In the event of any incident involving your medical record data, many action items for your practice will be required to address the situation. These activities extend far beyond your normal concern for patient care and are not part of your practice’s daily routine. As outlined by HIPAA regulations, a covered entity is required to notify affected patients, as well as the state’s governing medical boards and the Health and Human Services (HHS) department. Depending on how these notifications are handled, they may preserve or deter patient’s confidence in your practice. Following a breach, there is a strong possibility of a HIPAA audit, during which your practice must demonstrate historic compliance with HIPAA rules based on many previous years policy and response management documents.
The frequent reports of data breaches over the last few months demonstrate the importance of taking every step possible to protect your patients’ medical records. It is just as important to the longevity of your practice to properly document HIPAA compliance and to be prepared for rapid presentation for an audit under any circumstance.
HIPAA Breach Notification Rule
On the Department of Health and Human Services (HHS) website, in the HIPAA Breach Notification Rule, covered entities are required to notify all affected individuals in the event of a breach. The covered entity must document that they have made all required notifications in accordance with all applicable federal and state requirements. When notifications are prepared in haste they are prone to leave out important details or not meet all the requirements of notification rules. Also, by preparing these documents in advance, a practice can identify the resources required to properly address patient inquiries while continuing to serve the ongoing medical needs of patients. We suggest preparing for the worst while hoping for the best by using a compliance management system.
Preparing Your Practice For Breach Notifications
Has your practice implemented written policies, procedures, and standards of conduct regarding security and privacy? Is there a designated compliance officer and committee as regulation require? As importantly, do you have the document archives to show this designation to a specific individual or group? If you answered “no” to any of these questions, your practice does not adhere to the definition of compliance outlined by HHS. Trying to create these documents during the crisis may be too late to produce the best results.
In a report distributed by the Office of Inspector General in 2015, almost half of the participating covered entities that had privacy issues were non-compliant with at least one privacy standard. PrognoCIS partners with the Compliancy Group to ensure that its systems are 100% HIPAA compliant. The Compliancy Group delivers audits (privacy, administrative, and security risk assessments), as well as gap identification, remediation planning, policies and procedures, training and tracking of employee attestation, document and version control, incident management, and business associate management. Clients of the PrognoCIS compliance as a service (CaaS) partner – The Compliance Group – have never failed OCR or CMS auditing.
Although the risk of a Protected Health Information (PHI) exposure is always possible, becoming a HIPAA-compliant practice and displaying third-party compliance validation in advance of any incidents is a strong safeguard to regulatory penalties, and it inspires patient confidence that PHI is secure at your practice. The Compliance Group offers a HIPAA compliance shield as their mark of validation, and also functions as a link to generate third-party validation reports for interested parties.
For example, when an employer is seeking an occupational medicine or urgent care practice for its employees’ medical needs, it might require the verification of HIPAA compliance. Having the compliance shield displayed on its website allows these medical groups a simple way to satisfy the due diligence of verifying that their Occupational Medicine EHR or Urgent Care EHR is HIPAA compliant by a simple click of the compliance shield link.
Best Practices Related to Managing HIPAA Compliance
In advance of any event related to policies and practices related to securing PHI, making sure that your practice is fully compliant, including a well-organized and managed document archive is crucial. The Compliancy Group offers templates in a browser-based application, accessible with any web browser, related to every facet of a practice’s compliance needs. In addition, they provide hours and hours of one-on-one guidance and training for very experienced compliance professionals as part of their subscription-based service. If a PHI related incident happens, being prepared in advance of sending the notifications to all affected individuals and relevant media channels is the key to a successful outcome. Preparation will allow clear plans of action, proper selection of notification documentation and well-organized archives of the response to meet any audit needs. Proactive HIPAA compliance contributes to speedy recovery and a successful audit after any data breach.
HIPAA conducts periodic audits in order to assure that covered entities remain in compliance with HIPAA Privacy and Security rules. In a 2015 study by the Office of Inspector General (OIG), 26% of the entities that implemented corrective measures did not document them correctly. When you’re ready to prepare, visit the PrognoCIS HIPAA Compliance page. Once your practice is HIPAA compliant, you can rest assured that you’ll be able to meet the challenge of an audit in any situation.