The Health Insurance Portability and Accountability Act (HIPAA) can be complicated. What are you doing for HIPAA? How confident are you in your HIPAA plans? More is needed than just a Notice of Privacy Practices and some HIPAA compliant software. This is not an overwhelming task, but it does require you to follow a checklist and to be conscientious in complying with the HIPAA regulations. By appointing a privacy and security officer, one person can oversee the HIPAA minimum requirements: create a HIPAA Policies & Procedures Manual, document HIPAA compliance, train employees to enforce HIPAA regulations & maintain a culture of privacy, and conduct an annual Security Risk Assessment. All of these will take some time to put in place, but once they are in place, they are easily enforced, and compliance is minimal.
You're probably not doing enough for HIPAA right now at this moment in time. Several times a week, I have people come to me, and we have an initial consultation. I ask them, “Well, what are you doing for HIPAA? How confident are you in your HIPAA plans?” And they'll say, “Well, I've gotten Notice of Privacy Practices, so I'm good,” or, “You know, I have HIPAA compliant EMR (Emergency Medical Records), so I'm good.” And it makes me cringe, and I have to kind of be gentle about it.
There's a lot more to HIPAA than a Notice of Privacy Practices and getting a software that's HIPAA compliant. Now, when I say there's a lot more to it, it doesn't mean it's overwhelming or difficult to do. It just takes some time to parse through it. If you can follow a checklist, you can satisfy all the requirements of HIPAA, no problem. Here we will talk about how you can do that, how we can make it easier for you, and where you can get started today if need be.
There’s a big contingent that says, and is technically true, that if you don't submit transactions electronically, basically asking for money, from an insurance company or from another third-party payer, then HIPAA doesn't call you a covered entity. While technically true, every state has security and privacy rules as well that help protect patient information. And those state laws are typically not spelled out with as much detail and don't include as many examples of what not to do as the federal HIPAA regulations do. And they still require you to make serious compliance efforts that are almost in lockstep with the federal rule as well. So, the agreement amongst most attorneys that you'll talk to is if you follow HIPAA, you'll be pretty close to your state privacy and security rules as well.
In your practice, you should include reasonable efforts to create and maintain, and then most importantly document, keeping records of the culture of privacy and security within your clinical space. Most of these requirements of HIPAA, the minimum requirements, are also best practices if you're not technically under HIPAA. Now, at this point, I like to use the NCAA as an example. If you follow college sports at all and you see where a program is not following the rules of the NCAA, there'll be a report, and months later, they'll say that the coaches are responsible because they didn't create a culture of compliance within the organization, even if they didn't know the actual infractions that were happening. So, the same thing can happen here in your practice. Your job is to create a culture of compliance. Let's figure out how to do that.
At a minimum, HIPAA requires you to have appointed a privacy officer and a security officer. Now that can be the same person. It can be you if you're the only person in the company, but then you must know what to do.
What is it that the Privacy and Security Officer does?
The privacy and security officer oversees first the creation and implementation of another requirement: the Privacy and Security Policies and Procedures Manual that each covered entity is required to have, creating a culture of compliance. I've had several other people contact me after the Office of Civil Rights (OCR), which enforces HIPAA infractions, has come to them after a complaint and said, “Show me your HIPAA Policies and Procedures Manual.” And that didn't happen. So that's the first request that you will get if there's ever an issue. So, putting a Policies and Procedures Manual into effect will 1) meet the minimum requirements and 2) help you sleep better at night as well. Putting it in place will prevent a lot of HIPAA issues down the road. Your company is creating policies, such as, “It's our policy that we want to comply with the Code of Federal Regulations as it pertains to HIPAA,” for each of the regulations, and then “What are the procedures that you've put into place to comply with that?” It's one thing to say, “Yeah, we want to comply,” but if your actions say otherwise, then you're not really doing much in the way of compliance. And it's important because, as you probably well know, from sitting through tons and tons of boring HIPAA PowerPoints and presentations from Continuing Medical Education (CME), or maybe from your initial training, that HIPAA costs and fines can be steep, up to $5,000 per record, per incident.
As you can see, it's not something to take lightly. But again, it's not very hard to create a culture of compliance if you're willing to sit down and go through a checklist, that checklist being a Policies and Procedures Manual.
We have a template at Functional Lawyer where you can start. It's comprehensive and covers the Privacy Rule and the Security Rule. There are approximately 80 pages of policies and procedures, with another 50 pages of different templates and forms that hopefully you'll never need, but some of them include the Notice of Privacy Practices, Accounting of Disclosures, and many other privacy and security forms that your patients have the right to, so you may as well have the form when they ask for it.
HIPAA and Compliance Training
Another task that should be accomplished is having your staff and workforce receive HIPAA Compliance Training, both once hired and then after that annually for you.
Security Risk Assessment
Part of your role or the role of the privacy and security officer is to perform a Security Risk Assessment. This is part of the rule, the HIPAA regulations, that most people forget about. Most of the time our concentration is on HIPAA’s Privacy Rule: Notice of Privacy Practices, Protected Health Information (PHI) and Non-Disclosure. However, there's a whole other rule, often forgotten, the Security Rule, which is about the other half of HIPAA. The Security Rule considers some physical, administrative, and technological safeguards that help ensure that the PHI doesn't get disclosed.
So, the Security Risk Assessment is essentially the security officer going through your Security Rule and your Policies and Procedures Manual, noting where there are any gaps. If you see that you don't have an encryption on your computer, then you write down the gap. Where HIPAA is concerned, it's like Physics or Math where you need to show your work and you'll get lots of credit for doing that. That helps document your compliance efforts, your culture of compliance. So even if there's a gap, that's good because then you can say, “Oh, we identified this gap during our latest Security Risk Assessment. We have identified a plan to address it within the next 90 days. And then 10 days later, we've addressed it.” That's a quick and dirty way to do your security or an explanation of how the process of a Security Risk Assessment might go.
Last, but not least, I would caution you to remember that HIPAA applies to practices of all sizes. The Privacy Rule, especially, does not consider the size of your practice, whether you are a solo provider or the biggest hospital system in your area. The Security Rule, however, does have a little bit more flexibility depending on your abilities and your finances. Yet, it still applies to you. Start with a Policies and Procedures Manual. It will force you to appoint a privacy officer and a security officer that can be the same person, even you. Perform a Security Risk Assessment at least annually, and then document and show your compliance with HIPAA throughout the year. Remember that it's not hard; like many other things in your practice, you must pay attention to it.