If you work in medical billing or healthcare administration, you probably think you can answer the question: What is HIPAA Compliance? Yet, a recent Office of Civil Rights (OCR) audit found that 84.6 percent of 104 covered entities scored so low that is was termed “negligible effort” or “no evidence of compliance.”
These abysmal scores came from American hospitals, clinics, and their subsidiary contractors – institutions that know the penalties for shoddy HIPAA compliance, institutions that have their HIPAA compliance checklists in close range.
According to HIPAA Journal, the requirements of HIPAA are deliberately vague so that regulations can be applied equally across various covered entity types, including relevant business associates. Unfortunately, there is no such thing as HIPAA compliance certification in the legal sense. There is no HIPAA compliance training that will keep you off the OCR audit radar, but there are consulting firms that can come in and train your staff, assess your risks and provide a more comprehensive HIPAA compliance checklist.
What are HIPAA Compliance Violations?
If the requirements are vague, the consequences for noncompliance are clear and, well, scary:
- First-Tier Violation: A first-tier violation means that the covered entity was unaware of the breach. Regardless of intent, the penalty remains and can be $100 to $50,000 per incident up to $1.5 million.
- Second-Tier Violation: A second-tier violation means that the covered entity did not act with willful neglect but did not utilize due diligence to comply. The penalty can be $1,000 to $50,000 per incident, and up to $1.5 million.
- Third-Tier Violation: A third-tier violation means that the covered entity demonstrated willful neglect but corrected flagged issues. The penalty can be $10,000 to $50,000 per incident, and up to $1.5 million.
- Fourth-Tier Violation: A fourth-tier violation means the covered entity demonstrated willful neglect and did not correct flagged issues. The penalty can be $50,000 per incident and up to $1.5 million.
This is not the first time that OCR audit results have revealed serious gaps in healthcare compliance requirements. Either HIPAA is not understood, or key elements are being lost in translation. For your institution to avoid suffering these steep monetary fees, it is essential to be able to answer the question “what is HIPAA compliance?”
What is HIPAA Compliance in Simple Terms?
The Health Insurance Portability and Accountability Act (HIPAA) means the Secretary of the U.S. Department of Health and Human Services (HHS) has created regulations to protect the privacy and security of health information.
This means that there are rules and regulations dictating the way patient information – specifically electronic health records, or ePHI (protected health information) – is stored or shared. In other words, steps must be taken to protect sensitive information, which brings us to the Health Information Technology for Economic and Clinical Health Act (HITECH), an offshoot of HIPAA, sometimes referred to as HIPAA HITECH.
HITECH legislation means that HIPAA compliance extends outside your medical institution and compliance is also mandated from third-party service providers.
What is HIPAA Compliance in Regard to the Security Rule?
The security rule requires safeguards to ensure the security of electronically protected health information (ePHI), according to the HHS. So, if HIPAA compliance is the law of the land when it comes to sensitive patient data and storage, the security rule is the method or path to this compliance.
The first mile marker on your path to HIPAA compliance is a risk assessment tool or training materials that can be downloaded, along with several other helpers like the HIPAA compliance checklist 2018 and a HIPAA compliance assessment guidance tool. Alternatively, you can also contact a reputable healthcare consulting firm to complete a HIPAA risk analysis for your organization.
A risk analysis should be conducted annually, which can help zero in on weak data security areas and potential breaches.
The Security Rule does not give you a point A to point B set of steps to guarantee compliance, the language is deliberately vague and does not dictate measures but offers guidelines to safeguard ePHI.
What is HIPAA Compliance in Regard to Steps To Take Now?
Based on the results of recent audits – and remember accidental HIPAA breaches are also subject to large monetary fines – there are several security areas where you should pay close attention.
The following list is also based on The Fox Group’s own experience as third-party consultants to hospitals and clinics over the years.
Here is what you must do to avoid penalties:
- Develop a set of HIPAA Privacy/Breach and Security policies and procedures.
- Make sure you have a Business Associate Agreement for organizations, vendors and contractors who have access to patient data.
- Make sure your IT security is updated often with electronic fail-safe measures in place.
- Make sure paper files are secure and accessible by verified personnel only.
- Make sure the notice of privacy practices are updated and located on your website and in a visible to patients when they present to your organization.
- Conduct risk analysis regularly to gauge the safety of PHI.
- Update Business Associate Agreements with vendors and others to whom PHI is disclosed.
- Train workforce members on HIPAA Privacy and Security so they know how to avoid unauthorized disclosures, only provide minimum necessary information, and how to report a privacy breach.
The idea is that you want to take every measure to protect patient data, but you also must be able to prove with documentation that you have taken every measure to protect patient data in the event of an OCR audit.
These are the most common compliance failures found during OCR audits, according to HIPAA Journal:
- Failure to perform a risk analysis.
- Failure to enter into a HIPAA-compliant business associate agreement.
- Failure to use best measures to safeguard EHR on portable devices.
- Exceeding the 60-day deadline for issuing breach notifications to patients and media.
- Disclosures of protected health information.
Now is the time to ask your staff ‘What is HIPAA compliance?’ and start expecting a more complete answer. The privacy officer may need to share some cases and consequences of penalties of organizations who apparently were not able to answer the question ‘what is HIPAA compliance’ properly.
OCR Audits: Reports on Compliance
As mentioned earlier, 84.6 percent of 104 covered entities showed “negligible effort” or “no evidence of compliance.” They clearly could not or would not ask and answer the question ‘what is HIPAA compliance’ thoroughly!
In 2017, several monetary settlements and civil penalties were settled following OCR audits, some of these violations were more than five years old. The Center for Children’s Digestive Health reached a settlement for $31,000 after it was discovered that the center did not have a business associate agreement in place per HIPAA guidelines.
Metro Community Provider Network paid a settlement fee of $400,000 because they did not have a process for security management. In other words, they did not have anything on file detailing what they would do in the event of a security breach.
Then there are those found to have multiple breaches across multiple tiers. In June of this year, the University of Texas MD Anderson Cancer Center was ordered to pay more than $4 million in damages for multiple issues.
The Fox Group provides compliance and HIPAA consulting services to many organizations across the United States. We have many corporate compliance program case studies, demonstrating how we are able to bring hospitals and other healthcare facilities compliance programs up to par with regulatory guidelines. There have been many situations in which we were challenged and only given a limited amount of time to work with legal counsel to get the facility into compliance and at a point where they can maintain the program on their own or outsource it to The Fox Group to help them to sustain!
When you’re dealing with federal regulations and mandatory compliance, it is always best to bring in a healthcare consulting firm with many years of experience to assist you with HIPAA Privacy/Breach and Security Rule Regulations.
The settlements and monetary payouts that accompany violations – even accidental violations – can be astronomical. It only makes sense to put experience to work for you and your organization.