HIPAA Is Not Do It Once and You’re Done
Guest post by Lea Chatham, Editor-in-Chief, Getting Paid Blog.
I remember when the Health Insurance Portability and Accountability Act (HIPAA) passed. I was working for a leading practice management software vendor. Everyone was overwhelmed by what was involved. We developed a huge amount of education and information for our customers. Some people wondered if the healthcare industry could make such a major change.
Today, HIPAA is ubiquitous. Many practices take it for granted. They are not concerned about a breach because they believe they have done everything they need to do. In a recent MedData Group study of physicians’ top practice management priorities for 2015, HIPAA didn’t even make the list.
“We instigated HIPAA when it came out, and it is in place and second nature to us,” said Joann Lister, a provider at a family medicine practice in Texas. “We have all worked at the hospital so we had plenty of training on the rules. Our physical space and computers are confidential. Our practice management and EHR software, Kareo, always goes back to login when we are done in a room so the next patient does not see anything. We have limited personnel so it is easier to know that everyone honors the HIPAA rules.”
The question is: Have practices gotten too complacent with HIPAA? With the latest changes to HIPAA in 2014, have they followed through on making changes and updates? The data and the experience of industry experts and consultants suggest that there may be a problem with HIPAA compliance.
“The last analysis we did for a practice had 41 pages of regulations that required implementation,” recalled practice management consultant Rochelle Glassman, CEO of United Physician Services. “Most practices do not know what the complete requirements are. They believe that if they have the patients sign the privacy form that is all they need to do. This year there were updates that included the new HITECH Act and the HIPAA Omnibus rule. I can guarantee that many practices have not updated their HIPAA program to include the changes because they do not even know they exist.”
Glassman may have a point; HIPAA complaints have been steadily increasing each year. According to HHS, there were nearly 13,000 complaints in 2013. Also in 2013, only a small fraction of cases were found to have no violation (7 percent). The second most common issue in breaches is the use or implementation of privacy and security safeguards.
On December 8, HHS announced a major HIPAA settlement that relates directly to this issue of safeguards. The organization involved has agreed to pay a $150,000 fine for a breach that was caused by failing to update software and install necessary patches. According to Matthew Fisher, an attorney who blogged about this breach, “With regard to the HIPAA Security Rule, organizations should remember that compliance is customizable. The Security Rule recognizes and acknowledges that all organizations are different. As such, certain elements are required and others are addressable. The required elements must be put into place and organizations need to make a case by case assessment on how to deal with the addressable items. A risk analysis is the essential first step as the analysis will identify areas of weakness for an organization.”
Fisher adds, “It is not enough just to do a risk analysis once and then prepare and implement policies though. HIPAA Security Policies must be living, breathing documents that adapt to changing circumstances.” And here is the rub for organizations that believe HIPAA is inherent and they don’t need to continue to train, update, and adapt.
Practices must review HIPAA policies and update forms and processes each year to reflect changes. HIPAA is definitely not a do-it-once-and-you’re-done set of rules and regulations.
To get the latest news and updates on HIPAA, visit www.hhs.gov/ocr.