Now that the holidays and office parties are over, is it time to concentrate on HIPAA compliance? As I said at this time last year, making sure your office or practice is doing everything necessary to become or remain HIPAA compliant is probably not at the top of anybody’s New Year’s resolution list.
Let’s consider two scenarios on the compliance spectrum. There are practices that are probably not nearly as far along in meeting their regulatory requirements as they would like to be, and others that feel a good effort has been made to be compliant. Determining all the technical, administrative and physical safeguards that must be in place can be a daunting task.
As the threat to protected health information grows steadily every year, the Office for Civil Rights (OCR), the U.S. Department of Health and Human Services agency responsible for HIPAA compliance, has made it clear that stepped-up enforcement is on its agenda. OCR plans to kick off its new random audit program soon. (The program was originally scheduled to begin last fall, but technical issues delayed the launch.) The audit program targets healthcare providers and business associates of all sizes and will focus on high-risk areas of compliance such as risk assessments and risk management plans. The risk management plan, which serves as the overall policies and procedures manual, is the backbone of a robust compliance program.
Let me address both of the scenarios I described and outline the actions necessary in each case.
For those practices that think they are well positioned when it comes to HIPAA compliance and feel they could take on an OCR audit, the first thing that needs to be done is an internal document review. The goal of this review is to determine if all required areas of the HIPAA Security Rule are being properly addressed by policy and procedure. You must make sure all implementation objectives are covered in a HIPAA Risk Management Plan. The plan must be the foundation for your compliance program. Documentation is key.
Some of the key areas to look at within your plan:
- HIPAA Risk Assessment – this should have been completed or updated within the last twelve months.
- Breach Notification Policy – make sure the entire workforce knows what to do if a breach does occur.
- Audit Policy – a method must be set up to regularly review who on your workforce is accessing patient electronic health records. This is a vital integrity check that must be done.
- Device Management – there must be a tracking procedure in place to account for all mobile devices, laptops, removable media and workstations on a regular basis.
- Sanction Policy – your workforce must know what the disciplinary actions are for not following the rules and procedures to safeguard protected health information.
The other, more painful position that healthcare providers may find themselves in is that they have done little to meet the compliance regulations. It may be a time management issue, or simply not having a solid understanding of what is required. Unfortunately, during an audit or a compliance review OCR does not view either as an acceptable excuse for not being compliant.
In these cases, my advice is simple: just start the process. Take some time to understand what is required. Please download my free white papers titled “The Basics of the HIPAA Security Rule” and “Simplifying HIPAA Compliance.” Both papers provide a great deal of information about what is required. Then gather the documents needed to start the process. There is plenty of freely available material online. It may be time consuming to find, but the material is out there. You can start with the OCR website and the agency’s information on health information privacy rights.
2015 is going to be a year of increased emphasis on HIPAA compliance, and your practice must be ready to meet this challenge. Maybe it is time to make that New Year’s resolution a reality.