A Renewed Emphasis on HIPAA Compliance
By Lyn Triffletti
As the Office for Civil Rights prepares to launch phase two of its HIPAA auditing program next year, healthcare organizations should be turning their attention to this area of compliance. The upcoming audits will target covered entities and business associates, assessing whether they are consistently meeting HIPAA privacy, security, and breach notification rules, even if they haven’t experienced a recent breach.
The government’s main interest in performing these audits is to ensure that healthcare providers are sufficiently self-policing when it comes to health information security. In other words, the agency wants to make sure that organizations across the care continuum are committed to maintaining patient privacy and have processes and procedures in place to accomplish that goal.
Audits happen…are you ready?
Even though only a portion of physician practices will be audited in the next year, it would be a mistake to assume that such a review can never happen. OCR is dedicated to verifying compliance in all types of facilities regardless of size, so every organization should be prepared to demonstrate its commitment by making a reasonable and appropriate effort, in line with its size and resources, to address identified risks and preserve patient privacy. Because the forthcoming audits are designed to examine privacy, security, and breach notification practices directly, rather than waiting for a breach to trigger an investigation, there has never been a better time for physician practices to get a handle on HIPAA.
Marrying obligation with affordability
Unfortunately, many smaller practices do not have the internal resources to effectively self-police for compliance. Addressing this issue internally requires dedicated personnel who have the expertise to develop policies, provide education, assess compliance, shore up weaknesses, and so forth. This level of proficiency is not only expensive, but also can be hard to find.
A more cost-effective option involves partnering with a third party that offers the resources needed to achieve and sustain compliance. These types of organizations often provide technology that automates and streamlines the compliance effort. For example, a physician practice can leverage third-party software to generate a comprehensive and appropriate HIPAA policy just by answering a few questions. A generated policy is only a starting point, however: it must describe the safeguards the practice actually has in place, and the Security Rule still requires a documented risk analysis of the practice's own systems and workflows, which no questionnaire can supply on its own. Similarly, the practice can use an online tool to offer meaningful staff education, allowing employees to get up to speed on HIPAA anywhere and at any time. These tools help an organization quickly spin up its compliance program without having to hire new staff or re-task existing personnel.
Bottom line: By working with an external partner or expert, a smaller practice can demonstrate its commitment to following HIPAA regulations without blowing its budget.
Not all partners are the same
When seeking a HIPAA compliance partner, organizations should take a careful look to make sure they join forces with an entity that provides value and delivers on expectations. Following are a few questions to ask as you proceed in reviewing different options.
- What is the partner’s degree of experience? The primary reason to partner with an outside resource is to take advantage of the company’s level of familiarity with and understanding of HIPAA’s rules and regulations, filling in the gaps at the particular practice. A partner should be able to demonstrate it is a subject matter expert with a proven track record.
- Are they familiar with your specialty? HIPAA compliance looks different depending on the area of practice, and you want to double check that the expert can appropriately address your organization’s specific needs.
- Has the company ever audited for the government? One way to gauge a potential partner’s know-how is to see if they have performed audits for the OCR. This experience would give them a first-hand view of what the agency requires and what compliance looks like.
- How robust is the technology? Practices shouldn't select a partner that has a less-than-comprehensive solution. Organizations need to know what content the product includes and how closely it maps to what the government requires. Also ask how many users currently work with the software and how different organizations interact with the technology. Training is also key: practices should gain an appreciation of how intuitive the software is and what training the partner provides.
- How do they promote retention of information? To achieve compliance, an organization has to do more than offer education and hope for the best. Practices must make sure staff participate in the training and retain the information. To that end, technology solutions should present a way of monitoring which staff have taken the course so you can follow up with those who have not engaged. Furthermore, the solution should offer a method for assessing whether staff understand and can apply the information to their day-to-day work.
Although meeting HIPAA regulations may seem overwhelming, it does not have to be. Organizations that take a fiscally responsible approach to compliance and leverage the resources of an outside expert can ensure they meet the government’s expectations while remaining in budget.
Lyn Triffletti, CCSP, CPCO, CPC, PCS is a vice president of compliance at Stericycle Inc.