If your business involves health care, or services to health care providers, you may not be sure if you could pass a HIPAA audit. On May 7, 2014, the US Department of Health & Human Services (HHS) announced that it had levied a fine of $4.8 million against Columbia University and New York and Presbyterian Hospital.
The reason? Thousands of patients’ records had become accessible over the Internet, resulting in a breach of the privacy and security rules in the Health Insurance Portability and Accountability Act (HIPAA).
When the penalty amount was announced in the Wall Street Journal, I expected it to send health care practitioners running back to their offices to see what vulnerabilities they could detect. After all, HIPAA’s rules apply to all “Covered Entities” (i.e. any health care provider, whether a solo practice or a giant hospital system) and all “Business Associates” (i.e. any service provider, such as a billing company or lab). Everyone who provides health-related services is required to protect “Personal Health Information” (PHI) from unauthorized use or disclosure. PHI is any health-related information that can be linked to an individual.
And yet, 18 years after enactment, it’s evident that the breadth of HIPAA’s requirements remains a mystery to many practitioners. Why? One reason is the lack of guidance. Proposed regulations weren’t released until seven years after HIPAA was enacted, and they weren’t finalized until 10 years later! Paper files are still left on open shelves, and computer screens continue to blink data to all who exit the waiting room. It’s not difficult to see why this is still happening — practitioners who are expected to do more in less time have little energy left for a records policy overhaul. But this is exactly what they’re being required to do, and HHS has the authority to assess huge penalties, and even criminal sanctions, as motivation for compliance.
In 2011 and 2012, the Office for Civil Rights conducted a pilot audit program to assess weaknesses in compliance. They looked at 115 covered entities, of which only 13 passed with no issues. Of the 980 findings of non-compliance, 30 percent were due to complete ignorance of the law’s requirements. Most of those had no privacy policies or procedures in place for handling health data. They’d assigned no one in the office to find out what they were supposed to be doing, or to be responsible for assessing vulnerability. They didn’t know how to tell or what to do if they’d had a breach of privacy or security (PHI was disclosed or used by an unauthorized person).
In 2014, a permanent audit initiative began – 800 covered entities and 400 business associates were targeted. The initial audit looked for the following:
- The designation of a Privacy Officer
- Knowledge by the staff of the privacy rule for disclosures
- Written policies for HIPAA compliance
- Written Business Associate Agreements stating the service provider will protect PHI
- Evidence that a risk analysis was conducted and remediation undertaken
- Security for electronic medical records, including encryption of laptops and other mobile devices, and implementation of password and firewall technology
The Office for Civil Rights has announced that the full audit will dig into problems with data breaches and security. HIPAA is a complex law with many layers, but small steps can be taken toward full compliance:
- Require strong passwords be created and changed frequently
- Prohibit sharing access information
- Turn workstation screens in offices and examination rooms away from the public eye
- Implement procedures for reporting suspicious activities
- Install encryption programs on laptops and mobile devices
Most importantly, training can simplify the rules and make them useful, even in a busy medical practice.
Claudia Allen works with Covered Entities and Business Associates to help answer questions about HIPAA compliance. If you’re interested in a compliance audit or in-house training, or you need HIPAA compliance forms, Claudia can be reached at email@example.com or 513.629.9462.