from HHS says, “Show me.” These range from hiring consultants or legal counsel, to purchasing compliance materials from professional organizations, to installing special software that hopefully isn’t already outdated. Among the more efficient and economical alternatives are companies that offer online solutions, including customizable templates and up-to-date guidelines on policies and procedures.
This list of four essential steps for HIPAA success is by no means comprehensive, but it is a start, and a way to rest easier when it comes to HIPAA compliance.
Roman Diaz is president and founder of Touchstone Compliance, a San Diego-based company offering a comprehensive suite of interactive online tools for meeting HIPAA standards.