HIPAA (Health Insurance Portability and Accountability Act of 1996) regulations are more stringent now than ever before. Healthcare Technology is an ever evolving piece of the puzzle where providers need to make sure their staff have appropriate access, but use that access within the confines of their daily duties. And with many practices outsourcing some or part of their business, this task becomes even harder.
Formal complaints are one way providers can come under scrutiny. According to HSS.gov, between April 2003 – February 2016, there have been a total of 35,081 complaints investigated. Of those, only 31% were found to have actually had no violation.
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/numbers-glance/index.html.
There are several moves providers can make to help them become more “audit-proof.”
1. Make sure users have appropriate access to areas of the EHR that are relevant to their job function.
2. Make sure you have readily available all Business Associate Agreements (BAA’s) with all vendors you work with that access patient data. Likewise, make sure you know which vendors need to sign BAA’s and which do not.
3. Make sure you have done a security risk assessment recently and if you have not done one, make it a priority. This is a key factor in many cases against providers being investigated. This includes knowing where and how your patient data is stored.
Of course none of these are bulletproof. At the end of the day, you cannot monitor every single user accessing accounts. But be aware of small breaches. These are more common than grand scale breaches, but are usually a sign of a more systemic compliance issue. Some of these small breach examples include leaving paperwork with patient data out on a desk in plain view in a common area, not releasing requested information in a timely manner to patients and releasing information to someone not approved on the patient’s signed HIPAA form. These are easy mistakes to make in the rush of a busy workday, but are critical to preventing complaints or costly fines to your practice or business.
With OCR (the HSS Office of Civil Rights) becoming more involved with investigations and random audits, now is the time to make sure you have done everything you can to protect your practice and your business.