As a managed services provider in the area, we have a lot of experience in dealing with HIPAA, what it means to be HIPAA compliant, how to attain compliance and, too often, how providers are choosing not to address their HIPAA compliance needs. Keep in mind, you don’t necessarily need to be a medical office to fall under the purview of the Office for Civil Rights, U.S. Department of Health and Human Services Health Insurance Portability and Accountability Act of 1996. If your business handles or discloses personal health information or personal health records, you need to pay attention to what it means to be in compliance. This can apply to a medical billing office, a CPA who services a healthcare provider or even an attorney who has access to health information (think injury, accidents, wrongful death, etc.) In no particular order, here are some mistakes made by healthcare providers.
- They don’t take HIPAA seriously.
HIPAA is a monstrous and ambiguous beast in the healthcare industry that requires mandatory risk assessments but (in an effort to allow flexibility to the healthcare provider) offers vague requirement guidelines and recommendations for compliance. This leaves many healthcare providers extremely frustrated and overwhelmed. And, because often just demonstrating movement in the right direction is enough to get a healthcare provider through a risk assessment, leaders in health care sometimes skimp on compliance measures (which can be pricey to implement). Unfortunately, particularly with the advancements in technology, many providers aren’t staying ahead of the risk, and it’s costing them. Fines are dependent on how neglectful the provider was and how many violations have occurred. Fines range from a few hundred dollars to millions, and frankly, many providers just simply don’t know how far behind in security standards they are.
- They sacrifice security for convenience.
We’ve seen all kinds of businesses share passwords or bypass passwords all together. And why? Even with the inherit security risks, it is inconvenient to have to enter passwords frequently. Doctors often perceive this as a slow down to patient care. This can be addressed through single sign-on functionality, adjusting how long before applications time out or rolling out biometric solutions (a thumb swipe instead of having to enter in a lengthy password). But, too often, healthcare entities will opt for the lack of security altogether.
3.They count on their vendors to educate them about HIPAA or to follow HIPAA standards automatically rather than assuming the responsibility themselves.
Often, healthcare offices make too many assumptions about what their vendors are providing. For instance, they may assume that their information technology provider has standards in place that are compliant with HIPAA, when in fact many technology providers don’t even consider HIPAA unless they are specifically asked for assistance in HIPAA compliance.
- They don’t realize who their business associates are.
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity according to the U.S. Department of Health and Human Services. A few examples of business associates are attorneys whose legal services involve access to personal health information (PHI), a software vendor who, in troubleshooting the software, views PHI or a medical transcriptionist who provides services to a physician.
Healthcare providers are required to have business associate contracts in place with all their business associates. Unfortunately, many healthcare providers expect the vendor to take responsibility in identifying themselves as a BA, and quite often, that just doesn’t happen because the BA’s themselves don’t realize their classification.
Healthcare providers must have written business associate contracts between the healthcare provider and the business associate that outline appropriate PHI safeguards, how violations are handled and more.
In closing, if you are a healthcare provider or if you work with healthcare providers, it’s time to start taking HIPAA compliance seriously. Not only will working toward compliance now reduce the risk to your wallet long term, but most importantly, you will also be protecting your clients’ most critical information. Much of HIPAA compliance (or any other compliance) is tied to the technology and security solutions you implement. Make sure your IT service provider knows HIPAA and understands their role in the process. A good IT service provider should be able to get you going in the right direction to better understand what’s at risk, what steps you need to take and how to get what you need.
ABOUT THE AUTHOR
HEATHER REMER is co-owner and CEO of ComputerCare LLC, an IT services company providing a full spectrum of IT solutions and services to small and medium businesses.