Reviewing Your HIPAA Security and Privacy Exposure
With the focus on Meaningful Use Measures, many practices are neglecting the procedures and policies needed to comply with HIPAA Security and Privacy. The recently announced $100,000 settlement with a five-doctor, Phoenix-based practice should trigger a closer look at your own HIPAA compliance situation.
On April 17, HHS settled a HIPAA Privacy and Security Case with Phoenix Cardiac Surgery. According to the HHS announcement, the practice failed to establish and maintain the policies and procedures needed to protect patient information. Additionally, the practice failed to document appropriate training or even appoint a Security Officer.
This incident should trigger a review of your own HIPAA Security and Privacy exposure in the following areas:
Maintain Policies and Procedures
According to the HIPAA Security and Privacy standards, you need written policies and procedures to safeguard protected health information, as well as a process to ensure that those procedures are enforced. Indeed, the lack of adequate procedures is itself a HIPAA violation. Note that it is not just a matter of initially creating the appropriate policies and procedures, but also of maintaining them as your practice or the standards change. For example,
- The implementation of an EHR will require changes to your HIPAA Privacy strategy as well as rethinking your entire HIPAA Security strategy.
- The HITECH Act changes to HIPAA Security and Privacy should be reflected in your internal procedures as well as in any Business Associate Agreement that you may have.
In a surprising number of situations, practices do not adequately train employees on HIPAA Security and Privacy issues. Commonly, a practice trained its employees initially (perhaps years ago), but has no formal training process for new employees. Many more practices fail to update employees on a continuing basis, or when their policies and procedures change. For example,
- The release of a new version of your practice management or EHR system may require training relevant to HIPAA compliance.
- HIPAA Security and Privacy training should be customized for your own situation and operation. A general class on HIPAA Security and Privacy may not address how your staff are notified of the disclosure limitations on a patient's HIPAA consent form, or what the patient medical record contains in your organization.
In some cases, vendor features or strategies may not adequately comply with HIPAA Privacy and Security. Note that your practice, not your vendor, is responsible for HIPAA Security and Privacy. For example, some EHR vendors offer email facilities from within their EHR. However, you would need specific procedures governing, or perhaps prohibiting, the use of such a feature. Indeed, your practice should only communicate with patients on clinical issues through a secure messaging facility.