Scope of HIPAA Compliance Remains Uneven
By Matt Fisher, Esq
A recent survey of HIPAA compliance conducted by NueMD revealed a startling range in knowledge of, and compliance with, HIPAA. Even though HIPAA has been around since 1996 and was updated to include the HITECH Act modifications in 2009, many medical practices revealed they were unaware of the full scope of HIPAA requirements, did not necessarily understand what they did know, or had not implemented full compliance programs.
From the compliance perspective, only 58% of respondents indicated that they had a compliance plan. Even worse at this point in time, especially given the number of high-profile violations and settlements, 23% responded that no plan was in place. Further, the percentage of practices that have a breach notification policy is lower still, with only 45% having a formal policy in place in the event that a breach occurs.
The discomfort continues when diving deeper into the survey's questions on electronic devices and the use of social media. For example, fewer than half of all staff or management associated with practices are confident that electronic devices or mobile devices are HIPAA compliant. There is, though, a somewhat surprising confidence that electronic communications and social media are used in compliance with HIPAA. Clearly, social media is a growing and new tool in healthcare, but 30% of office staff and non-owner providers and 34% of management and owners were confident that social media is being used in a compliant manner.
The results of the survey should not be overly surprising. When the Office for Civil Rights (“OCR”) of the Department of Health and Human Services conducted its pilot round of HIPAA audits in 2012, the results were consistent with findings of the survey. HIPAA compliance was all over the place and did not present a rosy picture. Instead, the OCR found non-compliance with any number of issues, including basic misunderstandings of just what HIPAA actually does.
Given the constantly evolving nature of threats, the relatively low number of practices with robust compliance programs in place, or even strong confidence that HIPAA is being properly followed, raises a significant level of concern. The OCR has been very clear over the past couple of years that lack of preparedness is not well tolerated. When the settlements are examined, it becomes apparent that OCR is trying to teach lessons to all of those entities that are or may be subject to the requirements of HIPAA.
What can be done to address the widespread non-compliance with HIPAA and even general lack of knowledge or awareness of HIPAA? First, education on multiple fronts and a better understanding of HIPAA's multiple goals is a necessary step. For one thing, education must include a basic introduction to HIPAA and how HIPAA is designed to protect and secure information. Once a general awareness is established, then it may be possible to demonstrate why compliance is so important. Further, once the first level of education is complete, then it will be possible to move to the next level, which would be grasping how HIPAA applies to a particular entity (i.e. a healthcare provider, health plan, employer, business associate and others) and what policies and procedures are needed to fully comply with all of HIPAA’s requirements. While this level of education may appear and sound very basic and fundamental, the survey and audit results support the view that education at this level is a necessity. It is also important to note that education is not a once-and-done proposition. Instead, education must be a constant because the healthcare world is always changing. Everyone should always be reminded of their HIPAA obligations and how HIPAA is impacted by new technology and practices.
Once the initial education process is complete, then it should be easier to adopt and follow a comprehensive compliance program. A compliance program, which means policies and procedures, is the means by which a covered entity or business associate will satisfy its HIPAA obligations. A compliance program should not be feared, though. To the contrary, it may be viewed as an opportunity for an organization to put some best practices into place or otherwise help ensure that operations may flow more smoothly. While HIPAA can be seen as a barrier, it may be more appropriate to view it as a means of guiding a practice and offering a common set of expectations both to organizations within the healthcare field and to individuals or patients who interact with those entities.
While it seems there is a lot to do, the present state of affairs offers an opportunity to change how the future will play out. Now that HIPAA is becoming the center of attention, there is the chance for organizations that have not taken all of the necessary steps to now chart a course that takes HIPAA into account and positions the organization for compliance going forward. Organizations have received an inadvertent grace period through the delay of the newest audits to be conducted by the OCR. The opportunity should not be lost. Surveys, such as the one conducted by NueMD, present yet another learning opportunity and can start the dialogue in crafting and implementing a sound HIPAA compliance program.
About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.