Executive Summary
Smaller facilities often find it difficult to maintain compliance with the Health Insurance Portability and Accountability Act.
• Have a risk assessment conducted, develop a mitigation plan, and assign specific responsibilities to staff members.
• Put proactive audits and reviews in place.
• Train all staff on accessing and communicating protected health information in all formats.
An outpatient surgery facility gave a research organization a patient’s protected health information (PHI) for recruitment purposes, but it had neither the patient’s authorization nor a signed waiver of authorization approved by an Institutional Review Board or privacy board.
In another case, an organization placed a patient’s PHI, including demographic, financial, and clinical information, in a dumpster outside of a physician’s office, according to a report on compliance with the Health Insurance Portability and Accountability Act (HIPAA) recently released by Stericycle in Northbrook, IL, a consulting firm that addresses employee and customer safety, regulatory compliance, and environmental impact.1
Stericycle reports that many privately owned and smaller providers struggle with HIPAA compliance.
“It’s certainly a balancing act between having to do what all the requirements expect of a covered entity for HIPAA, and the balancing act of running a business and keeping things operating,” says Susan Stolz, HIPAA compliance solution manager with Stericycle. Stolz points out that the regulations are complex. “The biggest challenge we see, oftentimes, is that there aren’t appropriate resources, or the people responsible for compliance activities aren’t necessarily subject matter experts.”
These barriers have been witnessed firsthand by those working with smaller outpatient surgery providers. Debbie Mack, MSN, CASC, CNOR, an independent healthcare consultant based in Nevada City, CA, and past president of the California Ambulatory Surgery Association, has visited three centers in the past six months. During her conversations with the managers, she happened to bring up HIPAA. She found that those centers had only one or two HIPAA policies that offered basically “no security.” “There was no risk assessment,” Mack says. “They had nothing.”
Privacy/security is just one small piece of a manager’s job at a smaller facility, says Jan Kleinhesselink, RN, BSHM, CPHQ, chief quality officer at Lincoln (NE) Surgical Hospital. “Time-consuming, laborious activities such as ensuring that compliance policies and procedures are updated, implemented, enforced, and audited can be very challenging,” Kleinhesselink says. Leaders might be involved in the day-to-day activities, she says. “They may spend much of their day dealing with ‘now’ issues and putting out ‘fires,’” Kleinhesselink says. “In this type of facility, there is an even greater chance that regulatory issues may fall through the cracks.” In comparison, hospitals have entire compliance teams, Mack says.
Another issue is that managers at freestanding facilities might have difficulty finding time to attend national meetings where regulation changes are discussed, Mack says. The most important recent change was the security rule in 2013, Mack says.
Coupled with these demands is the thought prevalent among managers of smaller facilities that they won’t have a breach, Stolz says. “That prevailing attitude can be a dangerous thing for the business,” says Stolz, who points to severe financial repercussions as well as the publicity involved.
Resolving issues with HIPAA compliance boils down to policy development, IT security assessment, and employee training, Mack says. “And those all cost money, and then you have to have someone managing those,” she says.
Consider these suggestions.
• Have a risk assessment conducted.
Kleinhesselink says, “Complete a risk assessment to identify potential failures, develop a mitigation plan, and assign staff specific responsibilities for essential components.”
The risk assessment can help you see where you are and what deficiencies you have, Mack adds.
• Conduct audits and reviews.
Kleinhesselink says, “Put proactive audits and reviews in place to reduce the ongoing day-to-day drain of reactive processes.”
• Train staff.
Your staff must attend training on the HIPAA Security Rule and patient rights, Mack says. Kleinhesselink says, “Keep in mind that privacy and security go together and that it will be essential to communicate with and train all staff regarding accessing and communicating PHI in all forms: electronic, paper, verbal, etc. It sounds like a lot of work, but putting sound processes and reviews in place will help reduce the stress of that person or persons wearing multiple hats.”
You must maintain and sustain these activities, Stolz points out. “It’s never a ‘once and done,’” she says. “It’s not a checklist to tick off, that ‘we’re completed and in compliance.’”
If you’re audited, you’ll have to produce six years of running documentation, Stolz says. HIPAA compliance requires continual and constant monitoring, training, risk assessment, and policy review, she says. “Anytime something changes in the organization, policies need to be updated,” she says.
1. Stericycle. HIPAA compliance: Six reality checks. What are you doing to mitigate the risk of a breach or HIPAA violation? Accessed at http://bit.ly/1vsu9uF.