HIPAA is nothing new to most providers, but nearly 2 decades after its passage, many physicians still struggle to comply. David Zetter, president of Zetter HealthCare, in Mechanicsburg, Pa., is offered outdated business associate agreements even today that do not comply with updated regulations. “The government is just pushing all of these regulations and requirements, and no one is able to keep up with this stuff,” he said.
Many groups seem to have an understanding of the privacy rules, but security, he said, still trips up some practices. And it is likely not going to be auditors knocking on your door if something goes wrong. “It’s the disgruntled employees out there who are the ones who know what is going on in the practice and will report you,” he said. “All you need is 1 person to say ‘We don’t do any HIPAA training.’”
Many small practices fall short on requirements because they do not have the resources to comply. Larger practices spend fortunes trying to avoid risk. Zetter said there is a place somewhere in the middle where smaller groups can cover their bases without breaking the bank. Zetter offers the following 3 tips that may take a little leg work, but will help with compliance in an affordable way.
A simple, cost-effective undertaking is staff training. Because it is available online, it is easier than ever to meet this requirement. HIPAA Secure Now! offers it, as well as groups like Thomson Reuters. Zetter’s firm has an agreement with Healthcare Compliance Pros, headquartered in Salt Lake City, Utah, an organization that gives a dramatic discount for Zetter’s clients. A benefit of going through a group like Compliance Pros is it offers an online way to track compliance. A group can verify when training has been completed, get reminders when it needs to be done and get newsletter updates on compliance issue. “Every client loves it because they don’t have to think about it,” Zetter said.
A second option for a low-cost solution is a vendor that provides a risk assessment and prepares policies and procedures. Zetter said these organizations provide relatively generic boilerplate documents that are able to be adapted for various practices.
This documentation is not only required, but it shows the organization has made efforts to be compliant, which is important should a breach occur. Zetter refers his clients to EHR 2.0, a group that provides tools so organizations can perform a risk analysis and create other documentation. Other groups that perform similar documentation assistance are HIPAA Secure Now, which has a $399 package for practices with 10 or fewer employees (security training and compliance testing are included as well).
Documentation of a risk analysis is also required when attesting for meaningful use. Practices can spend money just once to have an analysis done that will last for years. When a good analysis has been created, in consecutive years, the organization can provide full minutes of a security committee meeting that updates the plan and ensures it continues to meet the needs and risks of the practice. Detailed notes from that meeting will be enough for attestation.
“It is money well spent,” Zetter said. “I have a client that spent $5,000 in 2011 to do a risk analysis and have never had to call the vendor back out.”
The client sits down once a year during attestation to go through each requirement and verifies it is still in place and appropriate for the practice’s needs. If not, the practice must show it has made changes or addressed issues with the IT vendor. The minutes from that meeting satisfies their attestation each year.
A risk analysis along with policies and procedures can run $1,000 for smaller organizations. That number, spread out over a handful of years, is a small amount of money, considering some organizations spend “$200 a year on staff lunches,” he said.
“It could bankrupt a smaller practice if they have a breach that affects more than 500 patients,” Zetter said. “They have to notify the government, and don’t think for a minute they won’t come in. That’s what their auditors are being used for. It’s a PR disaster as well.”
A final low-cost solution Zetter offers is using mistakes as form of training. If a staff member says protected health information loudly in a place where others can hear it or someone faxes a document to the wrong number, turn those into ongoing learning experiences for the rest of the staff.
Walk people through the correct faxing procedure. Have senders verify fax numbers, look at documents to make sure they are for the right patient and have another person look the documents over to make sure they are correct.
“You don’t have to report it (if it affects fewer than 500 patients), but let staff know what happened, how they fixed it and use it as an educational tool,” Zetter said. “Use those mistakes to ensure they don’t happen again.”