Providers One Stolen Laptop Away from HIPAA Violation

Remaining HIPAA compliant is one of the most important challenges a provider faces. An errant flash drive, an overheard conversation or a stolen laptop can wreak havoc on a practice. Luckily, we recently spoke with Jim Johnson, President of Live Compliance, about, you guessed it, the importance of compliance in the provider practice.

Jim sums up the reason why it’s so important: “Do a Google search on the topic and you’ll see a violation takes a lot of time and money to fix.”

The last thing you want to do is end up on the U.S. Department of Health and Human Services’ list of patient information breaches.

Jim’s five compliance tips follow:

TPS: Jim, thanks for taking the time to talk with us today about compliance. Let’s get started with the basics. How important is compliance in the healthcare world? And is difficult to remain compliant over time?

Jim Johnson: Compliance, really the concept of taking steps to prevent a privacy breach or remaining compliant with various regulations, is top-of-mind for all provider organizations. In my experience, I’ve found providers sometimes become uncompliant. It’s rarely intentional. It’s just one of those things that happen as practices grow and change, and employees come and go.

TPS: Why is it important for organizations to be compliant?

Johnson: No one wants to get caught up in a HIPAA violation or any other type of compliance issue. Do a Google search on the topic and you’ll see a violation takes a lot of time and money to fix. Those are big reasons to have a good compliance program in place. But I also know violations can destroy patient trust, and that alone is a really important reason to have a good program in place.

TPS: How do compliance issues usually arise?

Johnson: In many cases, it’s usually an accident. But when it does happen, technology and office staff are often the sources of inadvertent HIPAA disclosures and compliance failures. Whether it’s a computer left unattended, staff talking about a patient in an open area, patient records on an unencrypted flash drive or lack of records maintenance, compliance issues are just waiting to happen. And they do.

Since April 2003, the Office for Civil Rights (OCR) received more than 154,000 HIPAA complaints. And they investigated and resolved more than 25,000 cases. During the same time period, the OCR collected more than $70 million in fines for HIPAA violations from health organizations of different sizes.

Those are significant numbers, but there’s no reason organizations have to become part of these statistics.

TPS: So what should provider organizations do if they don’t want to get caught up in the web of non-compliance?

Johnson: Over the years, I’ve arrived at five steps that can get any organization moving in the right direction. And it doesn’t matter if the organization is large or small. These steps can work for every organization.
  1. Get audited. Have an outside organization pick apart your practice to look for areas of weakness. These areas could be the ways patient information is processed or stored, staff training needs or records maintenance. Perform physical, technical and administrative risk assessments to understand where improvements should be made. Gather and review any written documentation, including business associate agreements.
  2. Make a plan. Create and implement a corrective-action plan outlining ways to mitigate any existing problems.
  3. Take next steps. Build a formal compliance action plan for the practice to focus on. Understand and plan for what needs to be done moving forward to remain in compliance. Implement new security and training recommendations. Budget for any expenses related to the new plan, including new equipment or ongoing training.
  4. Get trained. Train the entire staff—physicians, nurses, office staff, interns—on HIPAA privacy and security relevant to your compliance program, not just generic HIPAA training.
  5. Roll it out. Implement your new compliance plan and perform regular internal audits to ensure all staff fully understand the policies and procedures. Make adjustments and improvements. Repeat.
TPS: Those are great tips. Is there anything else an organization should do once they’ve made their way through a new or updated compliance plan?

Johnson: Once the audit is complete, take a step back to evaluate your new plan. Make sure it fits with your culture and staff. And ask yourself a few questions:
  • Can your staff do the work necessary to remain compliant every day, month and year?
  • Is our plan actionable?
  • Can I budget for costs associated with future self-audits?
The best advice I can give is to make sure the plan is relevant to your practice. It needs to be actionable and easy to implement. Otherwise, it’s the same as having no plan at all.
Blog Comments

Blog post currently doesn't have any comments.
 Security code

TriZetto Provider Solutions® Powered by Cognizant

We help physicians, hospitals and health systems simplify business processes and get accurate payments quickly. We will always look for new ways to help you improve revenue and increase cash flow. We will stay ahead of regulatory changes so your office will never struggle to keep up. All so you can focus on the one thing that really matters: doing what is best for your patients.

Learn More