Complying with HIPAA is more critical — and more complicated — than ever. The government is ramping up its efforts to crack down on violations, and small- to medium-sized practices are no exception.
In April 2012, a five-physician cardiac surgery practice in Arizona became the first small practice to pay a significant HIPAA-related penalty to HHS — to the tune of $100,000. The investigation stemmed from a complaint that the practice posted surgery and appointment schedules on a publicly accessible Internet-based calendar. The department's Office of Civil Rights (OCR) found that the practice had implemented few policies and procedures to comply with HIPAA, and had limited safeguards in place to protect patients' electronic protected health information.
This case is "a wakeup call for smaller practices that they can get on the [government's] radar screen," says Elizabeth Warren, a Nashville-based health law attorney at Bass, Berry & Sims. "Certainly [OCR] could have looked at the situation this group had and just advised them on how to fix it, but they did choose to impose a penalty and the resolution agreement and kind of put them publicly out there," Warren says. "... It definitely seems to point to, if you're not doing anything or not doing much of anything [to comply], you may trigger an enforcement action even if you're small."
The HITECH Act, which was part of the American Recovery and Reinvestment Act of 2009, enhanced privacy and security enforcement provisions and increased penalties. It also required HHS to provide for periodic audits to ensure covered entities are complying with HIPAA.
To help ensure you are prepared for whatever HIPAA-related issues may be heading your way, here's what experts say your practice should be doing — and what it should definitely not be doing — when it comes to the privacy and security rules.
1. Do polish your policies. To ensure you are ready if an auditor comes knocking, critically assess your policies and procedures and update them if necessary, says Ericka Adler, a health law attorney at Kamensky Rubinstein Hochman & Delott, LLP, based in Lincolnwood, Ill. "I think one of the most important things is that a lot of practices did what they were supposed to do [when the laws first came out] in terms of getting their policy together and getting their forms out there, and they haven't talked about HIPAA since," she says, noting that some of the laws have changed and practices need to alter their policies accordingly. In addition, practices must have an active program in terms of training staff on the privacy and security rules, tracking patient record requests, HIPAA violations, etc. "HIPAA needs to be a living breathing part of a practice and not a policy that sits on a shelf so the practice can say they have a policy," says Adler.
Keep in mind that new technology use at your practice or by your staff members, such as e-mail and social media, could lead to privacy and security issues. Make sure your policies account for these changes, says Sharona Hoffman, a professor of law and bioethics at Case Western Reserve University School of Law in Cleveland. "Technology always gives rise to a lot of benefits, but it also creates a lot of risks, and you have to be sensitive to those," she says. "... You have to make sure that security is maintained."
2. Do audit effectiveness. Ensuring all your policies and procedures are updated is a good start, but you must also make certain those policies are working. As Adam Greene, a health law attorney and partner at national business and litigation law firm Davis Wright Tremaine LLP, points out, "A lot of things sound good on paper, but in practice don't actually work." For example, "If your policy that you created back in 2003 was that all protected health information should go in the orange bin, which will then be sent to the shredder, it's worth looking into whether that's actually working — and there's a pretty good chance that it won't be," he says. "It's always better to find that out yourself rather than through a patient complaint, or ... an OCR audit."