HIPAA is Not Optional
HIPAA is not sexy, and it’s often called “a necessary evil” but if you are in the business of healthcare, it’s actually required. Unfortunately, most clinics do not understand what is required to be considered HIPAA compliant. Some have fallen into the misconception that a HIPAA Manual is all that is necessary, others feel if they attend HIPAA Training, they are HIPAA compliant. Often a provider finds out the hard way, when they experience a ransomware attack or other type of reportable breach. This is a costly way to learn about HIPAA requirements. It is vital that providers understand what is involved in implementing and maintaining a HIPAA Compliance Program.
The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) believes a comprehensive Health Insurance Portability and Accountability Act (HIPAA) program provides a baseline for protecting patient privacy and improves the efficiency and effectiveness of the health care system. While HIPAA has made many twists and turns to adapt to advancing technologies, it is vital to know what is expected of a practice in order for them to be HIPAA compliant.
HIPAA is Here to Stay
Although we may wish it would go away, HIPAA rules and regulations are here to stay. With the advancement in technology, necessary standards were needed to address the increased risk of potential breaches of protected health information. Therefore, in 2013 the final Omnibus HIPAA Rule was established. The Omnibus Rule encompassed many provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Omnibus was created as part of the American Recovery and Reinvestment Act of 2009, and the goal was to strengthen the privacy and security protections for health information, which was initially established with HIPAA in 1996. As recent as 2023, revised rules and regulations are in play and will once again impact providers and their HIPAA policies and procedures.
Keeping an Eye on Your HIPAA Health
HIPAA is never one and done. It requires constant attention through yearly risk assessments of both privacy and security safeguards. The Risk Assessment reports should include corrective actions and the clinic should have tangible evidence of implementing these changes. In addition to assessing risk, a health HIPAA program will have trained staff who are determined to maintain a compliant environment in the clinic. This requires ongoing risk management training along with established policies and procedures.
If you are concerned about your clinic’s HIPAA health, check out the HIPAA Assessment service provided by KMC University. It is a great place to start on the road to improving your compliance. Remember, you cannot fix something if you do not know what is broken. Do not put your clinic at risk another day. Take the time to assess your clinic’s needs. Do not fall into one of the percentages listed below.
Between April 14, 2003 and December 31, 2020, a study of the results of the UCR investigations revealed:
- Average of 6% of the cases no violation was noted
- Average of 56% of the cases being resolved as part of the intake and interview process
- Average of 41% of the cases referred for corrective action with potential Civil Monetary Penalties
Having a HIPAA compliance program is just good business. Reducing exposure to risk and liability is one of the main reasons to implement and maintain a proper HIPAA compliance program. If a practice implements and follows an active HIPAA compliance program, it demonstrates that the practice has made reasonable efforts to protect individually identifiable health information.
This weekend has been so enlightening. Thanks to Kathy and KMC University's Hands-on-Lab this weekend in Denver, I am now able to go back to the office and be equipped with the tools and systems I need to make my job EASY! I highly recommend Kathy and her staff at KMC University! Her knowledge and systems will help you and your office run like a smooth well oiled machine