With the focus on Meaningful Use Measures, many practices are neglecting the procedures and policies needed to comply with HIPAA Security and Privacy. The recently announced $100,000 settlement with a five-doctor, Phoenix-based practice should trigger a closer look at your own compliance situation.
On April 17, HHS settled a HIPAA Privacy and Security case with Phoenix Cardiac Surgery. According to the HHS announcement, the practice failed to establish and maintain the policies and procedures needed to protect patient information. Additionally, the practice failed to document appropriate training or even appoint a Security Officer.
This incident should trigger a review of your own HIPAA Security and Privacy exposure in the following areas:
Maintain Policies and Procedures – According to the HIPAA Security and Privacy standards, you need written policies and procedures to safeguard protected health information as well as a process to ensure that the procedures are enforced. Indeed, the lack of adequate procedures is itself a HIPAA violation. Note that it is not just a matter of initially creating the appropriate policies and procedures, but also of maintaining them as your practice or the standards change. For example,
· The implementation of an EHR will require changes to your HIPAA Privacy strategy as well as rethinking your entire HIPAA Security strategy.
· The HITECH-based changes to HIPAA Security and Privacy should be considered in your internal procedures as well as in any Business Associate Agreement that you may have.
Training – In a surprising number of cases, practices do not adequately train employees on HIPAA Security and Privacy issues. Commonly, practices trained employees initially (maybe years ago), but do not have a formal training process for new employees. Many more practices fail to update employees on a continuing basis or in the event of a change to their policies and procedures. For example,
· The release of a new version of your practice management or EHR system may require training relevant to HIPAA compliance.
· HIPAA Security and Privacy training should be customized for your own situation and operation. A general class on HIPAA Security and Privacy may not address how your staff is notified about disclosure limitations on the patient's HIPAA consent form, or the contents of the patient medical record in your organization.
Vendor Features – In some cases, vendor features or strategies may not adequately comply with HIPAA Privacy and Security. Note that your practice is responsible for HIPAA Security and Privacy, not your vendor. For example, some EHR vendors offer email facilities from their EHR. However, you would need specific procedures governing, or perhaps prohibiting, the use of such a feature. Indeed, your practice should only be communicating with patients on clinical issues through a secured messaging facility.
Security Risk Analysis – A Security Risk Analysis is part of any HIPAA Security compliance plan and is also a Meaningful Use requirement. Note that the Security Risk Analysis needs to examine the physical, technical, and administrative safeguards over protected health information. Even if you do not have an EHR, you may still need to perform a security risk assessment. For example, an online directory containing transcription Word files is covered by the HIPAA Security standards. Conversely, the use of an EHR product does not by itself address your HIPAA Security exposure. Even if you use an EHR service, your practice still needs administrative procedures to control access and to prohibit storing information in an unsecured environment, such as taking screen snapshots and storing the image on a personal PC or other device.
Although we have focused on the compliance issues, do not forget that a HIPAA Security or Privacy problem can affect your practice's reputation and relationship with your patients. The recently announced settlement with Phoenix Cardiac Surgery should be a wake-up call to your practice that HIPAA Security and Privacy standards are important and that HHS will not hesitate to pursue compliance issues in smaller organizations.
To see the HHS notice, click here.
For more posts on how to deal with HIPAA Security and Privacy, click here.
For expert advice to address your HIPAA Security and Privacy exposure, contact Sterling Solutions at (800)967-3028 or click here.