If HIPAA were a child, it would be going into its senior year of high school! Even though it has been part of healthcare for over 17 years, many providers think compliance only means having a Notice of Privacy Practices (NOPP) posted and having patients sign a HIPAA acknowledgment.
The root of HIPAA is access to, and protection of, Protected Health Information (PHI). Unfortunately, most providers have only been doing the "minimum" to get by, on the assumption that no one really looks at HIPAA. That assumption is no longer true, and this kind of thinking can set you up for a far-from-"minimum" fine later on. In this blog we will discuss why having a HIPAA compliance program is important, things you can do to get started, examples of others who thought they did not need all their HIPAA items in place and the trouble they got into, and some solutions to help you calm down and not stress out.
There are many parts of the HIPAA law that healthcare facilities need to be following. For example, because HIPAA extends to entities outside of primary healthcare providers, you need to ask, "Who am I granting access to my patients' PHI?" We are not just talking about the caregivers and family of your patients, but also the employees in your facility, law enforcement, attorneys, and especially your Business Associates. Knowing what the rules are and having detailed written Policies & Procedures is how you make sure that you and your staff are following the law. Having up-to-date, signed Business Associate Agreements with 1099 contractors and vendors adds a layer of protection and a shared understanding of what each party will do, and be responsible for, in handling PHI and in the event of a breach.
Do you know how to handle an incident such as a patient getting the wrong medication, a hacker getting into your software, a jump (thumb) drive getting lost, or a robbery in which your server is stolen?
During an OCR on-site inspection, the investigators ask the first person they meet in your facility for four documents. May I see your:
- Notice of Privacy Practices
- Risk Analysis
- Risk Management Plan
- Disaster Recovery Plan
Do you have these documents? They are part of your annual training requirement.
Have you updated your Disaster Recovery Plan lately? In 2018 we have seen out-of-control wildfires, flooding, volcanic activity, and unprecedented snowfalls. These plans outline what will be done to protect files and to keep serving your patients when Mother Nature turns against you, or when a fire, a burglary, or another accident renders your facility inoperable.
You may be thinking there is too much to do, too little time in the day, and that the chances of getting caught are slim. I will agree with the first two points. However, we have seen, time after time, small practices and large entities alike hit with fines for failing to have updated Business Associate Agreements, for not notifying patients after a breach, for having a large breach, or for misuse of PHI. The moral of the story: you need to have some type of HIPAA program in place. OCR has assessed almost $80 million in fines for just 55 cases of HIPAA Privacy Rule violations (according to data on the HHS website).
Some examples are:
- New England Health System agreed to pay $400,000 and write a corrective action plan after a federal investigation found it lacked an up-to-date Business Associate Agreement between it and one of its hospitals. (Reference: Modern Healthcare, September 26, 2016)
- Lincare Inc., a respiratory, infusion therapy and medical equipment company, was fined $239,800 after an employee allowed her spouse to view the PHI of 278 patients; the company had not implemented policies or procedures to safeguard that PHI. (Reference: HHS press release, February 6, 2016)
- CHCS, a management and information technology service business that works with skilled nursing facilities, had a mobile device stolen, exposing the information of over 400 patients. It was fined $650,000 and must complete a corrective action plan. (Reference: OCR, June 29, 2016)
While the five largest fines since 2008 have been levied on large entities, we can still learn from their omissions and failures. If you share PHI with an entity and do not have a BAA in place, you can be held liable when that entity has a breach, and you may be looking at fines in the millions of dollars.
- Memorial Healthcare System in Hollywood, FL, paid $5.5 million in 2017 to settle allegations that employees inappropriately disclosed 115,143 individuals' data to affiliated physician office staff.
- Advocate Health Care Network agreed to pay $5.5 million in 2016 after an investigation showed it had failed to protect patient data, which led to the loss of 4 million patients' information in 2013.
- Presbyterian Hospital and Columbia University, both based in New York City, paid a total of $4.8 million in 2014 to settle a 2010 data breach related to their shared data network.
- In June 2018, the University of Texas MD Anderson Cancer Center in Houston was ordered to pay $4.3 million in civil penalties for HIPAA violations related to the organization's encryption policies.
- Cignet Health, based in Temple Hills, MD, paid $4.3 million in 2011 to settle claims that it violated 41 patients' rights by denying them access to their medical records.
(Reference: Becker's Health IT & CIO Report, August 14, 2018)
So if you are fretting and nervous, don't worry. You do not have to read, interpret and write your own program. The R.J. Hedges Associates HIPAA Program can be customized for your facility. Once it is prepared, you will even have a Project Manager to help you implement it and answer the questions that are bound to pop up. Rest assured, this HIPAA Program is also designed for your abnormal days: you have had a robbery, the police are requesting information, an estranged parent is requesting information about their child, an adult child is requesting information on behalf of their elderly parent or, heaven forbid, you have had a breach.
Our HIPAA program has over 70 Policies & Procedures and an additional 75 support documents, including the NOPP, Disaster Recovery Plan, Risk Analysis, Risk Assessment, Breach Assessment, and Workforce Classification for PHI Access.
To see how compliant your current HIPAA Program is, feel free to take our FREE HIPAA Compliance Assessment.
Video: Full Transcript
How to tell if your basic HIPAA Program needs replacing
Becky Templeton, Director of Business Development
There are many organizations that offer free HIPAA Compliance, be it a state association, drug wholesaler, or a professional organization. In most cases this simply is a HIPAA policy and procedure and maybe a sample Business Associate Agreement and a Notice of Privacy Practices.
The RJHedges HIPAA Program is designed for your abnormal days: you've had a robbery, the police are requesting information, maybe an estranged parent is requesting information about their child, an adult child is requesting information on behalf of their elderly parent, or, heaven forbid, you've had a data breach. All of these requests deal with PHI (Protected Health Information), and there really is a process for properly documenting whether the facility is or is not going to grant access. Our HIPAA program has over 70 P&P and an additional 75 support documents, including the NOPP, a Disaster Recovery Plan, Risk Analysis, Risk Assessment, and a Breach Assessment.
In the end, we hope no one ever needs a large chunk of our HIPAA program. But isn’t it better to have it and not need it, than need it and find that your free HIPAA program doesn’t actually tell you what to do in these situations? If your current program doesn’t address these basic items that I shared moments ago, it’s probably time to replace your free or basic HIPAA program with one that is a little bit more robust.