This is the second in a series about how to create an effective HIPAA compliance program. Last week we covered the role of a HIPAA Compliance officer, and next week covers the Workforce.
Senior Management is responsible for HIPAA compliance. They can delegate the authority to implement compliance to a HIPAA Compliance Officer but they remain responsible. How do they support a successful compliance program? What happens when they fail?
Size Doesn’t Matter When it Comes to HIPAA Compliance
The same rules apply to everybody. All sizes of covered entities and business associates must comply with HIPAA – from the largest hospital systems to a neighborhood clinic to the one-person shop doing billing and coding – all should have HIPAA policies, training and a Risk Management plan. In larger organizations, a Compliance Officer reports to Senior Management who in turn reports to a Board. In smaller organizations, the owner is the leader who is ultimately responsible. Whatever the size or assignment of roles, all need to work together to be successful.
Culture of HIPAA Compliance Comes from the Top
The Board and Senior Management, or the owner, sets the tone. When leadership adopts the mindset that HIPAA matters and communicates that belief to everyone else, a HIPAA Compliance program is successful. But what does that mean? How does leadership “adopt the mindset that HIPAA matters?”
Three key actions:
- Support the HIPAA Compliance Officer with resources.
- Accept HIPAA training.
- Encourage and celebrate reporting of incidents and potential breaches.
Resources does not necessarily imply a big budget. Support could be a place on a meeting agenda, spending time to learn about the HIPAA Risk Analysis, and setting priorities to support the HIPAA Compliance Officer’s recommendations. If a budget allows, provide updated training.
Everyone in the organization, including the Board of Directors, should receive training at least once a year. This does not require learning everything there is to know about HIPAA, but should fit with job function and responsibility. For example, everyone, from the C-Suite to the receptionist, should learn the “minimum necessary rule”. But only those staff who interact with patients need to learn how to help patients obtain access to their records.
A strong culture of compliance helps prevent violations. Everyone in the organization should be alert to potential breaches or other HIPAA violations, and know what to do if they see something wrong. They shouldn’t be afraid to report, but encouraged.
The HIPAA Compliance Officer can tell everyone what to look for. Then Senior Management should support a plan for rapid communication to the right people who can prevent larger issues from developing. Celebrate prevention.
HIPAA Compliance: Fines are Failures
Bad things happen when leadership delegates authority for HIPAA compliance but doesn’t follow HIPAA policies themselves. The Office for Civil Rights, the government agency that oversees HIPAA compliance, can be harsh if an investigation reveals that Senior Management was careless. In 2017 Memorial Hermann Health System in Texas paid $2.4 million to settle HIPAA violations when it issued a press release disclosing one patient’s name. Senior management had approved the press release.
“Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response,” said OCR Director Roger Severino at the time.
The size of the fine was unusual in that only one patient’s information was disclosed. Usually settlements and fines are reserved for situations where the breach affected larger numbers. The message was clear. Senior management is responsible and needs to understand and comply with HIPAA.
One-Stop HIPAA Compliance Solution
The complete HIPAA Compliance solution, for large, medium and small organizations, is The HIPAA E-Tool®. Delivered over the Internet, it’s scalable and tailored to your needs.
Policies for the Privacy, Security, Breach Notification and Enforcement rules, a do-it-yourself comprehensive Risk Analysis – Risk Management module, Training, Updates whenever the law changes, and Customer Service so you’re never alone. With practical advice you can use, you can trust The HIPAA E-Tool®.