During our years in the healthcare industry writing, managing and maintaining policies and procedures, we have regularly been reminded of the importance of HIPAA compliance and the benefits of certain certifications. At PolicyMedical, we therefore advise our clients to check whether they are complying with these regulations so that they avoid potential issues. That is why it is important to have a robust yet simple policy and procedure management solution to help manage documents and minimize the risk of falling out of step with HIPAA. You may find PolicyManager a useful tool for managing your policy and procedure manuals, or you may find that another vendor has a better offering; we’ll leave that up to you. The important thing is to use whatever works best to ensure your healthcare organization complies with all HIPAA regulations.
Breaching HIPAA Rules
In November 2012, the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) received complaints alleging that employees at a large Boston-based medical center had put the protected health information (PHI) of about 500 patients at risk. They had implemented a web-based document sharing application to store documents containing the patients’ PHI without first analyzing the risks associated with the platform. The OCR’s investigation determined that the hospital had failed to comply with Health Insurance Portability and Accountability Act (HIPAA) rules protecting the patients’ information. In July 2015, the medical center agreed to pay $218,400 to settle the alleged HIPAA violation and to implement a corrective action plan for its HIPAA compliance program. A better policy management system could have prevented this.
Impact of HIPAA Violations
In hospitals and healthcare facilities around the country, the number of HIPAA violations is steadily increasing. In fact, since 2012, the number of HIPAA violations has increased by an incredible 138%. A major contributor is the ever-increasing number of electronic medical record (EMR) systems being implemented in hospitals and healthcare facilities. It is unlikely that EMR will be going anywhere anytime soon, so it is imperative for hospitals to take HIPAA compliance very seriously.
The Health Insurance Portability and Accountability Act is a federal law governing the use, storage, and dissemination of patients’ protected health information. The law applies to any organization with access to health information, including health care providers, health plans, and healthcare clearinghouses. The Act requires these covered entities to perform a periodic technical and non-technical evaluation to determine whether their policies and procedures meet the stated requirements. Though not required, many hospitals opt to hire an external organization to train staff members and assist with the evaluation. This process of ensuring HIPAA compliance is useful; however, it does not prevent HHS from finding violations during a subsequent audit.
What is HIPAA?
- Portability – Ensures that individuals are able to maintain their health insurance between jobs, and addresses issues such as pre-existing conditions.
- Accountability – Ensures the privacy and security of patient information and outlines the standards for electronic data transmission of patient health information.
Two important provisions of HIPAA are the HIPAA Privacy Rule and the HIPAA Security Rule. The HIPAA Privacy Rule establishes a set of national standards to protect individuals’ medical records and other personal health information. It defines how individuals will be informed of uses and disclosures of their medical information, and requires that consent be obtained before this type of information is shared. The Rule also gives patients rights over their health information, including the right to obtain a copy of their health records and to request corrections. The Security Rule establishes a national set of standards for protecting health information that is stored or transferred electronically. The Security Rule operationalizes the Privacy Rule by addressing the protections that covered entities must implement to secure individuals’ electronic protected health information (e-PHI).
The Department of Health and Human Services’ official rules specify who needs to be HIPAA compliant. The following is a detailed list of these covered entities:
- Healthcare providers, including hospitals, clinics, regional health services, and individual medical practitioners that carry out transactions electronically
- Healthcare clearinghouses, including billing services, community health information systems, and value-added networks that process nonstandard data elements of health information into standard data elements
- Health plans, including insurers, HMOs, Medicaid, Medicare prescription drug card sponsors, flexible spending accounts, public health agencies, in addition to employers, schools or universities that collect, store or transmit e-PHI
- The business associates of the aforementioned entities, including private sector vendors and third-party administrators
In reality, HHS does not formally recognize any HIPAA certification program; HIPAA is only concerned with compliance. Many use the terms certified and compliant interchangeably, but this is incorrect. HIPAA certified means that your organization has undergone training or an evaluation by a third-party organization covering HIPAA rules and regulations. Compliant means that your organization has put policies and procedures in place that meet HIPAA requirements and that all staff consistently abide by them. Neither certification nor compliance precludes HHS from finding violations during inspections and audits.
Although HIPAA certification is not required, it has many benefits. Becoming HIPAA compliant can be a daunting task: the Act can be difficult to navigate and comprehend due to its age, length, frequent updates, and wide scope. Obtaining HIPAA certification is an extra step that covered entities can take to confirm that they have the systems and processes in place to properly safeguard PHI and meet HIPAA requirements. Working with a HIPAA compliance specialist also gives you the opportunity to ask specific questions, and he or she can help you identify potential violations you may have been unaware of.
All organizations that work with Protected Health Information (PHI) must pursue HIPAA compliance, and to help achieve it they may choose a reputable company that offers compliance training at the desired level. HIPAA 101 courses offer basic knowledge, while privacy and administrator certifications dig deeper into the handling and storage of data and files. Some companies offer online training, while others require that you travel to their offices. Many training companies will deliver the training at your hospital or healthcare organization if you would like to train a large number of employees.
It is clear that HIPAA violations can be extremely damaging to healthcare organizations, their employees, and most importantly, their patients. Not only are HIPAA violations costly, but they are also detrimental to a hospital’s reputation and trustworthiness. As cloud computing continues to gain popularity and utility in healthcare, HIPAA concerns are likely to persist. In order to reduce potential risks and vulnerabilities, it is imperative that proper policies and procedures are in place and that all employees fully comprehend and abide by them. Although HIPAA certification is not a requirement from HHS, it is an extra step that hospitals and other covered entities can take to ensure compliance.
At PolicyMedical, we firmly advocate that all healthcare providers use a good policy management system to help them comply with HIPAA and minimize the breaches that might otherwise occur. Our offerings may be the perfect fit for your healthcare facility’s need for a robust policy management system, or you may find that another vendor has a better solution. Regardless, we would be more than happy to help you come to the right decision, so please do not hesitate to contact us. You can also book a demo to see PolicyManager in action.