HIPAA Compliance


Will you be prepared when the Office of Civil Rights calls YOU?

By Kelly Grahovac,* Senior Consultant

As we round out the first quarter of 2018, there is no better time to ensure your practice is compliant, especially where the Health Insurance Portability and Accountability Act (HIPAA) rules and regulations are concerned. With more than 3500 paragraphs, the HIPAA and Health Information Technology for Economic and Clinical Health (HITECH) Act regulations can get complicated. Here are some pointers to help you get started.

First, know where you need to be compliant. Generally, when you hear about HIPAA, the discussion is associated with a hospital or a medical group that had a breach or HIPAA violation. What most people don’t know is that HIPAA applies to organizations outside of hospitals and health networks. So who exactly needs to be compliant when it comes to HIPAA laws? If you read the federal laws, that answer might seem unclear. The US Department of Health and Human Services (HHS) describes those who must be compliant as “covered entities.” Let’s dig a little deeper and understand what types of organizations are considered to be a covered entity.

Health plans fall under the covered entity title, which includes anyone who deals with insurance or medical information for patients. Examples of these are health maintenance organizations (HMOs), Medicare, and Medicaid, as well as private insurance. Human resource employees/employers and schools who handle patient information when the employees are hired and students are enrolled are also covered entities.

Health care clearinghouses, organizations that collect any patient information from health care entities, are also in the covered entity description. Examples include billing/collection services and health management information systems.

Health care providers are also entities that come to mind when thinking about HIPAA compliance. Some examples of these are physicians, surgeons, dentists, optometrists, hospitals, clinics, nursing homes/care facilities, and pharmacies.

While the entities listed here may seem obvious when it comes to covered entities, one area in which most people are lacking is their business associate agreements. If you are involved with or fall under any of the following examples, you need to ensure that you are in compliance. Some examples of business associates would include data processors, medical equipment companies, consultants, medical transcription services, external accountants and auditors, or any third-party organization dealing with protected health information (PHI). Further, consider anyone who could possibly come into contact with PHI at your facility. This includes a cleaning crew that comes on site after hours and also a shredding company that handles the disposal of your documentation containing PHI.


At the end of the day, anyone who accesses or deals with protected health information should be complying with HIPAA regulations. PHI includes any conversation with medical professionals about a patient’s care or treatments, any patient billing information, and any medical insurance information.

Now that you have a better understanding of who and what is a covered entity, it is important for you to determine your risk. In 2003, the original HIPAA Privacy Rule was issued, and the requirement to have a HIPAA Risk Assessment was put in place. However, many entities have yet to comply with this requirement. In fact, the Office of Civil Rights (OCR) has spent the last two years conducting HIPAA audits, and a copy of your security and risk assessments from the past three years is the first item requested. Would you be able to comply with this request if the OCR audited you today? If that doesn’t frighten you, let’s consider the fines. In 2016, the OCR fined covered entities over $23 million. And in 2017, fines totaled over $19 million for HIPAA violations.

A risk assessment is intended to identify potential risks and vulnerabilities to the availability and integrity of the PHI that an organization creates, maintains, receives, and transmits. Consider the following when conducting your risk assessment:

  1. Identify where your PHI is stored, transmitted, and received.
  2. Identify and document threats and vulnerabilities.
  3. Assess your current security measures.
  4. Determine the likelihood of a threat occurrence.
  5. Determine the potential impact of a threat occurring.
  6. Determine the level of risk.
  7. Identify your security measures and finalize documentation.
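The seven steps above can be kept as a living risk register rather than a one-off document. The following is an added example, not part of the article or of any product it mentions: a small Python register in which each entry records where PHI lives (step 1), the threat and vulnerability (step 2), the safeguards already in place (step 3), a likelihood and impact rating (steps 4 and 5), a derived risk level (step 6), and the planned safeguards that finalize the documentation (step 7). The assets, threats, ratings, and the 1-to-3 scales are all constructed sample data and assumptions, not anything prescribed by HIPAA.

```python
"""Minimal HIPAA-style risk register (constructed example).

Each RiskItem walks the seven assessment steps for one PHI asset. The
ordinal scales and thresholds are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import List

# Step 4 and 5 scales: 1 = low, 2 = medium, 3 = high (assumed scales).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class PhiAsset:
    """Step 1: where PHI is stored, transmitted, or received."""
    name: str
    location: str
    flows: List[str]  # any of "stored", "transmitted", "received"


@dataclass
class RiskItem:
    asset: PhiAsset
    threat: str                      # step 2
    vulnerability: str               # step 2
    current_controls: List[str]      # step 3
    likelihood: str                  # step 4 (key of LIKELIHOOD)
    impact: str                      # step 5 (key of IMPACT)
    planned_controls: List[str] = field(default_factory=list)  # step 7

    def score(self) -> int:
        """Step 6: risk score as likelihood x impact, range 1..9."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def level(self) -> str:
        """Step 6: bucket the score into low / medium / high (assumed cut-offs)."""
        s = self.score()
        if s >= 6:
            return "high"
        if s >= 3:
            return "medium"
        return "low"


def rank_register(items: List[RiskItem]) -> List[RiskItem]:
    """Highest-risk entries first, so remediation effort goes where it matters."""
    return sorted(items, key=lambda r: r.score(), reverse=True)


def items_needing_action(items: List[RiskItem]) -> List[RiskItem]:
    """Medium or high risks with no planned safeguard are gaps in step 7."""
    return [r for r in items if r.level() != "low" and not r.planned_controls]


def render_report(items: List[RiskItem]) -> str:
    """Plain-text documentation of the register, the artifact an auditor asks for."""
    lines = []
    for r in rank_register(items):
        lines.append(
            f"[{r.level().upper():6}] {r.asset.name} ({r.asset.location}; "
            f"{', '.join(r.asset.flows)}) | threat: {r.threat} | "
            f"vuln: {r.vulnerability} | current: {', '.join(r.current_controls) or 'none'}"
            f" | planned: {', '.join(r.planned_controls) or 'NONE'}"
        )
    return "\n".join(lines)


def build_sample_register() -> List[RiskItem]:
    """Constructed sample data for a small practice; not real findings."""
    billing = PhiAsset("billing server", "server closet", ["stored", "transmitted"])
    laptop = PhiAsset("clinician laptop", "mobile", ["stored", "received"])
    paper = PhiAsset("paper intake forms", "front desk bin", ["stored"])
    return [
        RiskItem(billing, "ransomware", "operating system not patched",
                 ["daily backups"], "high", "high", ["monthly patch cycle"]),
        RiskItem(laptop, "lost or stolen device", "disk not encrypted",
                 ["screen lock"], "medium", "high"),
        RiskItem(paper, "improper disposal", "no business associate agreement with shredding vendor",
                 ["locked bin"], "low", "medium"),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    print(render_report(register))
    print("entries still lacking a planned safeguard:",
          [r.asset.name for r in items_needing_action(register)])
```

Re-running the register yearly, with the previous year's file kept alongside, gives exactly the multi-year trail of assessments the article says an auditor requests first.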

By identifying these potential risks, you can work to mitigate the potential for breaches of PHI and prevent fines for your organization. Developing this assessment will help determine just how secure your organization is, and where improvements need to be made. A security and risk assessment should be conducted on an annual basis.

Another area of focus for your HIPAA compliance plan is that of employee training. Most HIPAA breaches are a result of an employee error; therefore, it is important that everyone on staff receive regular and adequate HIPAA training. This training should include the proper handling of PHI, recognizing and reporting suspicious activity and/or any possible violations, what constitutes a violation, and how to protect yourself and the company from breaches. After training has been provided, be sure to document what was covered and which employees participated. When presenting the initiative to the staff, stress the importance of the steps that everyone needs to take. There are many risks involved with not being compliant. If you’re a small entity, a breach can potentially wipe you out after paying the associated penalties and fines. HIPAA compliance, and more specifically, HIPAA training, should be an “all hands on deck” effort, and all staff need to be on the same page when it comes to ensuring compliance is met.

HIPAA compliance is a requirement for all individuals who work with patients’ protected health information. No matter the size of your organization, it is your responsibility to handle PHI in a secure manner. HIPAA compliance should be the shared responsibility of your organization’s compliance officer and security and privacy officers. Several products on the market can assist you with enhancing your current HIPAA compliance program. These products most often include policies and procedures, security and risk assessments, and training capabilities and are a great way to implement assessments into your organization’s processes. With a little research you can find an affordable solution that will ensure your organization is compliant with HIPAA regulations and can easily pass an OCR audit.

Kelly Grahovac

Kelly Grahovac is a senior consultant at Van Helm Group in Atlanta, Georgia. She counsels health care providers as they navigate complex regulatory issues related to Medicare and Medicaid. She can be reached at kelly@vanhalemgroup.com.

* The author has a vested interest in the subject of this article.

Copyright © 2018, Private Practice Section of the American Physical Therapy Association. All Rights Reserved.
