You might remember this scene in the movie The Matrix. Cypher and Agent Smith are seated in a fancy restaurant. Cypher agrees to sell out his friends with the understanding that he will be put back into the Matrix with no recollection of its existence. "I know this steak doesn't exist; I know that when I put it in my mouth, the Matrix is telling my brain that it's juicy and delicious." (Cypher takes an indulgent bite of his steak.) "After 9 years, you know what I realized? Ignorance is bliss."
Top 5 ways to avoid a HIPAA fine in 2019
- Demonstrate a commitment to compliance. I can't really say I blame Cypher, but taking that same approach with your HIPAA obligations would be a risk even he might not take. HIPAA fines for non-compliance are based on the level of perceived negligence found within your organization at the time of the HIPAA violation. Fines can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation. Most HIPAA audits request 6 years of records, so putting off compliance can create costly gaps. Complying with the Privacy and Security Rules can seem overwhelming, but it doesn't have to be. Demonstrate a commitment, follow the next 4 steps, and you'll be on your way to a HIPAA-compliant practice.
- Provide HIPAA training for your staff. This is probably the single most important step. A well-trained staff is less likely to make a mistake or improperly disclose protected health information (PHI and ePHI) that results in an inquiry or audit. HIPAA training should be provided at the time of hire and on a routine basis. HHS doesn't specify how often, but we recommend annually, or any time there is a significant change or a mishandling of PHI. Be sure to have employees sign a training record that documents the session. New employees should also sign an Employee Confidentiality Statement stating that they understand the confidential nature of patients' PHI and won't disclose it unless a proper authorization is in place.
- Implement physical, technical and administrative safeguards. Make sure that you have adequate safeguards in place to protect patient PHI. Pretty much everyone will have a building that's physically secured, but safeguards need to be adequate to secure all PHI, in both paper and electronic format. At a minimum your safeguards should include the obvious: lock and key, computer passwords, and a regular system to back up the computers to avoid data loss. These are considered physical and technical safeguards. Other safeguards that should be considered include encryption, an alarm system, biometrics or video cameras. Since HIPAA is designed to be scalable, it allows you flexibility in determining what safeguards are required to secure your protected health information. Some considerations would be the technologies you use, the size of your facility, the number of patients you see and the amount of revenue you earn.
- Make sure your forms are up to date. That means your HIPAA forms need to be updated periodically. Your Notice of Privacy Practices should be available to all new patients. It has to be based on current laws, and site-specific details need to be reviewed for accuracy. An Acknowledgment of Receipt of the Notice of Privacy Practices has to be signed by all your patients. These also allow patients to designate an individual or individuals with whom you can share PHI, like a significant other or relative. Additional details often include authorizations to allow contact by email or text. It's important to have the patient list a contact address or number and sign to allow you to use a preferred method of contact. Business Associate Agreements are extremely important. They're required any time you hire a vendor that performs a function not authorized in your Notice of Privacy Practices. Sharing PHI for treatment or payment is allowed under HIPAA. Granting vendors access to that same information for purposes like shredding, offsite backup or an appointment reminder service requires a signed BA agreement that specifies what services are being provided. The agreement holds the vendor responsible for the confidentiality and integrity of the information they need to access to perform their job.
- Have site-specific policies for HIPAA Privacy and HIPAA Security. Policies are considered an administrative safeguard that is required under the HIPAA Security Rule. These policies outline administrative actions and procedures to manage the development, selection and implementation of security measures to protect PHI and ePHI. Your administrative safeguards must also address the conduct of employees in relation to the security of protected health information. Too often we see practices that have a Notice of Privacy Practices and get the Acknowledgment signed. They periodically document employee training and, overall, have adequate physical and technical safeguards in place. What they don't have is the HIPAA policies that identify the people and the safeguards they have in place to secure PHI.
Now just a short pitch. We've provided common-sense, affordable solutions for healthcare and dental providers for over 25 years. Our 2019 HIPAA Manuals come with policies, training, forms, posters, toll-free phone support and more, and we can offer even better pricing on our bundles.