By Paul Edwards bio
The next round of HIPAA audits promised by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has been delayed since October 2014, but OCR has made it clear they are still going to happen. Their senior advisor, Linda Sanches, has informed medical office managers, “This is a good time to get your house in order.”
If your reaction to this news is “Ugh, not HIPAA again, we got our house in order years ago!” a recent NueMD survey on HIPAA compliance might contain unpleasant surprises. Among other findings:
- Office managers and staff have very different opinions over whether their practice even has a compliance plan. Sixty-eight percent of office managers said they have a plan, compared to 43% of office staff. Confusion or disagreement on the matter is a huge red flag during an audit.
- Only 45% of practices indicated they have a privacy breach notification plan. Even for minor breaches, the difference between a $100 and a $50,000 fine lies in how well a breach is addressed.
- Sixty-two percent of practices provide HIPAA training at least once a year, and only 65% can prove it. Regular training is an integral part of HIPAA compliance, so practices that cannot provide proof that employees have been recently trained will likely fail an audit. This is true even if the practice has not yet had a single breach.
The news is even worse for smaller practices (1-3 providers), whose compliance efforts tended to be far worse because they have fewer resources available. Smaller practices are also far less able to absorb the potentially hefty fines for HIPAA privacy breaches.
Luckily, there’s still time for these practices to get their HIPAA ducks in a row before OCR’s HIPAA audits intensify.
First, and most importantly, make sure every aspect of your HIPAA compliance efforts is well documented. Among other things, be prepared to show proof of:
- Your overall compliance plan
- The compliance procedures your practice has implemented
- ALL employees being regularly trained in HIPAA compliance
- Your Breach Notification plan, for if/when a breach occurs
Your attitude when it comes to training and breach mitigation efforts should be, “If it isn’t documented, it didn’t happen.” This will surely be OCR’s viewpoint if your practice gets audited.
Next, make sure your office has a dedicated Safety and Privacy Officer (SPO) to oversee the office’s compliance. Only 55% of practices surveyed indicated they had one. This is a HIPAA requirement. The SPO is also the go-to person for all HIPAA-related questions or concerns. If your team is asked during an audit who they would report a possible breach to, they must not only know who the SPO is, but also how to contact that person at all times.
Benjamin Franklin said, “The only certain things in life are death and taxes,” but if HIPAA had existed back then, he surely would have listed it as number three. Your practice can’t escape HIPAA, but with a solid compliance plan followed 100% of the time, you can at least keep the worst of it at bay.
Paul Edwards is the CEO of CEDR Solutions (www.cedrsolutions.com), the nation’s leading provider of customized medical employee handbooks and expert HR support for practices of all sizes and specialties. He can be reached at 866-414-6056 or pauledwards@cedrsolutions.com.
The above information is shared by a guest contributor and does not necessarily reflect the views of Medical Office Manager.
