With the focus on Meaningful Use Measures, many practices are neglecting the procedures and policies needed to comply with HIPAA Security and Privacy. The recently announced $100,000 settlement with a five-doctor, Phoenix-based practice should trigger a closer look at your own compliance situation.
On April 17, HHS settled a HIPAA Privacy and Security Case with Phoenix Cardiac Surgery. According to the HHS announcement, the practice failed to establish and maintain the policies and procedures needed to protect patient information. Additionally, the practice failed to document appropriate training or even appoint a Security Officer.
This incident should trigger a review of your own HIPAA Security and Privacy exposure in the following areas:
Maintain Policies and Procedures – According to the HIPAA Security and Privacy standards, you need written policies and procedures to safeguard protected health information, as well as a process to ensure that those procedures are enforced. Indeed, the lack of adequate procedures is itself a HIPAA violation. Note that it is not just a matter of initially creating the appropriate policies and procedures, but also of maintaining them as your practice or the standards change. For example,
· The implementation of an EHR will require changes to your HIPAA Privacy strategy as well as rethinking your entire HIPAA Security strategy.
· The HITECH-based changes to HIPAA Security and Privacy should be reflected in your internal procedures as well as in any Business Associate Agreement that you may have.
Training – In a surprising number of cases, practices do not adequately train employees on HIPAA Security and Privacy issues. Commonly, a practice trained its employees initially (maybe years ago), but has no formal training process for new employees. Many more practices fail to update employees on a continuing basis or when their policies and procedures change. For example,
· The release of a new version of your practice management or EHR system may require training relevant to HIPAA compliance.
· HIPAA Security and Privacy training should be customized for your own situation and operation. A general class on HIPAA Security and Privacy may not address how your staff are notified of the disclosure limitations recorded on a patient’s HIPAA consent form, or what the patient medical record contains in your organization.
Vendor Features – In some cases, vendor features or strategies may not adequately comply with HIPAA Privacy and Security. Note that your practice, not your vendor, is responsible for HIPAA Security and Privacy compliance. For example, some EHR vendors offer email facilities from within their EHR. However, you would need specific procedures governing, or perhaps prohibiting, the use of such a feature. Indeed, your practice should only be communicating with patients on clinical issues through a secured messaging facility.
Security Risk Analysis – A Security Risk Analysis is part of any HIPAA Security compliance plan and is also a Meaningful Use requirement. Note that the Security Risk Analysis needs to examine the physical, technical, and administrative safeguards over protected health information. Even if you do not have an EHR, you may still need to perform a security risk assessment. For example, an online directory containing transcription Word files is covered by the HIPAA Security standards.
However, the use of an EHR product does not by itself address your HIPAA Security exposure. For example, even if you use an EHR service, your practice still needs administrative procedures to control access and to prohibit storing information in an unsecured environment, such as taking screen snapshots and storing the image on a personal PC or other device.
Although we have focused on the compliance issues, do not forget that a HIPAA Security or Privacy problem can also damage your practice’s reputation and its relationship with your patients. The recently announced settlement with Phoenix Cardiac Surgery should be a wake-up call to your practice that HIPAA Security and Privacy standards are important and that HHS will not hesitate to pursue compliance issues in smaller organizations.