HIPAA settlement payments hit an all-time high in 2018 following a year of HIPAA compliance audits conducted by the Department of Health and Human Services Office for Civil Rights. These monetary settlements, which reached $28.7 million by year’s end, have prompted healthcare facilities across the country to take a hard look at their HIPAA compliance.
When it comes to HIPAA fines, it’s important to remember that penalties can be retroactive. In other words, your medical facility or clinic can be fined in 2019 for a violation that occurred years ago. This is exactly what happened to insurer Anthem, Inc. The insurance company agreed to pay $16 million in 2018 for an information breach that occurred in 2015.
So how do you go forward safely? How do you safeguard your patients’ most valuable personal information and prove that you have done so? How do you comply with all HIPAA requirements?
HIPAA Compliance Requirements Include the Security Rule
One of the requirements is the HIPAA Security Rule. A HIPAA risk analysis focused on the Security Rule is mandated for covered entities – clinics, hospitals, and others – to assess patient data vulnerabilities both on-site and at their business associates.
HIPAA compliance requirements include reviewing the likelihood of a security breach and determining whether breach notifications are warranted. The HIPAA checklist below is a valuable tool you may use to prepare a risk analysis.
A HIPAA risk checklist may include:
- A complete inventory of information systems and devices.
- A complete assessment of firewall, encryption and computer security methods.
- Evaluations of ePHI access by non-covered personnel.
- A complete inventory of vendors and their information systems and devices, including their data security methods and access protocols.
If you find vulnerabilities, the next step is to assess the likelihood that patient data may have been breached and whether or not the risk is significant enough to report under the breach notification rule.
Remember, HIPAA fines are not based solely on security breaches, but also on the potential for these breaches.
HIPAA compliance requires not only knowing when to report, but also keeping records of your efforts, and these records must meet a deliberately vague set of rules. The rules are deliberately vague so that they apply to several types of covered entities, yet the fines and penalties can be astronomical even if a breach has never taken place.
This is largely why so many hospitals and clinics are outsourcing HIPAA compliance tasks to third-party experts.
HIPAA Requirements for a Physician Practice
A HIPAA risk assessment for a small physician practice ends up being almost as lengthy as a risk assessment drawn up for a large hospital. The good news is that sample assessments, though thorough and complicated, are applicable in a real-world setting.
In a hospital, fortunately, there are usually experts on staff to help keep employees informed and risks low.
A sample HIPAA risk assessment for a small physician practice includes everything from sanctions policies against employees to electronic system reviews, from workforce clearance reviews to computer login monitoring, from disaster plans to audit controls.
HIPAA compliance requirements for a small physician practice, to be applicable in a real-world setting (and in light of the 2018 HIPAA settlements), must be actionable.
After you’ve assessed and analyzed – and decided, for better or worse, whether to report potential breaches – it’s time to shore up the gaps. Look at all the HIPAA compliance requirements and ask “Where are your vulnerabilities?” and “What can you do to reduce these vulnerabilities?”
Having a qualified third party assess part of your medical practice can uncover needless exposure to liabilities. It can also provide some strategic direction for your business as you grapple with the many reimbursement, regulatory and market pressures that confront today’s practitioners.