Keeping resolutions is tricky. Every year resolutions to exercise more, eat healthy or manage money better are made and broken. Lots of people decide to stop making resolutions because of the disappointment they feel if they don’t keep up. At home, it may not matter much because it’s personal and no one needs to know the difference.
In the healthcare profession though, improving compliance does matter. The Office for Civil Rights (OCR) continues to enforce HIPAA, patients expect their privacy to be protected, and cybersecurity threats bring new challenges.
Whether you believe your program is first rate, or you grade yourself as average or worse, now is the time to take stock and see how to do better. You can make huge improvements without breaking the bank or spending time you don’t have. Small improvements will pay off.
You can do it.
Audits Show HIPAA Compliance is Inadequate
Last week we mentioned a report from OCR published on December 17, 2020 summarizing the HIPAA Audits from 2016 and 2017. The 2020 Audit Report was released without much fanfare. A close reading is a devastating picture of widespread noncompliance and helps explain why HIPAA enforcement continues strong.
Generally, covered entities demonstrated compliance in two of the seven areas audited: (1) timeliness of breach notification and (2) prominent posting of the Notice of Privacy Practices on their websites. However, covered entities did not comply with the individual access requirements and content of breach notification provisions. And the report explained that covered entities still struggle to implement the Security Rule’s requirements of risk analysis and risk management.
Roger Severino, the current Director of OCR said:
“The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino. “We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”
Your HIPAA Checklist
Three basics apply to everyone regardless of the state of their HIPAA compliance program. Whether you are just starting, starting over, or your compliance is in good shape, each of these ongoing requirements should be refreshed on a regular basis.
Risk Analysis – Risk Management
This is the core requirement of HIPAA compliance, and everything else follows. The purpose is not for appearances – you don’t do one to get an “A” or just look good. In fact, it is meant to show you how to improve, because every organization has gaps and can make improvements.
The Risk Analysis will help you review whether you have the policies you need, and it will help you take an inventory of all protected health information under your care: where it is located and how it is protected. You will make a list of your business associates or subcontractor business associates and your workforce members, and note their training. You will uncover threats, vulnerabilities and risks and create a Risk Management plan to manage them. If you are ever audited, investigated or sued, your documented Risk Analysis will help you defend yourself.
Review the Patient Right of Access Rule
In 2019 the OCR began a Right of Access Initiative to emphasize the importance of providing timely, reasonable-cost access to patient medical records. There have been thirteen settlements of investigations under the Right of Access Initiative as of today, with settlement amounts ranging from $3,500 to $160,000. This violation is commonly raised by patients, who can easily report their frustrations to OCR through the online complaint system. With or without a patient complaint, an audit or investigation will include how well you comply with the right of access rule.
Train the Workforce
The workforce is both the first line of defense and a potential weak link in maintaining the privacy and security of patient information. Everyone on the workforce who comes into contact with protected health information needs basic HIPAA training and cybersecurity training. It should be done when they first come on board, and then periodically thereafter. Their training should be documented in the Risk Analysis-Risk Management Plan. It does not have to be complicated or time consuming, but it needs to happen.
HIPAA Compliance is a Blueprint for Cybersecurity
The cybersecurity threat is growing, and 2020 saw huge growth in ransomware and data theft in healthcare. HIPAA rules actually provide great guidance for staying ahead of cyber criminals. Following HIPAA helps you fight cyber crime and saves you costs and downtime.
The three basic steps described today will take you a long way toward better compliance. Even if you’re already an expert, your HIPAA program needs to be reviewed and refreshed on a regular basis: good compliance is part of an organization’s culture every day, all year, and everyone on the workforce can contribute.
If you need help, have any questions, or need a jumpstart, let us know at The HIPAA E-Tool®.