As the deadline for compliance with the much-publicized Health Insurance Portability and Accountability Act (HIPAA) grows ever closer, large health industry concerns are fully immersed in the process of readying themselves.
However, smaller concerns like doctors’ offices and specialty medical services are slower to consider the steps that must be taken to initiate broad changes in their own offices. Since non-compliance after April 14, 2003 means stiff financial penalties as well as the potential for incarceration, like it or not, the time to begin the compliance process is now.
The primary objective of HIPAA is to provide better access to health insurance, limit fraud and abuse, and reduce administrative costs. In addition, it provides provisions to safeguard individuals’ rights with respect to notice, choice, access, and security of their personal health information, and it prevents wrongful use of this information.
Requirements include regulation of access to medical records, storage of these records in a secure location, procurement of written consent by an individual before releasing information to any party, mandatory reporting of offenses, making an individual’s own medical records available to him or her, amending medical records whenever an individual finds a discrepancy, and public disclosure of internal practices and policies with respect to privacy.
A tall order for any medical practice or service, HIPAA is serious business. Since business processes need to be examined and in most cases revised, this is not something that will simply be accomplished in a few weeks' time, so waiting until March is not recommended.
The first step that any organization must undertake is the appointment of a privacy officer and security officer. In smaller offices, this may be one person wearing two hats. It is important to understand that this individual must be granted the authority to implement sweeping changes in the company’s business operations, and also must have the know-how to retool some IT functions, as they will have to be responsible for the security of both paper- and electronic-based patient information.
HIPAA requires that someone within every organization be designated as the person responsible for data security, and that someone be designated as responsible for compliance with the new regulations, so that person or those people must be chosen wisely. This assignment of responsibility sends a message to both employees and patients that HIPAA is a serious matter.
With several months remaining before the deadline, the following steps should be set in motion in each office that will be impacted by HIPAA compliance.
• Establish HIPAA compliance as a priority and designate the privacy officer and the security officer.
• Obtain a copy of the HIPAA rules and review them carefully, noting obvious discrepancies between current operations and the new mandates.
• Collect all current policies regarding security and privacy, and review them carefully. Identify non-compliant policies and procedures, then establish new ones.
• Educate all staff members about HIPAA so they may assist in identifying areas of non-compliance.
• Compile an inventory of personally identifiable electronic information that is maintained, including information stored on servers and personal computer hard drives.
• Perform a risk-assessment evaluation to identify potential vulnerabilities of private information storage and distribution. Consideration must also be given to hacker threats from outside, through Internet access.
• Define a plan to address all risks, and prioritize the level of each threat.
• Since each office is also responsible for ensuring the compliance of vendors with whom private information is shared, it is important to review all vendor contracts to ensure that they are also embracing HIPAA compliance. Rewrite contracts to say so explicitly.
• Ensure that the master patient index is accurate, eliminating all duplicates and overlays.
• Consider information security technologies. Fingerprint or retinal scans are probably not appropriate in most cases, but secure logins with carefully guarded passwords are paramount.
• Review the audit trail abilities of the current technology system. The best systems record all access to patient records, even read-only, and flag suspicious activity. Be sure that any new system evaluations include this ability as part of the package.
• Evaluate billing practices to ensure compliance with the new standards. Modify billing practices to meet compliance regulations.
• Ensure that patients have proper access to their personal medical information, are allowed to copy it and make any changes that they deem necessary, and are aware of the channel for filing a complaint regarding the misuse of their medical information.
• Educate staff about new HIPAA-compliant policies and enforce them rigorously. Establish a confidential reporting system for infractions and instruct employees that they are legally obligated to report infringements.
HIPAA compliance is a complicated issue, and it is likely to take several months to institute all the mandates. With the April 14 deadline looming, it is advised that each physician and medical service office initiate the measures outlined above promptly, giving special consideration to who is designated as responsible for overseeing compliance.
With infractions resulting in severe financial penalties and the threat of imprisonment, considerable effort must be undertaken as soon as possible, before the clock runs out.
Michelle M. Begley is a member of the Litigation Department of Bacon and Wilson, P.C.; (413) 781-0560. Her areas of expertise include employment law, domestic relations, family law, and personal injury.