The first round of HIPAA audits by the US Department of Health & Human Services (HHS) Office for Civil Rights (OCR) found that providers are still not doing some of the most basic tasks required by the law. More than half of those audited failed to complete a risk assessment, a main tenet of HIPAA. Many are not addressing weaknesses found in a risk analysis. And others still do not have business associate agreements in place with required vendors.
Many important parts of HIPAA, such as a risk analysis, are part of the security rule. But Jay Hodes, president and founder of the Burke, Virginia-based Colington Consulting, said the less-complex privacy side is also befuddling to many providers.
Building a policy
Along with electronic data requests, Hodes likes to see privacy officials’ contact information clearly available on the form. “If a patient has a complaint, you want to try to handle it at the practice level,” he said. “Because if you aren’t in the HIPAA database, a complaint will put you there.”
When practices have concerns about their privacy notice, Hodes sends them a link to the HHS, which has a customizable policy that covers everything needed since the omnibus changes.
Don’t ask, don’t tell
Physicians also continue to have issues when it comes to the minimum necessary standard. To meet this, providers should only be sharing the smallest amount of information with others needed to do their job.
For instance, can you or a nurse have a conversation in the hallway or elevator about a patient? If you are talking specifically about payment, treatment or operations, then yes. Are you complaining to a colleague about a patient’s attitude? That is not permissible under HIPAA.
“If conversations need to take place, you have to be cognizant that people around you can hear them,” Hodes said.
Although some doctors talk too much in the office, many err by having too much caution when it comes to disclosing information to patients and families. To follow HIPAA, some providers refuse to give any information.
Physicians need to understand the difference between permitted and authorized disclosures, Hodes said. A permitted disclosure is information you can give a patient or family member when exercising professional judgment for treatment or payment purposes. Anything else needs authorization.
When you do give out authorized information, you are required to have some sort of tracking mechanism. You need to be able to account for 6 years of disclosures. Hodes recommends some form of computerized or manual tracking to avoid having to sort through a thousand patient records should you be audited.
In case of emergency
Hodes tells his clients if something is required under HIPAA, they cannot just ignore it or say it is not applicable to their organization (something done by many small practices).
One example is a plan for emergency mode operations. A urology office cannot just claim they do not provide critical care services; this only applies to hospitals. Instead, they need something in writing saying if a problem does arise, the policy from their contingency plan will be implemented. This contingency may be something as simple as referring patients to another physician until your system is up and running again.
“I would rather an organization have a process that can be demonstrated than one that says, ‘No we don’t do any of that,’” Hodes said. “You need to understand the point of the requirements and make sure your organization is trying to comply.”
Where to find help
A vast majority of breaches continue to be caused by human error, such as losing a laptop or inappropriately disclosing information. It is not that providers do not want to follow the rules; many still do not understand them. But with all of the information, resources, and consultants available to help physicians comply, lack of knowledge will not be a viable excuse much longer.
HHS has revamped its website and is working to make it easier to navigate. The site has information to answer questions about nearly any section of HIPAA. It offers training, tools, and resources on everything from security and privacy to IT and business associates.
Kathy Downing, senior director of IGAdvisors consulting service at the American Health Information Management Association in Chicago, said risk assessment continues to be a top priority for OCR. This has been a challenge particularly for smaller organizations that do not have adequate assessments or are not performing them at all. To help remedy this, HHS has a tool and videos to guide providers through the risk assessment process available on its website.
Incident and breach management is another space where providers have not prepared for the worst, Downing said. AHIMA offers a breach management toolkit online that offers step-by-step information on planning, implementing and maintaining a breach management process. It also provides information on things like choosing operational roles and individual responsibilities and solutions for breach mitigation.