As a medical or health care provider, one of the most important (and often worrisome) aspects to doing business is regulatory compliance to protect the civil rights of patients. Federal, state, and local agencies are constantly formulating and implementing new rules that not only affect the way you run your practice day to day but can result in severe financial consequences if you’re found to be in non-compliance. Here, well focus on the Health Insurance Portability and Accountability Act (HIPAA), one of the most important regulatory frameworks you’ll need to focus your compliance efforts on.
HIPAA requirements apply to different practices in different ways, and without the right knowledge and approach, its easy to succumb to common pitfalls as it relates to protecting patients Personal Health Information (PHI). According to the Department of Health and Human Services (HHS), the federal agency that administers HIPAA, violations were found in 69 percent of compliance issues HHS investigated.
These statistics point to the simple fact that many medical providers and covered entities simply aren’t adequately prepared for HIPAA compliance. Which begs the question, do you know what it takes to have all your HIPAA compliance bases covered for 2018 and beyond?
Read on to learn about some of the most critical do’s and don’ts of HIPAA regulations, and how you can put yourself in the best position possible as you prepare to comply with the necessary HIPAA requirements.
Do: Conduct a Thorough Risk Analysis
Any cyber security solutions expert who specializes in HIPAA compliance solutions worth their salt will tell you that a risk assessment analysis is a cornerstone to meeting HIPAA requirements and is imperative to making sure that you can comply with HIPAA. Some of the largest HIPAA penalties doled out have been for failure to conduct a thorough risk assessment, such as the recent $5.5 million fine against the Advocate Health Network for failure to protect against risks that it should have recognized. That’s because violations related to inadequate risk assessments fall under the most severe Willful Neglect tier of penalties. The bottom line is that every organization that creates, receives, maintains, or transmits PHI has to conduct an accurate and thorough HIPAA risk assessment in order to comply with 164.308 of the HIPAA Security Rule.
An adequate risk assessment can be complex and time-consuming and is best done in conjunction with a compliance partner. First, take a look at your assets and potential threats. What kinds of PHI do you handle, and who might want to get their hands on your patients confidential data? Next, work to assess your potential vulnerabilities. These can be either physical or digital, from access to file cabinets to systems that could potentially be hacked. Then look at what controls you have on those systems. Who has access to PHI, and are strong authentication controls in place? Finally, analyze the likelihood of impact, focusing on the most significant threats to your PHI.
Don’t: Ignore Social Media Usage
Odds are, most (if not all) of your staff or employees are active on social media in some way, shape or form. The way people use social media is at the opposite end of the spectrum with regards to HIPAAs primary objectives. While social media encourages cavalier sharing of data on a constant basis, HIPAA regulations strives to keep PHI as confidential as possible. However, conflict tends to arise as healthcare organizations increasingly rely on social media to communicate with patients or market their services.
Also Read: Top 5 Components of HIPAA Privacy Rule
The problem is, many covered entities fail to include social media usage in their HIPAA compliance plans. They fail to recognize that HIPAA violations can easily occur via social media communications if theyre not conducted in the right way, as HIPAAs standards are different for social media than for other forms of electronic communications such as e-mail. Unfortunately, these violations can occur even if providers and entities act in good faith. If a patient requests PHI to be sent to them via Facebook Messenger, for example, providers can violate HIPAA by complying with the request. The solution for many providers is to appoint only one individual who is authorized to use social media communication with patients, and have that person trained in-detail by a compliance partner.
Do: Perform Regular Self-Audits
Its one thing to have policies and procedures in place that are designed to ensure a health care provider is in compliance with HIPAA requirements. Its quite another to guarantee that those practices are being followed on a day-in, day-out basis by everyone in your facility. Thats why periodic self-audits are recommended by the National Institute of Standards and Technology (NIST) as one of the most effective HIPAA compliance tools. Self audits normally focus on HIPAA Security Rule compliance, which covers technical, administrative, and physical safeguards as it relates to PHI. Audits can also encompass issues within the Privacy Rule as it relates to areas like patient communication.
For example, you may hire a cybersecurity partner to act as if they were a hacker trying to infiltrate your database and procure PHI. You might also periodically review your physical storage measures, like the security of your administrative staffs physical files. The main goal is to ensure all PHI is accessible only to authorized parties. As you work with your compliance partner to ensure you’ve met the relevant HIPAA requirements, you should also work to develop a continual self-audit plan to address each and every rule on an annual basis (at the very least). Self-audits wont just help you sleep better at night, they’ll clue you in as to which areas might need to be addressed future compliance training.
Don’t: Forget Your Business Associates
While its easy to focus on internal issues that relate to HIPAA compliance, one mistake that occurs all too often is a failure to ensure all third-party vendors, contractors, and business associates (BA) are handling PHI in the appropriate manner. Third party HIPAA compliance is a result of the 2013 HIPAA Omnibus Rule, and covered entities should work with vendors to ensure that PHI is secured. If a hospital works with a cloud data storage provider, for example, the technology vendor must have safeguards in place per the Security Rule as if they were a covered entity themselves.
It is important to note that in most cases, the vendor or BA will be responsible for fines, violations, or penalties that occur in their facilities or databases. However, that doesnt eliminate the potential threat of third-party access to PHI. In other words, if your database is connected to a software vendors, there is the potential for a hacker to slip into your system through a third-party back door. In fact, one provider in New Jersey was recently fined over $400,000 due to the lax data security practices of a technology vendor. The lesson is, dont just assume your partners are handling PHI as carefully as they should, but work with them on a continual basis to make sure youre both in compliance alignment.
Do: Have a Training Plan
One thing that covered entities simply cant ignore is HIPAA training requirements. Both the HIPAA Privacy Rule and the HIPAA Security Rule have training requirements, 45 CFR 164.530(b)(1) and 45 CFR 164.308(a)(5) respectively. In short, HIPAA requirements mandate that both covered entities and BAs provide regular training to any members of their workforce who handle PHI. While HIPAA doesnt specify the length and topics that need to be covered in trainings, the Privacy Rule states that trainings must be as necessary and appropriate for members of the workforce to carry out their functions.
These necessary functions will vary, as nurses and doctors will handle PHI differently than administrative staff. Which is precisely why you need to have a training plan for each role within your practice, focusing on the relevant and necessary topics to that individual. All too often, entities approach HIPAA training with a one size fits all approach, bombarding people with too much unnecessary information in only one or two training sessions. Your staff will retain much more information, and apply the principles much more effectively, if your training plan is targeted and conducted in small chunks over time.
Don’t: Approach Online Reviews Lightly
With the rise of sites and platforms like Yelp! And Facebook for Business, medical professionals are now also subject to online reviews, feedback, and (unfortunately) complaints. What many covered entities fail to realize is that HIPAA violations can, and do, occur as practices strive to better manage their online reputations on these review sites. When leaving an online review, patients may even willingly (and unwittingly) provide PHI. Covered entities need to be extremely careful in how they respond to such reviews, as these communications are indeed covered by the HIPAA Privacy Rule.
Covered entities should work with their compliance partner and internal privacy officer to develop a strict policy for responding to online reviews, and especially those which contain PHI. But there are a few best practices that should be adhered to. First, never acknowledge or repeat PHI in a response to an online review. By the same token, you shouldn’t delete or alter the patients review containing the PHI. You want to, in effect, quarantine yourself from that specific review as much as possible. If there is an issue where you need to follow up with the patient to discuss his or her PHI, make sure to take the conversation offline, and communicate in a HIPAA-compliant fashion that you can document in the event of an HHS investigation or audit.
Do: Have a Contingency Plan
Healthcare organizations and covered entities must ensure they have a current HIPAA contingency plan in place to prepare for all types of adverse events that could affect PHI. This could be anything from a physical burglary to a natural disaster or cybersecurity attack. Your contingency plan will depend mostly on your risk assessment and analysis, and address the most salient threats to your PHI. Make sure your contingency plan establishes specific guidelines and procedures to follow, including things like systems and data recovery.
Your plan should outline how youll maintain operation of your critical systems, and minimize loss or damage. Also clearly define time periods in which youll address certain issues, such as processes for the first hour, day, and week following an event. Know under which circumstances the contingency plan would be activated, and train all staff members so they know their specific roles in the response process process. And since all employees need to understand the plan and be able to react on a moments notice, keep the language plain and concise.
Don’t: Tackle Compliance Single Handedly
One of the biggest mistakes that covered entities make in tackling HIPAA requirements is thinking they can go it alone. This is especially true for smaller practices, who might think that they’re only affected by a few aspects of HIPAA. While working with an expert or partner might seem like a sunk cost in the short run, its far outweighed by the potential fines and penalties that can be incurred by any number of violations. Compliance partners are able to (among other things) develop a comprehensive risk assessment, develop the most effective training plan, and identify potential cyber vulnerabilities.
At the very least, providers should enlist a compliance partner at the beginning stages of the preparation for HIPAA compliance. After laying a solid foundation, it may only be necessary to engage with a HIPAA compliance solution partner on an annual or ad hoc basis, but you’ll be provided with a solid framework in how you’ll implement policies and practices that will ensure compliance with the Privacy, Security, and Breach Notification rules.
So, no matter what stage of the HIPAA compliance journey you’re in, be sure to take these dos and don’ts into account as you progress. Work with your partner to develop a comprehensive risk assessment, and don’t ignore things like social media usage and review sites as it relates to potential PHI misuse. Have a plan for ongoing training, and don’t forget to engage with any third party BAs and vendors to guarantee that everyone is on the same page. It goes without saying that HIPAA compliance is a team effort, and getting both internal and external stakeholders pulling in the same direction is the best way to avoid that dreaded, unexpected phone call or letter from HHS about a potential violation.