My Doctor Wants To Know:
Why Do I Have To Spend All This Money On
Security & HIPAA Compliance
When I Never Had To Before?
- It has been Federal Law since 1996. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information, known as e-PHI or PHI (Protected Health Information).
- The final regulation, the Security Rule, was published February 20, 2003. The Rule specifies a series of administrative, technical, and physical security procedures for Covered Entities to use to assure the confidentiality, integrity, and availability of e-PHI. Your Practice should have begun complying with the Law in 2003.
- The Administrative Safeguards provisions in the Security Rule require Covered Entities (Physician’s Offices) to perform a Security Risk Analysis (SRA) as part of their security management processes. The risk analysis and management provisions of the Security Rule help to determine which security measures are reasonable and appropriate for a particular covered entity; because of this, the risk analysis affects the implementation of all of the safeguards contained in the Security Rule.
- A Security Risk Analysis process includes, but is not limited to, the following activities:
  - Evaluate the likelihood and impact of potential risks to e-PHI;
  - Implement appropriate security measures to address the risks identified in the risk analysis;
  - Document the chosen security measures and, where required, the rationale for adopting those measures; and
  - Maintain continuous, reasonable, and appropriate security protections.
- Risk analysis should be an ongoing process that is revisited annually, or whenever there are major changes to the Practice, such as a move, adding new computers, or a change of ownership.
- The Security Rule does not require specific technology solutions.
- There are many technical security tools, products, and solutions that a covered entity may select. Determining which security measure to implement is a decision that Covered Entities must make based on what is reasonable and appropriate for their specific organization, given their own unique characteristics, as specified in §164.306(b), the Security Standards: General Rules, Flexibility of Approach.
- Some solutions may be costly, especially for smaller Covered Entities. While cost is one factor a covered entity may consider when deciding on the implementation of a particular security measure, it is not the only factor. The Security Rule is clear that reasonable and appropriate security measures must be implemented, see 45 CFR 164.306(b), and that the General Requirements of § 164.306(a) must be met. (HHS HIPAA Security Series #4)
12 Myths About HIPAA
1. “HIPAA Compliance is optional.”
If you manage Protected Health Information (PHI), you must comply with federal HIPAA regulations or face substantial penalties for non-compliance. Consider this: if a Covered Entity chooses to accept Meaningful Use funding, a Security Risk Analysis is required, and any funding will have to be returned if adequate documentation is not provided upon request. Bottom line: it is mandatory.
2. “I can’t afford being compliant.”
Yes, you may need to spend money to bring your practice up to speed on HIPAA Compliance. If you think you can’t afford to implement what needs to be done in order to be compliant, do the math and think again: The HITECH Act substantially increased civil penalties for non-compliance with HIPAA Policies, from $25,000 a year to a whopping $1,500,000 a year (yes, there are two commas in that number) – per violation. On top of that, willful neglect or failure to comply results in mandatory investigations and penalties, and an investigation can be started by any complaint, breach, or discovered violation.
3. “It can wait – my practice is too busy.”
The compliance date has passed, so no, it cannot wait. All Covered Entities, including medical and physician practices, clinics, and hospitals, as well as their Business Associates, must update their HIPAA policies, procedures, forms, and Notices of Privacy Practices and otherwise implement the changes required by these regulations as soon as possible. Here are some key dates to keep things in perspective:
The Newest HIPAA Rules (Omnibus) Key Dates:
- September 23, 2013: Covered Entities must comply with most of the new Omnibus Rules’ provisions.
- September 25, 2013: Disclosures of PHI become subject to the new restrictions on sale of PHI.
- September 22, 2014: Covered Entities must bring all of their Business Associate Agreements (“BAAs”) into compliance with the Rules; the new Rules also apply this requirement to Business Associates’ agreements with their covered subcontractors.
4. “It only matters for larger organizations and serious breaches.”
New breach rules will increase the number of HIPAA violations that are determined to be Breaches. The recent federal Omnibus ruling expands the definition of a breach, and failure to address a breach properly and provide the required notifications can trigger federal investigations and eventual fines and penalties.
5. “I am not a doctor, I should not worry about HIPAA compliance.”
With the recent Omnibus ruling, Business Associates are now required to be HIPAA Privacy and Security Compliant, while Covered Entities are responsible for ensuring their BAs are compliant.
6. “I am a doctor, my Business Associates’ HIPAA compliance is their problem.”
It is no longer just a matter of minding your own business. With the recent Omnibus ruling, Business Associates are now required to be HIPAA Privacy (if applicable) and Security Compliant, while Covered Entities are responsible for ensuring their Business Associates are compliant.
7. “There are so many healthcare practices, they can’t possibly police everyone!”
As a recent public announcement from the Office for Civil Rights indicates, they are stepping up hiring for HIPAA compliance activities: the Division of Health Information Privacy enforces the HIPAA Privacy and Security Rules and the confidentiality provisions of the Patient Safety and Quality Improvement Act.
OCR (Office for Civil Rights) is hiring experienced staff in privacy and security compliance and enforcement, as well as in the areas of policy, outreach, and health information technology systems.
8. “HIPAA rules are still new – enforcers are not ready.”
The Federal government has expanded the reach of HIPAA by enlisting State Attorneys General. In 2011, HHS began a training program for state Attorneys General, who now have the power to enforce the Data Breach laws.
9. “My staff and I know enough about HIPAA.”
Unless you attended HIPAA training, you probably don’t. And unless you are a full-time, security-focused IT professional, you probably are not familiar enough with the computer technology to comply with the Security Rule. All clinicians and medical staff who access PHI must be trained on proper HIPAA procedures on a regular basis. In addition to being trained, you also must keep proof: documentation of the training provided is required to be kept for six years.
10. “It’s not going to happen to me.”
It’s an oldie but a goodie. We all rely on the “it is not going to happen to me” mantra in life from time to time. Do you think the people on the HIPAA Breach List (also known as the HIPAA Wall of Shame) had the same idea? Check the names on that list, take the number of individuals affected (each one counts as a “violation”), and do the math: number of individuals affected x monetary penalty per violation + your patients’ broken trust = your bank account is emptied and you are out of business.
11. “My Lawyer/Colleague/Computer guy tells me we don’t have to be compliant because of reason X.”
Get a new lawyer, colleague, or computer guy. If your practice has anything to do with patient data, you, your practice, and your Business Associates are accountable and must be compliant, period.
12. “OK, I am convinced… but I don’t know how to go about HIPAA compliance, I’ll never get ready!”
Don’t worry. That’s what we are here for – not just us at Computer Networks, Inc., but many trusted IT companies and advisers. If your computer support company cannot give you a solid answer on what needs to be done in your practice to make it HIPAA compliant, search for a reputable IT company in your area.
NOTE: This information is provided to you by Computer Networks, Inc. for educational awareness. The actual Code of Federal Regulations is about 500 pages, so this is not a complete guide to compliance.
Please call us 757-333-3299 Ext. 200 or fill out the form at the top of this page if you suspect your medical practice may not be HIPAA compliant and you would like to discuss our HIPAA Risk Analysis Services.