Are You One of The Eight?
The Health Insurance Portability and Accountability Act (HIPAA) was originally introduced way back in 1996. The “portability” portion of the name reveals the program’s initial purpose: to assist workers with health insurance needs when they move from one job to another. Over the years, this program has expanded to include provisions to ensure that protected health information (PHI) is handled correctly, appropriately secured, and accessible only to authorized individuals. In an effort to prepare for the onslaught of Electronic Health Records (EHR), additional provisions set the tone for the security of health information and ensured that the same code sets were used by everyone. Most practices say they have a HIPAA compliance program implemented in their office, but when we peel back the layers we find as many as 90% of practices are non-compliant in at least one aspect of this required compliance program. Worse, more than half are woefully out of date and out of compliance, with little more than a book on a shelf to represent their program.
Admittedly, compliance may not be the most interesting thing done day-to-day in the practice. We can’t see a patient progress or get out of pain because of our HIPAA program. We don’t make additional revenue from keeping that program up to date. Therefore, it’s often prioritized near the bottom of the list when it comes to keeping up. But it should be noted that HIPAA violations CAN cost your practice. The fines for noncompliance are based on the level of apparent disregard found within your practice when the violation occurs. These fines can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each category of violation. The impact of something like this can break the back of a small business.
These Are Not Paltry Fines
In February 2019, the Office for Civil Rights (OCR), the division of Health and Human Services that oversees HIPAA, announced that 2018 was a record year. OCR settled 10 cases and was granted summary judgment in a case before an Administrative Law Judge. These cases together totaled $28.7 million in collected fines from enforcement actions. This total surpassed the previous record of $23.5 million from 2016 by 22 percent. In addition, OCR achieved the single largest individual HIPAA settlement in its history, $16 million from Anthem, Inc., representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016. Cottage Health, a California hospital group, reported two breaches affecting over 60,000 individuals and was held liable for $3 million in fines.1
In nearly every case where a practice, hospital or other entity was found to be in violation of the rules, the investigation revealed that the covered entity hadn’t conducted the simple risk assessment required on an annual basis. In the example above, Cottage Health failed on four of the most basic HIPAA requirements. The investigation revealed that they:
- Failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI
- Failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level
- Failed to perform periodic technical and non-technical evaluations in response to environmental or operational changes affecting the security of ePHI
- Failed to obtain a written business associate agreement with a contractor that maintained ePHI on its behalf
Did You Try a DIY Program?
But what about your office? Do you keep up with these rules and conduct these annual reviews? If you’re like 8 out of 10 providers for whom KMC University has conducted a “proactive” HIPAA review, you would be in breach of at least 50% of the required elements of a HIPAA program, scaled to your practice. Many of these practices have purchased a set of templates or another starter kit and thought they were compliant. However, placing your letterhead at the top of a sample policy is not implementing a HIPAA program. Nearly every “do-it-yourself program” also requires that evaluation, training, and upkeep be performed. In almost every instance we’ve reviewed, the practice failed to do so.
Not unlike the anti-virus program you have on your computer, a HIPAA program is designed to be installed, updated, and evaluated on a regular basis in order to keep you safe. You would never think of purchasing an anti-virus program and leaving the box on the shelf. Nor would you fail to install it, schedule its updates, keep up with new virus definitions, or have a policy around keeping your data safe. Yet that is what most practices do when implementing HIPAA. They assume that if they have the book on the shelf, their work is done. Nothing could be farther from the truth.
A Better Way
In the past, KMC University also offered a DIY program for implementing compliance, including execution of a HIPAA program. We offered excellent training and materials, step-by-step instructions, and a certified specialist at the other end of the line to help at any time. Yet when we conducted spot audits of practices, we determined that 8 out of 10 who thought they were compliant were not. They had simply missed important elements from the training, failed to execute some of the steps, or simply taken a shortcut and made a book. When questioned, most indicated they didn’t have the time or expertise to follow even these step-by-step instructions.
We take our responsibility as Certified Compliance Specialists very seriously. In 2019, we made the decision to discontinue the DIY version of HIPAA implementation. We realized that offering the program in this way strayed from our KMC University Proven Process, which is to Evaluate, Report, Recommend, Train, Implement, and Sustain.
Your HIPAA Opportunity
We suggest that you use this prompting to examine your existing HIPAA program. We would love to help you with this process.
This is how we approach the serious deficit of HIPAA compliance that exists in our profession:
Because most practices have some kind of HIPAA program in place, we start with a detailed review of what you already have, in order to determine where the gaps are. This is our HIPAA Discovery Consultation. In this review, we ask a series of questions and review your existing materials to provide a risk score for you.
Both in the consultation and in writing, we’ll outline the exact elements that are missing or outdated and provide a reference to the rule that is violated.
In this written report our specialist outlines what it will take for you to bring your program into compliance. You may choose to take this information and solve the issues on your own, or, if you prefer, we can do it for you. Your report outlines the expected length of time and pricing for us to help you, scaled to the complexity of your practice, the number of team members, and the level of your existing program.
Train and Implement:
If you elect to have a certified specialist work with your practice to upgrade your program, we offer the “we do it with you” option. We take on the heavy lifting and ensure that your final program is accurate and compliant and that your team is equipped to keep it that way.
Because ongoing HIPAA compliance carries a number of continuing requirements, while your practice is under the care and protection of KMC University we help keep you compliant with continual reminders and updates, giving you peace of mind.
What are you waiting for?
It is our goal to set you on the path for success in this area and beyond. But a journey always begins with the first step. The initial HIPAA Consultation is only $79. And if you elect to work with us to bring your practice into compliance, we apply the full amount of this consultation fee to the HIPAA service you need. You owe it to yourself to have confidence in your level of compliance. We’re ready to get you there.