By Ali Khan, CHP, CSCS, CHPSE
Doctors! It’s time to be HIPAA Compliant.
Think there’s still time to ease your way into compliance? Most physicians I meet truly believe a HIPAA audit will result in a slap on the wrist. Not true. With the deadlines long in the rearview mirror, leniency is a thing of the past. So far, OCR has levied $23 million in fines. It has received over 123,065 complaints, of which 116,266 have been resolved – some with heavy fines.
You’re probably thinking they will have to catch you first. And they will. They even have help. Now any employee or physician with access to a practice can file a HIPAA complaint and receive 15% of the monetary fines resulting from that complaint. As reported by the National Law Review, 67 healthcare-related lawsuits were recently unsealed, and 85% of the plaintiffs were current or former employees.
But a monetary fine isn’t the only thing you should worry about. Your reputation is at stake. The reporting protocols and breach notification requirements are lengthy and involve media reporting. Once your name gets dragged through the mud for not safeguarding your patients’ personal health and financial information, it is difficult to recover. Case studies of similar breaches in banking and retail reveal severe financial and reputational impact lasting 2 years and longer.
Where to start? Some physicians and their practice managers who are responsible for HIPAA compliance think that following a checklist will make them HIPAA compliant. Again, not true. The majority of checklist, manual-by-mail, and “HIPAA in a box” users do not understand how to implement the requirements. At a minimum, unless your checklist conforms to OCR field audit protocols, you have policy documentation for your administrative, security and privacy practices in place, you keep working logbooks, and you have complete HIPAA-compliant IT infrastructure documentation on file, you are far, far away from becoming compliant. IT compliance is typically the most difficult part.
This is why Khan & Marshall does what we do.
Would Arnold Schwarzenegger clean his own house? No, he has a housekeeper for that. Would Bobby Flay prep his own food? No, he has sous chefs for that. Should you do your computer technician’s work? No, because your time is valuable. With more than 6 years of experience working directly with physicians, I have learned that physicians prefer to focus their time on patients. But IT applications are notoriously glitchy, eating up minutes of your time. Then there is IT infrastructure: it’s often slow, sometimes completely off the rails, and it’s frustratingly non-compliant out of the box, even with expert IT help. Systems documentation takes hours to complete, and processes must be aligned with your policy. Staff trainings are pending. Access rights are not appropriate. And the list goes on. The worst part? Most IT providers do not understand HIPAA/HITECH implementation requirements – and you, the physician, are responsible for them.
An experienced HIPAA compliance partner can take care of your worries even before they arise. At Khan & Marshall we offer peace of mind to any physician who owns or runs a practice. Our services are a one-stop solution that takes your practice to the next level by actually implementing your compliance according to best practices and what’s appropriate for your practice. We know what you need – and what you don’t. No more guessing how to meet checklist requirements with staff multi-tasking as compliance officers.
Let’s look at HIPAA compliance as a whole – the way OCR auditors do. If you do not have policy documentation for your practice (at least 80 policies for an average one-physician practice), then you are not compliant even if you are doing everything right. In addition, you will need to maintain some monthly, quarterly and a few weekly logs for continuous compliance and audit trails. If you can’t demonstrate it with physical documentation kept on a regular basis, OCR considers it non-compliance. Remember, this is government. Enforcing regulations is a “my way or the highway” proposition because conformity is more easily held to a standard, and audited.
Their way starts with your annual risk assessment. It is the first thing any auditor will ask for. If you haven’t done one at least once every year, then trouble is around the corner. Avoid the highway and get one. OCR strongly recommends engaging experienced HIPAA professionals for this requirement. It has found that assessments performed internally fail due to lack of understanding of the law, misperception of internal processes, and unintentional bias.
The second major part of HIPAA compliance is IT infrastructure. Not only do you need documentation for all IT policies, or very good written reasoning for the lack thereof, but IT policies need to be implemented as written. OCR has found that the greatest risks to your compliance revolve around information security and your IT. To your benefit, good HIPAA-compliant IT policies will result in fast, reliable computer systems.
HR is the third major part. HIPAA requirements overlap with general human resource law. Hiring and firing documentation, background checks, quarterly and yearly trainings, sanction policies and other HIPAA requirements not only make your patient-facing staff appropriate caregivers, but also increase trust, reliability and interdependency among your employees, increasing the efficacy of your practice.
At Khan & Marshall, we understand why many physicians keep putting off adequately implementing HIPAA: it’s confusing, it’s time-consuming and it feels expensive. With over 10 years of compliance and healthcare IT experience, we remove those roadblocks and rapidly bring your practice into a safer state. The bottom line is that OCR is unforgiving and fines are steep. Compliance costs much less. Case resolutions have demonstrated, and OCR has stated, that even with all of the self-help tools available, compliance is very difficult to achieve without engaging external HIPAA experts. Having the right partner is worth the small amount of money it takes to get the gorilla off your back.
Ali Khan is Chief Executive Officer of Khan & Marshall. Khan & Marshall has over 10 years of healthcare IT industry experience. A Certified HIPAA Professional, Certified Security and Compliance Specialist and Certified HIPAA Privacy and Security Expert, Ali has extensive experience in mobile health (mhealth) compliance, in developing compliant healthcare IT infrastructure including cloud-based and fluidly scaling systems, and in network design and administration.