The Health Information Portability and Accountability Act of 1996 has been anything but static, as regulators have pushed to keep this piece of legislation relevant to the threats of the current and forthcoming marketplaces. Medical organizations have often faced an uphill battle when trying to manage all of the requirements involved in HIPAA, but this is largely an achievable initiative when decision-makers are making sound choices by way of policy, support and guidance.
Some examples of recent changes include the Omnibus Rule that governs the interactions between service providers and health care companies, while amendments can quickly force covered entities into a tough spot. The regulations as they stand today are very comprehensive, and might be the tightest of all with respect to data management governance coming from the government.
Rather than trying to handle all of the various complexities within HIPAA without any type of support, organizations are increasingly turning to managed service providers - especially those from which they already get IT solutions - to meet and sustain compliance with the evolving regulations. Additionally, HIPAA is not the only set of statutes with which health care providers must comply, as the Health Information Technology for Economic and Clinical Health Act of 2009 also contains some challenging requirements.
Failure to comply with these and other statutes can result in significant issues, ranging from crippling fines and sanctions to severely damaged reputations in the eyes of current and future patients. The costs of protecting patient data through HIPAA email and data center security services, as well as general compliance support, will almost always be far lower than the price of being called out for noncompliance or, even worse, falling victim to a major breach.
OCR's new plans
McDermott, Will and Emery recently published a statement that explained how the U.S. Department of Health and Human Services' Office for Civil Rights, which is responsible for HIPAA audits, will be moving past Phase 1 and toward Phase 2 in the coming months. Whereas the Phase 1 audit stage only involved compliance checks for covered entities, the law firm stated that this next line of investigation will look at both health care providers and their business associates.
The results of the first line of audits conducted last year were less than desirable from the health care provider's perspective, with 89 percent of the 115 entities reviewed having at least one problem with respect to compliance. The authors of the study also noted that while health care providers represented roughly 53 percent of all companies investigated, they accounted for a disproportionate rate of the violations.
One might think that Phase 2 is still a long way off, but this is simply not the case, as it will begin soon. Additionally, the OCR has already announced the basics of its plan to get these audits underway and completed in a timely fashion.
"OCR has randomly selected a pool of 550–800 covered entities through the National Provider Identifier database and America's Health Insurance Plans' databases of health plans and health care clearinghouses," McDermott, Will and Emery explained. "OCR will issue a mandatory pre-audit screening survey to the pool of covered entities this summer. The survey will address organization size measures, location, services and contact information. Based on the responses, the agency will select approximately 350 covered entities, including 232 health care providers, 109 health plans and 9 health care clearinghouses, for Phase 2 Audits. OCR intends to select a wide range of covered entities and will conduct the audits between October 2014 and June 2015."
Considerations for the coming months
Health care providers should not allow themselves to become frozen and concerned about the Phase 2 audits, but must rather take a proactive and comprehensive approach to eradicating infractions before they become an issue. One of the best areas to begin internal investigations is the system in place that governs and manages communications and data within the corporate framework.
Health care providers need to remember that all types of communications and technologies used to share, generate and control data are covered under HIPAA by definition, and these items can be trickier to get a full handle on when the entity has fallen behind the curve. They include everything from emails and file transfer systems to Voice over Internet Protocol phone systems and personally owned devices that are used for work purposes.
In many ways, health care providers that already have tight, centrally managed frameworks in place will not have much of an issue preparing for the next round of audits, but now is the right time to conduct internal investigations to be sure that all matters have been reconciled.
By partnering with an expert provider of solutions such as HIPAA email tools and data center management services, medical organizations will be in the clear.
David Bailey is Senior Vice President at Protected Trust.
Protected Trust is a sponsor of the Print4Pay Hotel. I urge members and readers to visit their site to see their full line of products and services. More and more we need to provide well rounded strategic solutions for our customers. Protected Trust offers some unique solutions that can help us in our day to day efforts. Check them out here.
-=Good Selling=-