BreachExchange mailing list archives

Small practices grapple with HIPAA compliance rules
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 28 May 2015 20:01:16 -0600

http://www.chiroeco.com/small-practices-grapple-with-hipaa-compliance-rules/71803/

A recent survey on HIPAA compliance conducted by NueMD, Porter Research,
and the Daniel Brown Law Group uncovered several issues with compliance in
medical practices.

Across the board, numbers relating to compliance or confidence in
compliance were too low for comfort, especially within smaller operations.
If your practice is struggling to keep up, there are a few easy first steps
you can take to button up your compliance program.

HIPAA is more important than ever

You might have noticed a recent uptick in coverage on data breaches within
healthcare. While a lot of news emphasizes hospitals and larger
organizations, small covered entities are just as liable. And
unfortunately, small practices usually don’t have a ton of cash to pay a
fine (which can range from $100 to $50,000 per violation, with an annual
cap of $1.5 million).

To drive its point home, the Office for Civil Rights is about to embark on
their second round of HIPAA audits. At this year’s HIMSS Privacy and
Security Forum, Linda Sanches, who heads the audit program, said, “We’ll be
looking for periodic risk analysis and evidence of compliance, as well as
documentation of policies and procedures being in place.”

With regard to these policies and procedures, you need to have a plan. Your
plan should address all facets of your compliance program, including
information flow, training procedures, HIPAA officers, breach
notifications, and business associate agreements with outside vendors that
access your patients’ protected health information (PHI).

One troubling stat from the survey is that only 58 percent of respondents
at practices said they have a plan. Below are a few key components of a
solid compliance plan:

HIPAA training

Train everybody at your practice with no exceptions. The survey called
attention to several cases in which staff and providers weren’t on the same
page as management and owners.

The solution is to periodically train your employees and make sure new
staff members receive training during the onboarding process. And don’t
forget to have proof—auditors will be looking for it.

Security and privacy officers

These officers are employees who make sure your practice stays in line with
HIPAA standards. To get a better feel for their responsibilities, review
these two sample job descriptions for Security Officers and Privacy
Officers.

Breach notification policies

In the case of a security breach, your practice could be required to take
specific action to resolve the issue. A breach could be triggered by
occurrences such as the theft of a mobile device containing PHI or
unauthorized disclosure of PHI.

“If there are less than 500 individuals involved, the organization must
provide written notice to each of those individuals,” said healthcare
lawyer Dan Brown. “If more than 500 individuals are affected, the
organization has an obligation to notify the press about the breach, as
well as the Department of Health and Human Services.”

The survey also indicated that only 45 percent of respondents from
practices said they have a formal policy for PHI breach notifications.
Auditors won’t be very happy with the other 55 percent.

Business associate agreements

Covered entities are responsible for creating contracts with their business
associates to ensure the proper usage of PHI. This sample business
associate agreement from HHS.gov states:

“A ‘business associate’ is a person or entity, other than a member of the
workforce of a covered entity, who performs functions or activities on
behalf of, or provides certain services to, a covered entity that involve
access by the business associate to protected health information.”

For small practices, this could mean medical billing companies, software
vendors, or other outside consultants.

At the HIMSS Privacy and Security Forum, Linda Sanches urged covered
entities to create a complete list of all of their business associates.

Electronics and mobile devices

Considering the speed at which technology is moving forward, HIPAA
implications get a little fuzzy. In many cases, it’s not as easy as saying,
“this device is compliant” or not. One thing practices can do easily is
catalog all electronic devices that could contain PHI, keep track of where
they are and what they contain, and keep the list up to date.

Determining whether electronic devices and communication are compliant will
require an in-depth review of how PHI is stored and transferred. Periodic
risk analyses will help you find weak points in your flow of PHI and
address problems before a breach occurs.

With a risk analysis, the idea is to identify all pathways that PHI can
take, whether electronically, on paper, or via outside business associates,
and make sure you don’t have any gaps. Proof of risk analyses tells auditors
you’re taking compliance seriously. Unfortunately, only 33 percent of
respondents from practices reported that they’ve conducted one.

Next steps

The above tips are a good starting point, but achieving compliance is a big
commitment and will require time. To accompany this information, check out
this helpful webinar series on HIPAA compliance that offers further insight.

Beyond freely available information on the web, practitioners should
contract with healthcare lawyers or HIPAA experts to ensure program
compliance. For those with a tight budget, many consultants are open to a
“team approach” that will help make the most of internal resources.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss