Five frequently overlooked mistakes in HIPAA compliance
HIPAA regulations can be confusing and often healthcare entities overlook certain HIPAA regulations. Read this blog post to learn about the 5 most frequent tripwires.
HIPAA was enacted in 1996. In the years since, most healthcare entities have adapted to the major requirements imposed by HIPAA, HITECH and the Privacy and Security Rules. Nevertheless, the thicket of regulations still leaves some traps for the unwary. Here are the most frequent tripwires.
First, the goal of HIPAA is integrity and availability of records along with confidentiality. For workflow or other reasons, hospitals or other covered entities are often reluctant to share patient records.
With the exception of certain specific carve-outs, such as psychotherapy notes, this violates HIPAA. Patients are entitled to their records. Compliance programs must accommodate this legal reality.
Second, HIPAA requires that disclosure of healthcare records be minimized to the extent necessary to accomplish the objective. In other words, a contractor or other entity with access to personal health information is only entitled to those data points necessary to perform its function (e.g. names and addresses).
For practical purposes, a technical solution is not always available — a covered entity may have a single computer system, and cannot realistically reconfigure it for every purpose.
In such instances, however, compliance may not be left by the wayside. It must be accomplished by alternative means, such as administrative safeguards. For example, a covered entity and business associate may contractually agree to limit access, and combine this restriction with random audits to ensure compliance.
Third, the requirement of minimal disclosure also extends to individual employees and contractors. They are entitled only to those records they need to perform their job functions.
Of course, in the real world those functions continually evolve. Employees often switch roles, go on leave, rotate to different units or complete the tasks that entitled them to access in the first place.
Yet access is rarely calibrated to fluctuating business needs. Excessive access is a regulatory risk. Any compliance program needs to regularly reassess employee access. It must adjust PHI access rights to conform to current responsibilities.
Fourth, HITECH and the Security Rule require a security assessment and the institution of safeguards to protect against reasonably anticipated disclosure. They also require that all business associates be bound to adhere to the safeguards program.
The Business Associate Agreement needs to specifically incorporate this requirement. Technically, the failure to do so, even in the absence of a breach, is a violation. Yet many covered entities overlook this requirement.
If the business associate is unwilling to accommodate the requirement, the covered entity needs to evaluate the contractual arrangement, ensure that it meets the identified security criteria, and document the basis for this determination.
Finally, the healthcare sector is consolidating. The acquisition and consolidation of practices results in transition periods where the successor entity has multiple sets of PHI records under multiple compliance regimes.
The result is a program that is either incomplete, incompatible, or is otherwise deficient. This is a serious regulatory risk. While a seamless transition may not be possible, incorporating compliance into the succession plan at the earliest possible stage is the prudent approach.
None of these five steps requires mastery of particularly arcane aspects of the HIPAA regulatory scheme. Yet covered entities and business associates regularly stumble on them. Each of these pitfalls is easily remedied. In compliance, as in medicine, an ounce of prevention is worth a pound of cure.
SOURCE: Gul, S. (2 August 2018) "Five frequently overlooked mistakes in HIPAA compliance" (Web Blog Post). Retrieved from https://www.employeebenefitadviser.com/opinion/five-frequently-overlooked-mistakes-in-hipaa-compliance
How to Prepare for a HIPAA Audit
Original post: benefitnews.com
The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced it will be launching phase two of the Health Insurance Portability and Accountability Act (HIPAA) audit program. Advisers can help clients prepare by updating policies and procedures, among other steps.
HIPAA provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs, reduces healthcare fraud and abuse, mandates industry-wide standards for healthcare information in electronic billing and other processes, and requires the protection and confidential handling of protected health information.
HIPAA established national standards for the privacy and security of protected health information, and the Health Information Technology for Economic and Clinical Health Act (HITECH) established breach notification requirements to provide greater transparency for individuals whose information may be at risk.
HITECH requires OCR to conduct periodic audits of covered entity and business associate compliance with the HIPAA privacy, security and breach notification rules. OCR conducted its initial audits in 2011 and 2012 to assess the controls and processes implemented by 115 covered entities to comply with HIPAA.
Phase two of the audit will focus on any covered entity and business associate. OCR will identify pools of covered entities and business associates representing a wide range of healthcare providers, health plans and healthcare clearinghouses.
Roy Bossen, partner at Hinshaw & Culbertson LLP, says the law firm he works for is considered a business associate because the firm deals with cases under medical malpractice.
“When we defend a hospital or a doctor, we have access to Protected Health Information (PHI),” Bossen says. “There is a requirement in HIPAA for what a business associate must do to protect [PHI] as well.”
Bossen says there is not a specific penalty for not passing the audit; however, an entity or business associate could face possible fines for failure of the audit.
“The next phase of the audit will be called a compliance review,” he says. “[Entities and business associates] will require a more in-depth review of what their policies and procedures are, and that could theoretically lead to fines and penalties.”
Bossen stresses that it is important for employers to determine whether they are a covered entity or business associate, or whether the audit even applies to an employer’s business. An employer that operates its own plan would be considered a covered entity.
Advisers and brokers can assist their clients by making sure employers’ policies and procedures are up to date, while also making sure the employer’s practices match up with those up-to-date policies and procedures.
“It is not uncommon in any field to have a great policy manual that’s in a nice binder on a shelf or an email document that gets sent out, but nobody practices the organization of what their policies and procedures stipulate,” Bossen says.
The HIPAA phase two audit program will begin in the next couple of months. Should a covered entity or business associate be contacted for a desk audit or an onsite audit, both audits can take up to 10 days to be reviewed, and the auditor will have the entity’s final report within 30 business days.