Despite changes to the Health Insurance Portability and Accountability Act (HIPAA) that dramatically affect the risk profile of medical practices, many have yet to establish a full arsenal of defenses against data breaches. The simple fact is that failure to update your protections can multiply your vulnerabilities and fines if a breach occurs.
The penalties for a HIPAA violation are real and substantial. For example, a five-physician practice in Phoenix, Arizona, was fined $100,000 for failing to meet HIPAA’s privacy and security requirements. In other cases, fines have been assessed for the loss of thumb drives and laptops containing patient information as well as for poor compliance plans and training.
HIPAA privacy rules established standards for the handling and use of patient information, known as Protected Health Information (PHI). Prior to HIPAA, patient information was regulated by a diverse patchwork of thousands of state and federal laws. HIPAA’s standards enabled the exchange of information among healthcare organizations that assure provenance and integrity of PHI as well as appropriate authorization to share information among practices and/or healthcare organizations.
Unfortunately, many practices lack a comprehensive HIPAA security and privacy compliance program.
Although HIPAA compliance can be tailored to the complexity and size of your practice, the use of supposed shortcuts can dramatically increase the risk of problems and penalties. Using boilerplate materials from the Internet that have never been customized for the practice, performing training years ago but never again and not having designated staff members responsible for HIPAA compliance are common failures among smaller practices.
Compliance problems are not limited to small practices. Some larger practices assume that information technology (IT) staff members enforce HIPAA when in fact the IT team knows little about clinical operations or procedures to support HIPAA standards.
Small and not-so-small practices are exposed to HIPAA penalties as well as the embarrassment of inappropriate use of patient information. HIPAA problems and compliance issues can even place your electronic health records (EHR) Incentive payments at risk.
HIPAA problems can affect every aspect of your practice. For example:
- Failure to maintain the integrity of your office notes could result in unsubstantiated billings and refunds from your practice to payers.
- In the event of a claim of medical professional liability, poor compliance with HIPAA privacy and/or security could severely undermine your defense against claims.
- Insurance auditors, quality reviews and other reviews of you patient records will depend on practice efforts to protect the integrity of patient information.
- In the worst cases, you patient and service documentation may be misleading and/or dismissed due to HIPAA problems and violations.
HIPAA is not optional or a luxury. In order to meet your HIPAA responsibilities, we will review some key strategies to decrease your HIPAA-related risk.
Supporting HIPAA security and privacy is a key requirement for virtually every practice. Practices make a variety of direct and implied representations that HIPAA privacy and security compliance is in place to other practices, payers and a wide range of related parties. In the event of a problem, the lack of appropriate compliance strategies and processes will expose the practice to a greater level of embarrassment and penalties.
By making HIPAA compliance part of your operational and patient service strategy, you will operate as a more reliable and effective organization while meeting the HIPAA requirements.