NueMD, provider of cloud-based medical practice management software for small practices, in partnership with Porter Research and the Daniel Brown Law Group, surveyed practices and business associates about HIPAA compliance and how small practices and billing companies are coping. The survey of about 1,200 healthcare professionals, conducted during October 2014, found medical practices and billing companies are struggling to comply with regulations under the Health Insurance Portability and Accountability Act.
“Understanding HIPAA can be difficult for practices and billing companies, especially if they’re already scrambling to keep up with changes like ICD-10 and meaningful use,” said Caleb Clarke, sales and marketing director at NueMD, in a statement. “With audits looming, we wanted to get a sense of where the industry stands and provide resources to help those who may be struggling.”
NueMD surveyed practices and billing companies in all 50 states; most of the practices were small and made up of one to three providers.
In a nutshell, the survey found that:
- 66 percent of respondents were unaware of HIPAA audits (a staggering number)
- 35 percent of respondents said their business has conducted a HIPAA-required risk analysis
- 34 percent of owners, managers and practice administrators reported that they were “very confident” that their electronic devices that contain PHI were HIPAA compliant
- 24 percent of managers, owners and practice administrators at medical practices reported that they’ve evaluated all of their business associate agreements
- 56 percent of office staff and (non-owner) care providers at practices said they’ve received HIPAA training in the last year
HIPAA is one of the primary and most comprehensive government regulations affecting the daily activities of every healthcare organization.
Signed into law in 1996, the law outlines policies to protect sensitive patient data and penalties for those who don’t comply. Recent updates under the HITECH Act introduced several changes that affect the responsibilities and liabilities of covered entities and business associates.
Enforcement actions following breaches are occurring at a more rapid pace. HITECH extended certain HIPAA security and privacy requirements and set the stage for greater enforcement, including:
- Widening the scope of the law by requiring health information exchanges to be business associates of healthcare entities and applying HIPAA privacy and security requirements directly to the HIEs.
- Greater penalties for noncompliance.
- Redirecting civil monetary penalties back into enforcement activities instead of into the general fund. This provides additional funds for future enforcement and incentivizes proactive enforcement activities.
- Adding breach notification requirements to entities that operate personal health records or otherwise maintain personal health information for purposes other than healthcare delivery or payment.
- Opening the way for enforcement by states’ attorneys general.
Also, the HITECH Act incentivizes more aggressive HIPAA enforcement, which means healthcare organizations are now more likely to be audited on a regular basis.