Being HIPAA Compliant is not a Snapshot in Time

Mike Semel

Meaningful Use Requires You to Protect Patient Data

Mike Semel
Semel Consulting

Protecting patient information is like protecting patient safety; it is something you have to do every time, by developing habits you don’t have to think about. Do you allow needles and instruments to be shared between patients? Do you touch patients with your dirty hands, or without gloves? Of course not, and you probably don’t even think about it anymore because these have become habits.

Sometimes when I am doing a presentation on being HIPAA compliant one of the attendees expresses in frustration, “Don’t tell me everything about these rules. I just need to know what I have to do to be HIPAA compliant!” These are the folks who just don’t get it— they think being HIPAA compliant is something they can do in a day or two, take an online course, sign some forms, and get a certificate. Then they can go back to doing everything the way they used to.

Are they ever wrong.

Cultural Change

Being HIPAA compliant may require significant changes to the way your medical practice has operated in the past. The changes will be in your everyday operations, not just documented in a book and set on a shelf to gather dust.

HIPAA compliant changes may include:

  • Upgrades to your computers and network devices to protect patient data
  • Hiring a real IT professional to provide Managed Services to monitor and maintain your network
  • How you train and document the training for your current staff and new hires
  • Paying for e-mail since free mail services are not secure and should never be used to send patient information
  • No longer sharing logins and passwords
  • Automatic logoff to make sure unauthorized users cannot get to patient data
  • Reviews of systems access to ensure only authorized staff are looking at patient records
  • Documenting your activities as preparation for an audit or data breach investigation
  • Monitoring your employee’s activities and conducting internal compliance audits
  • Enforcing privacy regulations the same way you would enforce rules about patient safety
  • Having a certified professional do your Risk Analysis and help you with your compliance program

Meaningful Use

The federal government is now doing pre-audits before making incentive payments–and audits after incentive payments — for the Meaningful Use of Electronic Health Records (EHR) systems, which requires HIPAA compliance as part of the HITECH Act.Core Measure 15 for Eligible Professionals requires a Security Risk Analysis. When the government mentioned that this must be done in accordance with the cryptic “45 CFR 164.308(a)(1)” they could have been clearer and said it was the Risk Analysis requirement from the HIPAA Security Rule. And, you must remediate any problems (like not being HIPAA compliant) during the 90-day Meaningful Use reporting period.

Practice managers and physicians have exclaimed surprise and frustration when our Risk Analysis has exposed that they are not HIPAA compliant. Some have asked why HIPAA has anything to do with Meaningful Use. Others wonder why they have only 90 days to implement compliance— completely ignoring that they were supposed to be HIPAA compliant since 2005, eight years ago.

Some practices attested and received their incentive payments even though they never did the Core Measure 15 Security Risk Analysis. Audits have caught many and have resulted in the return of the funds. Practices also risk enforcement through the federal False Claims Act or, in more extreme circumstances, criminal Medicare fraud prosecutions.

Those that think being HIPAA compliant is expensive aren’t thinking about the small medical practice that paid a $ 100,000 fine for using webmail to send patient information, the hospital that paid a $ 1.5 million fine when a doctor lost a laptop computer, or the many practices that have had to return their 2012 incentive payments of $ 12,000 or $ 18,000 after they failed an audit because they had not done a Security Risk Analysis.

What to Do

Getting a Security Risk Analysis done now will give you more time to address any issues with HIPAA. Hiring a professional to audit you will accomplish two things— a third-party review methodology similar to a federal audit or investigation, and an independent view of your environment by knowledgeable professionals who understand compliance and IT Security, rather than the ‘friendly’ approach taken when you audit yourself.

The Office of the National Coordinator (ONC) that administers the EHR Incentive Program says, “…doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.”

Becoming HIPAA compliant is the right thing to do, because patient data is sacred, and because it is the law. No matter whether your motive to becoming HIPAA compliant is to protect patient data, abiding by the law, or because you simply want to keep the incentive money for implementing an EHR system, you should get a Security Risk Analysis done now by a qualified professional.

Otherwise, don’t attest and take the incentive money, and take your chances that you will be audited or investigated for a HIPAA violation.

Mike Semel is certified in HIPAA and has been the CIO for a hospital (Covered Entity) and has provided IT support for healthcare providers (as a Business Associate.) This article was originally published on