January, 2017
Is Your Practice a Haven for HIPAA Violations?
By Ronald Short, DC, MCS-P

HIPAA: five simple letters that are responsible for a great deal of confusion, even after all these years. The first step to avoiding violations is to understand exactly what you are responsible for under the provisions of HIPAA. There are currently three main rules in HIPAA that "covered entities" and "business associates" need to be concerned with: the HIPAA Privacy Rule, the HIPAA Security Rule and (if appropriate) the HIPAA Breach Notification Rule.

You are a "covered entity" if you "transmit any health information in electronic form in connection with a transaction for which Health and Human Services has adopted a standard." A "business associate" "is a person or organization, other than an employee of a covered entity, that performs certain functions on behalf of, or provides certain services to, a covered entity that involve access to PHI."1 For a practice, that typically means a billing service, an IT vendor who can log in to your server, or a cloud backup provider; each of them must sign a business associate agreement before they touch PHI.

Let's review each of these rules and discuss how you can avoid violations.

One thing I should mention before I get into the details is that I am often asked about chiropractic-specific HIPAA requirements. There are none. Keeping PHI private applies equally to everyone, whether a chiropractor, dentist, medical clinic, nursing home, pharmacy, or even a health insurance company. The same applies to the HIPAA Security and Breach Notification Rules.

HIPAA Privacy Rule
All of your HIPAA privacy policies need to be written and placed in a manual that you have available in your office. You need to train all new staff on the rules, policies, and procedures within a short time of hiring them, retrain any staff member whose duties are affected whenever a policy changes, and, as a matter of good practice, retrain all existing staff at least annually. You also need to keep documentation of when the training was conducted, who attended and what was discussed; the Privacy Rule requires that this documentation be retained for six years.

Important Ways to Avoid HIPAA Privacy Rule Violations
HIPAA Security Rule

"The Security Rule specifies safeguards that covered entities and their business associates must implement to protect the confidentiality, integrity, and availability of Electronic Protected Health Information (ePHI)."1 The start of this process is conducting a Security Risk Assessment (SRA), which the rule itself calls a risk analysis. The SRA will help you identify where ePHI is created, received, stored and transmitted in your practice, the threats to it, and the probability and impact of each threat, so that the risks can be ranked. (You can find a Security Risk Assessment tool at www.healthit.gov/providers-professionals/security-risk-assessment that will greatly assist you in this effort.)

Once the risks have been identified, the rule gives you three categories of safeguards for ePHI: administrative safeguards, physical safeguards, and technical safeguards. Administrative safeguards include security management processes, sanction policies, workforce security, security awareness and training, contingency plans, and business associate contracts and other arrangements. Physical safeguards include facility access controls, maintenance records, workstation use and security, and device and media controls. Technical safeguards include access control, automatic log-off, audit controls, person or entity authentication, integrity controls, and transmission security (for example, encrypting ePHI before it is sent over the Internet).

Your written policies and procedures should include all safeguards necessary to mitigate the risks identified in your SRA. These policies and procedures should be taught to your staff and the training should be documented. The Security Risk Assessment should be repeated at least annually, and again whenever something material changes (a new EHR system, a new server, a new office), to ensure no new risks have emerged and the policies and procedures in place are still effective. Staff training should be repeated annually. Keep the paperwork: the Security Rule requires that your policies, procedures and the records of actions taken under them be retained for six years.

Important Ways to Avoid HIPAA Security Rule Violations
HIPAA Breach Notification

"Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information."2 Since the 2013 Omnibus Rule, an impermissible use or disclosure of PHI is presumed to be a breach unless you can show, through a documented risk assessment, that there is a low probability the PHI has been compromised. Notification is only required for unsecured PHI; PHI encrypted in line with HHS guidance is not considered unsecured, which is one of the best reasons to encrypt laptops, phones and backup media.

If a breach occurs, you are required to notify the affected individuals, the Department of Health and Human Services, and, in some cases, the media. The clock starts on the day the breach is discovered (or reasonably should have been discovered), not when your investigation ends. If the breach involves fewer than 500 individuals, you must notify the affected individuals without unreasonable delay and no later than 60 days after discovery. You report such breaches to the Department of Health and Human Services in an annual log, submitted within 60 days after the end of the calendar year in which they were discovered, and the media is not required to be notified. If 500 or more individuals are involved, you must notify the affected individuals and the Department of Health and Human Services within 60 days of discovery, and also notify prominent media outlets serving a state or jurisdiction when more than 500 residents of that state or jurisdiction are affected. A business associate that discovers a breach must notify the covered entity, which remains responsible for the notifications above.

Important Ways to Avoid HIPAA Breach Notification Rule Violations
The HHS Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules. It does this by investigating complaints filed with the office, conducting compliance reviews to determine whether covered entities are in compliance, and performing education and outreach to foster compliance with the rules' requirements. OCR can impose civil money penalties or negotiate resolution agreements with corrective action plans, and it works in conjunction with the Department of Justice (DOJ), to which it refers possible criminal violations of HIPAA.

Major HIPAA Errors

There are four major ways doctors mess up on HIPAA. The first is that they do not take it seriously and take no action at all. The second is that they borrow a privacy policy from a colleague and implement it as their own without doing anything else. The third is that they purchase a HIPAA manual, put it on their shelf without even reading it, and think they are protected. The fourth is that they purchase a manual and only do part of the necessary work. There are many good HIPAA manuals on the market today that will make HIPAA compliance easier, but they must be read, and all sections completed, for them to be effective. Otherwise, they are as useless as doing nothing.

References
Dr. Ronald Short is a certified medical compliance specialist and a certified professional coder. He has authored numerous books on Medicare, including The Medicare Documentation System. He also teaches seminars on Medicare, coding, billing, documentation and compliance. You can contact him at . More information about this and other Medicare topics is available at www.chiromedicare.net.