As we move into another year, it is important now more than ever for medical practices to ensure that they have a robust Health Insurance Portability and Accountability Act (HIPAA) compliance program in place. In 2009, the Office for Civil Rights (OCR) was appointed as the enforcement arm for HIPAA, and with that appointment came a mandate by Congress to begin auditing entities that fall under the HIPAA rules.
In 2012, the OCR implemented its pilot audit program. During the pilot audit phase, 115 covered entities were audited for compliance with various provisions of the Privacy, Security, and Breach Notification Rules. Since then, the OCR has developed its full audit program, and in September 2015, Jocelyn Samuels, Director of the OCR, announced that she fully expected the OCR’s audit program to kick off sometime by the first quarter of 2016. This article finds us firmly within that time frame.
What Makes a Good HIPAA Compliance Program?
The question now becomes, what should every medical office be doing to ensure that it can demonstrate compliance with the HIPAA rules? The cornerstone of any HIPAA compliance program is its policies and procedures. Ensuring that every employee understands the HIPAA policies and procedures is a huge part of your HIPAA compliance program, but there is more to a compliance program than only a manual. So, what constitutes a good HIPAA compliance program?
A well put together HIPAA compliance program has the following components:
- A privacy and security official (which may be the same person)
- Professional information technology (IT) support
- Documented, communicated, and enforceable policies and procedures
- Documentation of compliance with the HIPAA rules (forms and contracts)
Privacy and Security OfficialEach organization is required by HIPAA to appoint someone as its privacy officer. This person is responsible for ensuring that HIPAA- related policies and procedures are in place, are updated appropriately, are communicated, and are enforced when needed. This person is also responsible for investigating, documenting, and reporting HIPAA security breaches to the US Department of Health & Human Services and to the patient when required by law. The privacy officer’s name and contact information are made available on the organization’s Notice of Privacy Practices, which should be posted in the waiting area and on the organization’s website (if one exists).
Professional IT Support
In today’s very connected world, it is of utmost importance that every medical practice work with a professional IT group to ensure the security of its network, computers, tablets, devices, and, most important, its patients’ information. Without professional IT support, there is no way for any organization to truly know if there have been any malicious attempts to gain access to the network or to patients’ information. At the very least, all practices should have IT-managed antivirus programs and firewalls in place for protection.
Documented, Communicated, and Enforceable Policies and Procedures
There are no policies unless they are documented, communicated to the employees, and enforceable by rule. Working with a third party to develop sound policies is a very good idea when it comes to HIPAA compliance. Any policy manual must encompass the HIPAA rules and the culture of the organization. It is important to remember that what the policy indicates an organization does by rule is what the US Department of Health & Human Services and the OCR (which enforces the rules) will expect an organization to demonstrate. How does your office demonstrate that there are policies and procedures in place, that they are communicated to employees, and that they are enforceable? In addition, medical practices should be able to demonstrate that they update their policies and procedures at least on an annual basis.
Documenting Compliance with HIPAA Rules
Every practice must have certain forms and contracts in place to demonstrate compliance with HIPAA rules, including:
- Notice of privacy practices
- Acknowledgment of receipt of the privacy practices
- Authorization (HIPAA-compliant)
- Business associate agreements or contracts
- Risk analysis
- Taking inventory of the location of the electronic protected health information
- Contingency planning
- Corrective actions plans as needed.
Under the Privacy Rule, all members of the workforce must be educated on the HIPAA rules, including administrative staff and doctors or other providers within the organization. Training should occur when an entity first adopts HIPAA policies, for any new employees, for existing employees on an annual basis, and as required for certain roles that may necessitate more in-depth knowledge of the policies.
In addition, training should occur after any incident involving a violation of HIPAA rules. It is important for medical practices to ensure that they can demonstrate a teachable moment when things go wrong, as they sometimes will. Training should always include information on HIPAA rules, the policies and procedures for the practice, and the sanctions for nonadherence to the rules. Medical practices should also release periodic reminders on topics such as e-mail safety and policy, computer use policies, and other security issues as they arise throughout the year. Remember that every aspect of HIPAA compliance must be documented, including training.
Without a doubt, the least appealing aspect of any rule is enforcement; however, it goes without saying that you truly do not have rules if they are not enforceable. Moreover, the HIPAA rules require medical entities to have sanctions policies that they can demonstrate are enforceable. Sanctions must apply equally to all members of the workforce. A good sanctions policy will include levels of sanctions as they relate to specific actions. Organizations may elect to start with verbal warnings and then move to more rigid penalties for violations of HIPAA rules. The sanctions must reflect the organization’s philosophy, and they must be written so that they can be enforced without hesitation. Do not write a rule that you are not willing to enforce.
Every organization that falls under HIPAA rules is required to put appropriate safeguards in place that must be designed to protect the confidentiality, integrity, and availability of patient information. In other words, information that must be kept confidential is not viewed or used by any person who is not authorized to have such access.
Next, the integrity of information ensures that the data are not changed by any person who does not have the authorization to do so. This includes members of the organization who are not authorized to access certain records or other protected health information.
Finally, the information we create, maintain, and store regarding our patients must be available when needed. We must have an up-to-date contingency plan in place, and we have to work with a reputable and professional IT group that can monitor and ensure that the confidentiality, integrity, and availability of patient information are maintained.
The HIPAA rules specifically address the need for administrative, technical, and physical safeguards to be put in place, such as:
- Administrative: policies and procedures, risk analysis, and awareness and training programs
- Technical: identity and access management, auditing, and network infrastructure safeguards
- Physical: facility access management, maintenance record keeping, and workstation security.
A good HIPAA compliance program is more than just a manual or policies and procedures. It is also your documentation and training, as well as your sanctions and safeguards. Your compliance program must be documented, communicated, and enforceable. It is not a program that can be put in place overnight or reviewed one time and then forgotten. HIPAA compliance must become an integral part of the culture of every medical practice, beginning with the administrative or management staff, and then must permeate throughout the entire practice.