The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information (PII) maintained by healthcare should be protected from fraud and theft, and address limitations on insurance coverage. (1)
Think HIPAA is merely not sharing patients’ information with another non-involved person or entity?
You are not alone if you said yes. Protecting PII is a key component to the HIPAA requirements, but it goes way beyond not talking about a call or sharing details with someone not directly involved on that call.
Protecting patients' PII starts before the call and continues well after the shift is over. All employees (volunteer or paid) must undergo annual HIPAA awareness training, conducted either onsite or virtually. Documentation of such training must exist and be kept on file. Computer systems must have unique logins, passwords, and policies for password complexity and rotation. Business Associate Agreements (BAAs) should be in place with any entity you share PII with, including your billing company and any other entity you contract with.
Another key provision is to perform a Security Risk Assessment (SRA). This assessment consists of around 158 questions covering Administrative, Technical, and Physical Safeguards for protecting PII. The rule states an SRA will be done periodically, and although not spelled out, this has been generally accepted as annually. Further, an SRA has to be completed in the calendar year you are attesting to. Part of the assessment is the review of all of your policies and procedures that relate to each of these areas.
After the assessment, a risk matrix should be created that identifies the gaps, ranks them by severity, and assigns persons or teams responsible for correcting each deficiency along with due dates.
The Office of Civil Rights (OCR) is the entity that will perform an audit, either randomly or after a complaint is received. They will give you 10 business days to provide proof of an SRA along with all supporting documentation. Fines can range in the hundreds of thousands of dollars and can include OCR oversight for years after the audit to ensure compliance.
In December of 2019, OCR settled with a Georgia ambulance service for $65,000 and the adoption of a corrective action plan to resolve HIPAA violations after a reported breach and subsequent audit. The breach involved a laptop containing the data of 500 patients that was left on the back bumper of an ambulance and later fell off.
Among their findings were long-standing noncompliance with several HIPAA requirements, including failure to conduct the risk analysis, failure to implement a security awareness program, and failure to implement HIPAA Security Rule policies and procedures.
In addition to the financial penalties and adoption of a corrective action plan, OCR will be scrutinizing the service's HIPAA compliance program for two years to ensure HIPAA Rules are being followed.
Penalties for running afoul of HIPAA can include financial penalties, oversight, and even jail time. In 2019, OCR imposed 10 HIPAA financial penalties totaling $12M to resolve noncompliance issues. (2)
It can be a daunting task, especially for smaller agencies that are helping people every day but may not have the manpower and resources to work on HIPAA compliance. We can assist your agency, whether you are just starting to tackle HIPAA or have been working on it (or parts of it) for years. Our consultants have many years of experience in healthcare and HIPAA regulations.