Despite recent changes to the Health Insurance Portability and Accountability Act (HIPAA) that expose more practices to enforcement risk, many have not yet established proper defenses against data breaches.
The HIPAA Privacy Rule establishes standards for the handling and use of protected health information (PHI). These standards protect the confidentiality and integrity of PHI and govern when it may be shared between practices and other healthcare organizations.
Unfortunately, many practices do not yet have a complete HIPAA security and privacy compliance program. Supporting HIPAA security and privacy is a necessity for virtually every practice, and making compliance part of the practice's strategy improves operations by making the organization both more reliable and more effective.
HIPAA in the Practice
In some practices, the Notice of Privacy Practices (NPP) is years old or was copied from another practice. Like other HIPAA compliance documents, the NPP should be customized to the practice that uses it. Any NPP created before 2013 predates the Omnibus Rule and needs to be updated. Adding an EHR to the practice, changing procedures, or using new service plans may also call for an updated NPP.
HIPAA requires that practices maintain all documentation of the policies and procedures used to comply with its requirements. A practice should customize these policies and procedures to reflect its own strengths and weaknesses; they will vary with the practice's services, operations, and technical environment.
HIPAA also requires a privacy officer to oversee privacy compliance and a security officer to oversee security compliance. In smaller practices, one individual may hold both roles. These officers are responsible for keeping documentation current, for training, for ongoing compliance, and for handling any HIPAA incidents that arise. They need to be well trained and closely involved in developing the practice's compliance program, and they must adapt the program as the practice evolves and the healthcare industry changes.
Staff and doctors must receive training on practice-specific issues when they are hired and complete refresher training periodically. Using web meeting services and similar tools, a practice can record a training session to document that the training requirement was met. Note, however, that generic HIPAA training available on the Internet may not address the practice's specific problems.
Dealing with a breach
A HIPAA breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of that PHI. Since 2013, an impermissible use or disclosure is presumed to be a breach unless the practice can demonstrate, through a documented risk assessment, a low probability that the PHI was compromised. How a practice handles impermissible uses and disclosures therefore bears directly on whether an incident is treated as a reportable breach, and it reflects on the practice's overall compliance posture. Any review of HIPAA compliance may examine the practice's handling of impermissible uses and disclosures alongside its policies and procedures, training records, and risk assessments. If documentation is poor, outdated, or fails to acknowledge known breaches, the practice could face greater financial penalties.
Meeting security standards
One of the more challenging problems for many practices is meeting the HIPAA Security Rule requirements. To do so, a practice must perform and document a security risk analysis (45 CFR 164.308(a)(1)(ii)(A)). This analysis is also a Meaningful Use requirement.
Some practices assume that using an EHR alone fulfills the requirement; it does not. Failure to perform an adequate risk analysis can result in having to return Meaningful Use incentive payments or in HIPAA financial penalties. HealthIT.gov offers a Security Risk Assessment (SRA) tool that practices may want to consider. Practices should tailor the tool's questions and findings to the specifics of their own organization.
Failure to comply with HIPAA standards and procedures can ultimately result in HIPAA violations and financial penalties.