As 2018 gets underway, experts offer advice on some important issues related to HIPAA compliance. One issue is patient access to medical records. Kathy Downing, vice president of information governance and standards at the American Health Information Management Association, said her organization receives many complaints from patients who have trouble obtaining their medical information even though the right of access has been in place since 2003. This area is what Downing calls “super low-hanging fruit on the HIPAA tree.” If patients request records, there is no need to make them wait 30 days. If the records are stored electronically, practices should allow patients to receive their information in that format.
“The reason this is important is because in a lot of the cases, patients may be seeing multiple providers for chronic conditions, and having their chart allows them to be more engaged in their care,” she said. “It’s an important patient right, and important for population health and patient engagement.”
By giving patients their records, providers are also allowing them to do a quality review to ensure their information is correct. Electronic medical records commonly contain errors, mainly because of copying and pasting of data, Downing said.
If physicians are uncomfortable talking with patients about information in their charts, she recommends that practices appoint a nurse who can deal with patient queries. Portals can also be a good resource to guide patients through their information. If someone has been diagnosed with prediabetes, for instance, a portal can provide links to trusted online sources that can answer patient questions.
Another HIPAA-related question facing medical practices this year is the Office for Civil Rights’ (OCR) approach to HIPAA enforcement. Michael Bossenbroek, a partner at Wachler & Associates, P.C. in Royal Oak, Michigan, listened to remarks at a HIPAA conference last fall from the new OCR director. OCR might be striking a different tone as a new administration takes the reins. “How they balance the objectives of education and compliance with enforcement remains to be seen,” Bossenbroek said.
The OCR director gave no specifics, Bossenbroek said. Whatever approach emerges from OCR, as before, providers need to ensure they have the basics completed, with a risk analysis performed and solid policies and procedures in place.
Chris Apgar, CEO and president of Apgar & Associates LLC, in Portland, Oregon, said OCR has made it clear there will be continued enforcement activity in the coming years. No one is immune from them, he said. He recently worked with a small entity that had their wrists slapped by OCR. He helped them prepare a response, and when they failed to follow through with their plan, he had to mediate between the organization and OCR.
“If you respond to OCR in an appropriate and timely manner and follow through, they go away,” he said. “If you don’t, they stick around. They are not going away.”
Shortage of security talent
Health care organizations will continue to face a shortage of information technology (IT) security talent in 2018, Apgar said. A report released this past summer by the US Department of Health and Human Services found that 3 out of 4 hospitals do not have a designated IT security professional.
Larger organizations are better able than small groups to afford hiring IT talent, which can be expensive, Apgar said. But smaller organizations, which often delegate IT security to office staff who are already busy with other tasks, have options. Apgar recommends looking for students graduating from information security programs and bringing them on board as interns. Small groups do not require the same kinds of security setup that a Cleveland Clinic or Kaiser might need, and young individuals can help build and run systems. Organizations can grow a position with them when they are new in the field, although these individuals could leave when they become seasoned and expect a higher salary.
With OCR increasingly scrutinizing and auditing business associates, it is important for practitioners to ensure their vendors are compliant. Apgar said the vendors he works with are increasingly motivated to do this for fear of losing customers. These customers – health care practitioners – are demanding proof of compliance.
To better understand a vendor’s compliance, providers can request policies and procedures and ask to see their risk analysis and any other pertinent documentation. Some ask that vendors fill out a security questionnaire. Others go even further. Groups like Apgar’s company can act as a third party to conduct a risk assessment, then attest in writing that a vendor has either mitigated or accepted risks found in the analysis.
For a hospital or larger clinic, it used to cost anywhere from $75,000 to $100,000 for a tool that would automatically monitor audit logs and send alerts if an anomaly is found, Apgar said. Over the past couple of years, new options have hit the market that lowered the cost to $35,000 or less, which is a game changer for HIPAA compliance, he said.
“As more technology becomes affordable, there is a higher likelihood that regulatory bodies will push back and say providers have to use it,” Apgar said. “If a hospital is generating and not regularly reviewing audit logs, they will look negligent to regulators.”
Technology tends to move with the needs of the market. For instance, as cyber crime has become increasingly prevalent, tools have been developed and marketed to prevent attacks. Some tools look both internally and externally in a network to see if unusual behavior is occurring, and send an alert if any anomaly is found.
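To make the audit-log review that Apgar describes concrete, here is an added example (not code from the article, from Apgar & Associates, or from any commercial monitoring product) of the kind of rule-based check a small practice could run over its EHR access logs. The CSV log format (timestamp, user, patient ID, action), the log lines themselves, and the care-relationship table are all constructed for the example; a real system would pull these from the EHR's audit trail and scheduling data.

```python
"""Rule-based review of EHR access audit logs (added example, constructed data).

Three checks a HIPAA audit-log reviewer commonly wants:
  * after_hours      - a record was accessed outside business hours
  * no_relationship  - a user opened a record of a patient not assigned to them
  * volume           - a user touched more distinct patients than expected
The log format and thresholds are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: timestamp,user,patient_id,action
SAMPLE_LOG = """\
2018-01-08T09:12:04,nurse_a,P1001,view
2018-01-08T09:40:19,nurse_a,P1002,update
2018-01-08T09:05:00,dr_b,P1003,view
2018-01-08T10:00:10,clerk_c,P1001,view
2018-01-08T10:01:10,clerk_c,P1002,view
2018-01-08T10:02:10,clerk_c,P1003,view
2018-01-08T10:03:10,clerk_c,P1004,view
2018-01-08T10:04:10,clerk_c,P1005,view
2018-01-08T23:31:42,dr_b,P1002,view
"""

# Constructed care-relationship table: which patients each user may access.
ASSIGNMENTS = {
    "nurse_a": {"P1001", "P1002"},
    "dr_b": {"P1003"},
    "clerk_c": {"P1001", "P1002", "P1003", "P1004", "P1005"},
}


def parse_log(text):
    """Turn the CSV text into a list of event dicts with parsed timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, user, patient, action = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "patient": patient,
            "action": action,
        })
    return events


def find_anomalies(events, assignments, max_distinct_patients=3,
                   business_hours=(7, 19)):
    """Return a list of (rule, user, detail) tuples worth a human's review.

    business_hours is a half-open [start, end) range of local hours.
    """
    alerts = []
    patients_per_user = defaultdict(set)

    for e in events:
        patients_per_user[e["user"]].add(e["patient"])

        # Rule 1: access outside the configured business-hours window.
        start, end = business_hours
        if not (start <= e["ts"].hour < end):
            alerts.append(("after_hours", e["user"],
                           f"{e['patient']} at {e['ts'].isoformat()}"))

        # Rule 2: access to a patient the user has no documented relationship with.
        if e["patient"] not in assignments.get(e["user"], set()):
            alerts.append(("no_relationship", e["user"],
                           f"{e['action']} on {e['patient']}"))

    # Rule 3: unusually broad access by one account.
    for user, patients in patients_per_user.items():
        if len(patients) > max_distinct_patients:
            alerts.append(("volume", user, f"{len(patients)} distinct patients"))

    return alerts


if __name__ == "__main__":
    for rule, user, detail in find_anomalies(parse_log(SAMPLE_LOG), ASSIGNMENTS):
        print(f"ALERT {rule:16} user={user:8} {detail}")
```

The thresholds are deliberately simple so the logic is easy to audit; in practice the volume rule would use a per-role baseline (a registration clerk legitimately opens far more records than a physician), and the alerts would be written to a ticket or SIEM rather than printed. The point is that even a script this small turns "we generate logs" into "we regularly review logs," which is the distinction Apgar says regulators care about.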
Keeping track of technology as it becomes more affordable is not always simple. Apgar said providers can look at IT newsletters and check with their state associations to stay atop of new and affordable tools coming on the market.