The government is now coming after small practices that violate HIPAA. Here are ten do's and don'ts to help you up your game.
Complying with HIPAA is more critical - and more complicated - than ever. The government is ramping up its efforts to crack down on violations, and small- to medium-sized practices are no exception.
In April 2012, a five-physician cardiac surgery practice in Arizona became the first small practice to pay a significant HIPAA-related penalty to HHS - to the tune of $100,000. The investigation stemmed from a complaint that the practice posted surgery and appointment schedules on a publicly accessible Internet-based calendar. The department's Office of Civil Rights (OCR) found that the practice had implemented few policies and procedures to comply with HIPAA, and had limited safeguards in place to protect patients' electronic protected health information.
This case is "a wakeup call for smaller practices that they can get on the [government's] radar screen," says Elizabeth Warren, a Nashville-based health law attorney at Bass, Berry & Sims. "Certainly [OCR] could have looked at the situation this group had and just advised them on how to fix it, but they did choose to impose a penalty and the resolution agreement and kind of put them publicly out there," Warren says. " ... It definitely seems to point to, if you're not doing anything or not doing much of anything [to comply], you may trigger an enforcement action even if you're small."
The HITECH Act, which was part of the American Recovery and Reinvestment Act of 2009, enhanced privacy and security enforcement provisions and increased penalties. It also required HHS to provide for periodic audits to ensure covered entities are complying with HIPAA.
To help ensure you are prepared for whatever HIPAA-related issues may be heading your way, here's what experts say your practice should be doing - and what it should definitely not be doing - when it comes to the privacy and security rules.
1. Do polish your policies. To ensure you are ready if an auditor comes knocking, critically assess your policies and procedures and update them if necessary, says Ericka Adler, a health law attorney at Kamensky Rubinstein Hochman & Delott, LLP, based in Lincolnwood, Ill. "I think one of the most important things is that a lot of practices did what they were supposed to do [when the laws first came out] in terms of getting their policy together and getting their forms out there, and they haven't talked about HIPAA since," she says, noting that some of the laws have changed and practices need to alter their policies accordingly. In addition, practices must have an active program in terms of training staff on the privacy and security rules, tracking patient record requests, HIPAA violations, etc. "HIPAA needs to be a living breathing part of a practice and not a policy that sits on a shelf so the practice can say they have a policy," says Adler.
Keep in mind that new technology use at your practice or by your staff members, such as e-mail and social media, could lead to privacy and security issues. Make sure your policies account for these changes, says Sharona Hoffman, a professor of law and bioethics at Case Western Reserve University School of Law in Cleveland. "Technology always gives rise to a lot of benefits, but it also creates a lot of risks, and you have to be sensitive to those," she says. "... You have to make sure that security is maintained."
2. Do audit effectiveness. Ensuring all your policies and procedures are updated is a good start, but you must also make certain those policies are working. As Adam Greene, a health law attorney and partner at national business and litigation law firm Davis Wright Tremaine LLP, points out, "A lot of things sound good on paper, but in practice don't actually work." For example, "If your policy that you created back in 2003 was that all protected health information should go in the orange bin, which will then be sent to the shredder, it's worth looking into whether that's actually working - and there's a pretty good chance that it won't be," he says. "It's always better to find that out yourself rather than through a patient complaint, or ... an OCR audit."
Greene, who is based in Washington and formerly served as senior health information technology and privacy specialist at the OCR, suggests creating a timeline to ensure you are continually checking up on procedures. For instance, monitor the effectiveness of a different policy and procedure every month. "If one of your policies is to physically secure protected health information, as it should be, you need to walk around and see. Do people leave it on their desks in unlocked offices at night? Do people have it in cabinets with the key left in the lock? Issues like that," he says. Be sure to document all of those procedure checkups. If a problem does arise, it will be helpful to demonstrate that you took those preventive actions.
3. Do plan for worst-case scenarios. If a security or privacy breach does occur at your practice, it's crucial to handle it quickly and appropriately. "You definitely want to make sure you've got a HIPAA breach policy, which not everybody does …" says Warren. Covered entities must notify individuals affected by a breach within 60 days of its discovery, and the sooner they are notified of a breach the better, she says. "The privacy officer needs the more detailed map of - if this happens, here's what I do, here's what notifications have to go out - but the rank and file don't necessarily need to know all of that detail. They just need to understand things have to be reported quickly, and then I think it's helpful to provide training of concrete examples of things that should be reported." Examples include a stolen or missing laptop or thumb drive, even if staff believes it is encrypted or does not contain personal health information, or mistakenly providing private information to the wrong patient.
4. Do reevaluate and reeducate. It's important to provide HIPAA training to staff as soon as they begin working at your practice. But one initial training session is not sufficient, says Adler. "I recommend to my clients that you make this an annual event because it just fades into the background unless [HIPAA compliance] is something that's repeated to employees all the time," she says. "They just forget about it and they don't even think in certain contexts, 'Oh yeah, HIPAA, I need to remember about that.' There should be a constant education program."
Consider mixing smaller HIPAA training sessions in with other staff gatherings, says Greene. For instance, if you want to train staff members on a specific scenario, such as what to do if a police officer asks for information about a patient, add it to the agenda at a monthly staff meeting. Also, just as you do with your other policies, ensure your training program is continually updated and revised.
5. Do tailor to job function. Keep in mind that while every policy needs to have a staff member trained on it, not every staff member needs to be trained on every policy, says Greene. "Your training should not be focused on making everyone a HIPAA expert," he says. Instead, it should cater to each employee's particular needs. For instance, "The person who's responsible for responding to requests for medical records may need to have different training than the receptionist, although the receptionist still needs to know what to do when someone asks them for a copy of their medical record or billing record - but that training may just be to send them over to this other person," he says.
1. Don't overestimate. Even if you think that you have provided staff members sufficient training, assess their skills periodically. "Don't assume that people understand HIPAA as well as the privacy officer does, and that they are focused on it as much as the privacy officer would be," says Warren. "From a privacy-officer perspective, you just think, 'Well, surely everybody knows this, I talked about this at training,' but often it doesn't sink in as much as you want it to."
One way to increase staff knowledge - and identify problem areas - is by getting creative. For instance, create HIPAA quizzes, send them to staff, and offer prizes for the best scores. "Ask questions that if you understand the policies, you would know the answers; if you don't, you might not," she says, noting that some questions could be as simple as, "Who is our privacy officer?" and some could be as complicated as, "What should we do if a patient requests to amend his records?" The quizzes will keep staff members informed; the responses will inform you of areas in which retraining is necessary.
2. Don't get lax. If despite sufficient training your staff members fail to comply with your practice's policies and procedures, a lack of discipline may be to blame. "Discipline really gets people paying attention," says Adler, noting that practices must make it clear what consequences staff will face for HIPAA violations, such as leaving a file out in the exam room. "People need to know whether it's a warning in their files, or it's a reprimand, or it's termination because time after time they're not compliant," she says. "You can't just say, 'Oh don't do that anymore.' I mean, you really formally need to take action."
3. Don't overlook problem areas. While practices come in all shapes and sizes, feedback from the OCR following the first 20 audits during the HIPAA Audit Program indicates that they share some common problem areas when it comes to compliance. "... What we saw was security was a bigger issue than privacy," says Greene. More specifically, issues like user-access monitoring (i.e., knowing who was accessing what records) and contingency planning (i.e., having a data backup plan) were trouble spots.
Also, pay close attention to the risk analysis requirements of the security rule, says Warren. In other words, conduct a thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information in your practice. "So many breaches that can result in enforcement actions are security related and in my experience OCR will ask for ... the most recent copy of your risk analysis," she says. "It's really awkward when you're kind of cobbling together, well, here's a memo someone did that kind of, sort of resembles one."
4. Don't try to do it all. The security rule is so complicated that hiring a compliance consultant is a must, says Hoffman. "Every practice should really be working with an expert that can provide advice as to what steps need to be taken," she says. "Some of these are mandatory. Some are not as mandatory and they have to do with training programs with the work force, with securing the physical environment, and with all kinds of other steps such as encryption, password authorization - there are just a whole lot of rules." In fact, if you have the means, Hoffman suggests finding a consultant who can assist you in all aspects of HIPAA compliance. "You really do need to work with an expert who can provide advice about your own practice," she says.
5. Don't get caught unaware. Stay updated regarding HIPAA by monitoring any relevant cases that arise and following any related news coverage, says Adler. And when relevant news comes out, share it with staff members to keep HIPAA at the forefront of their minds. "I ... like to see the kinds of things that are getting practices investigated to make sure those aren't things that we are doing in our practices," she says. "There's also lots of discussions in the news about how people get in trouble, which is really interesting, what kind of people are complaining, what are they complaining about."
Big HIPAA don'ts
Don't let these more obvious mistakes create big problems for your practice:
• Asking patients to sign a communal sign-in sheet;
• Discussing patients in public areas or with friends and family;
• Sharing passwords or making them easily identifiable;
• Failing to log off computers;
• Leaving patient files easily accessible;
• Posting patient information online without ensuring it is de-identified; and
• Looking up a patient's medical record without a valid reason.
The HIPAA audit program
The HIPAA audit program began with a pilot held between November 2011 and December 2012. It's expected that the pilot will continue as a full-scale audit program, retaining many of its original features. In the pilot, audited entities received a notification letter from HHS, and instructions to send documentation of their HIPAA compliance to a designated auditor within 10 days. They also underwent site visits that lasted up to 10 days.
While undergoing an audit may be a cumbersome process, as long as auditors don't find that you've "egregiously" failed to comply with HIPAA, it's likely that you will not face penalties, says Elizabeth Warren, a Nashville-based health law attorney. "Although you obviously can't predict what the government will do, they've definitely focused on using the audits as an educational tool, a way of finding best practices and to improve compliance and not a gotcha type thing," she says. "... I think it would be something you'd want to be prepared for, but we also don't need to panic about it either."
For more information on the HIPAA audit program, visit http://bit.ly/HIPAA-Program.
Small practices are facing more scrutiny regarding HIPAA policies, procedures, and documentation. Here's how to deal:
• Assess your policies and procedures and update them if necessary;
• Monitor your procedures to ensure they are working;
• Ensure your staff knows what constitutes a breach and how to handle it;
• Train and retrain staff on HIPAA compliance;
• Assess how well your staff is retaining HIPAA knowledge;
• Institute disciplinary standards for potential violations;
• Pay close attention to the security rule; and
• Stay current regarding HIPAA developments.
Aubrey Westgate is an associate editor at Physicians Practice. She can be reached at firstname.lastname@example.org.
This article originally appeared in the March 2013 issue of Physicians Practice.