Shortly after the Health Insurance Portability and Accountability Act (HIPAA) was implemented, David Zetter was at a doctor’s office helping the group build a compliance plan. He was in the back of the practice training some of the staff when the receptionist walked in and handed him a piece of paper.
The note was from a patient saying she could see everyone’s names and files at the front desk and she knew that was a HIPAA violation.
More than a decade later, HIPAA compliance has become ingrained: Files are not left out in the open, patient information is not improperly disclosed, and doctors do not leave health-related messages on answering machines. It is routine to have every patient sign a HIPAA release and go about your business.
But compliance is not a one-and-done activity as much as an evolution of rules and procedures. Compliance gurus bet there are at least a few things physicians are not doing to comply with HIPAA.
Make a plan
One main thing that practices should have is a compliance plan, but many do not, said Zetter, founder of Zetter Healthcare Management Consultants. “They buy a cheap manual off of the internet and think that works,” he said. “But it cannot be implemented that way; it wasn’t set up for your practice.”
Even state medical societies sell how-to manuals, but Zetter said such a manual is only a document meant to guide you through creating a compliance plan, not the plan itself.
Sample HIPAA compliance plans and instructions for completing one can be found online. The Massachusetts Medical Society provides a document with a checklist and tips to help doctors develop their own documents.
The second thing that needs to be completed is a gap analysis. A gap analysis is used to determine what the organization is doing and what it should be doing. Zetter said an office needs to take each section of the regulation, see what is required and compare it with what is being done. Detailed information on creating a gap analysis can be found on the North Carolina Department of Health and Human Services website.
Once gaps are identified, it is important to find ways to mitigate the potential problem areas. Physicians can do this by performing a risk analysis, which provides the basis for developing ways to cover themselves if an information breach should occur.
A risk analysis can arrive at whether there is a low, medium, or high risk of a HIPAA violation occurring, Zetter said. The greater the risk, the more resources are needed for prevention. All of this should be documented.