HIPAA compliance can help satisfy patients and practices in several ways. By assessing and fixing risks that need to be addressed, you are off to a great start with compliance. It goes further by ensuring happy employees, patient loyalty, increased practice profit, and more. In fact, ensuring that policies and procedures are in good order can result in profits increasing by as much as 15% based on increased efficiency.
By ensuring that your practice maintains a consistent set of policies and procedures, employees are better able to complete tasks. Issues are avoided before they happen with consistent policies and there is less stress as a result. Further, ensuring that procedures are consistently in place will ensure any type of random audits go well for the practice. That said, CMS audits can be triggered by meaningful use failures or any vendor that may have any suspect business practices.
What happens if there is an audit? There are two steps to the audit process. The first step is a desk audit. This includes a request for a gap and remediation plan. If everything checks out during the desk audit, no more work is required. If further investigation is required, an on-site audit will take place.
Required risk assessments break down into three categories – technical, physical, and administrative. The technical area includes an asset and device manual audit as well as an IT Risk Analysis Questionnaire. This touches on backups, encryption, Wi-Fi, and more. The physical assessment consists of a physical site manual audit. The physical assessment consists of print materials such as PHI/ePHI and ensures that these items are protected and not exposed in a way that would create a violation. Administrative assessments are part of three overall audits . These include a security standards self-audit, a privacy standards self-audit, and a HITECH Subtitle D privacy self-audit.
The importance of audits is demonstrated by the number of breaches that can occur. 17,000 medical records are breached per day on average. 89% of healthcare organizations have experienced a breach over the last two years 86% of mistakes are administrative, which alone lends credence to why half of the audits are administrative in nature.
Under HIPAA there are three rules – privacy, security, and omnibus. The privacy rule sets standards for when protected health information (PHI) may be used and disclosed. The security rule requires safeguards to ensure only those who have access to electronic protected health information (ePHI) will have access. The omnibus rule deals in the areas of breach notification, business associate, and technical due diligence.
While training and other programs around ensuring HIPAA compliance are great, there remains still too much room for error compared to a complete secure and compliant solution. A proper solution should include multiple focus areas including Audits (SRA, Administrative, Privacy), Gap Identification and Remediation, Policies, Procedures, and Training, Document Version, Employee Attestation and Tracking, Business Associate Management, and Incident Management. Anything missing from this may result in partial compliance and may lead to fines and civil penalties.
HIPAA can be good for business. When Fitbit Inc. announced its HIPAA compliance, the stock went up by 26%. In the case of a medical practice, compliance can be a marketing opportunity and a differentiator from peers/competitors. Talking about the brand experience (i.e. more efficiency meaning happier employees and patients) and security through marketing can certainly help bring more business to your practice.
To learn more abut HIPAA compliance and how to ensure a complete Risk Assessment, watch the video below:
