Electronic Health Reporter

NueMD, provider of cloud-based medical practice management software for small practices, in partnership with Porter Research and the Daniel Brown Law Group, surveyed practices and business associates about HIPAA compliance and how small practices and billing companies are coping. The survey of about 1,200 healthcare professionals, conducted during October 2014, found medical practices and billing companies are struggling to comply with regulations under the Health Insurance Portability and Accountability Act.

“Understanding HIPAA can be difficult for practices and billing companies, especially if they’re already scrambling to keep up with changes like ICD-10 and meaningful use,” said Caleb Clarke, sales and marketing director at NueMD, in a statement. “With audits looming, we wanted to get a sense of where the industry stands and provide resources to help those who may be struggling.”

NueMD surveyed practices and billing companies in all 50 states; most of the practices were small and made up of one to three providers.

In a nutshell, the survey found that:

• 66 percent of respondents were unaware of HIPAA audits (a staggering number)
• 35 percent of respondents said their business has conducted a HIPAA-required risk analysis
• 34 percent of owners, managers and practice administrators reported that they were “very confident” that their electronic devices that contain PHI were HIPAA compliant
• 24 percent of managers, owners and practice administrators at medical practices reported that they’ve evaluated all of their business associate agreements
• 56 percent of office staff and (non-owner) care providers at practices said they’ve received HIPAA training in the last year

HIPAA is one of the primary and most comprehensive government regulations that affect the daily activities of each healthcare organization every day.

Signed into law in 1996, the law outlines policies to protect sensitive patient data and penalties for those who don’t comply. Recent updates under the HITECH act introduced several changes that affect the responsibilities and liabilities of covered entities and business associates.

Enforcement of breaches is occurring at a more rapid pace. HITECH extended certain HIPAA security and privacy requirements and set the stage for greater enforcement, including:

• Widening the scope of the law, requiring health information exchanges to be business associates of healthcare entities, and applied HIPAA privacy and security requirements directly to the HIEs.
• Greater penalties for noncompliance.
• Redirecting civil monetary penalties back into enforcement activities instead of into the general fund. This provides additional funds for future enforcement and incentivizes proactive enforcement activities.
• Adding breach notification requirements to entities that operate personal health records or otherwise maintain personal health information for purposes other than healthcare delivery or payment.
• Opening the way for enforcement by states’ attorneys general.

Also, the HITECH Act incentivizes a more aggressive pursuit of HIPAA, which means it’s more likely that healthcare organizations will now be audited more regularly.

Audits are scheduled to begin at any time.

According to the survey, a crucial component of HIPAA compliance plan is a staff training policy. Training should be conducted at least once a year to make sure everybody is on the same page, NueMD suggests. Everyone should know how HIPAA affects their day-to-day work, and how to respond quickly and appropriately to security breaches. Only 62 percent of owners, managers and administrators said their business provided annual HIPAA training; of those, only 65 percent said they have proof.

Additionally, only 45 percent said their business/practice has a formal policy for PHI breach notifications.

Even more eye opening is that only 33 percent of respondents said their practice has performed a PHI risk analysis to assess how and where inappropriate disclosures are likely to occur and only 14 percent of owners, managers and administrators said they weren’t sure if their practice conducted an analysis, while 43 percent of office staff and non-owner care providers said they weren’t sure. Yes, NueMD, “with potential audits just around the corner, these numbers don’t bode well for practices.”

Let’s not get into mobile devices. They are being used regularly with no or little accountability for whether they are HIPAA compliant even though patient information is being exchanged on them.

To wrap up the survey, NueMD asked all respondents the same question: “How confident are you that someone at your business is actively ensuring your business’s compliance with HIPAA?” When considering all respondents from medical practices, 38 percent said they were “very confident;” 44 percent said they were “somewhat confident;” and 19 percent reported “not confident at all.”

“It’s troubling to see that so many practices aren’t participating in training programs for their staff,” said Daniel Brown, managing shareholder at The Daniel Brown Law Group. “If an audit were to occur at that particular practice, one of the biggest red flags is that the staff is unaware of the HIPAA compliance plan and what their role is in it.”

Anyone concerned about HIPAA or those managing the program for their practices needs to check out the complete details of the NueMD survey. Perhaps the details of the report will scare folks into action.

To view the results, visit http://www.nuemd.com/hipaa/survey.