HIPAA Compliance Efforts: Planning for the Worst and Hoping for the Best
As a busy healthcare professional, you are dealing with multiple roaring fires all day long every day. It is easy to view HIPAA compliance efforts as a barely burning ember, at best. The problem is that ember can quickly become an uncontrollable forest fire if it is not tended to. We so often put the task of HIPAA compliance off thinking that nothing will ever happen to us. We are simply hoping for the best. The problem is, we have not sufficiently prepared for the worst.
There are several problems with this failure to plan: the Office of Civil Rights (OCR) is conducting audits to ensure compliance, and healthcare breaches are on the rise, resulting in costly fines. It is no longer a question of IF you will experience a breach, but rather WHEN.
The risk of an audit from the OCR is a very real one. Since its inception, the government has complained about the lack of teeth in HIPAA. Until the audits started rolling out, organizations were reactive in their compliance efforts rather than proactive. The problem of reactive versus proactive compliance is easily illustrated if you think of it from a health viewpoint. You counsel your patients that obesity and sedentary lifestyles can lead to morbidities such as hypertension, CVD, kidney disease, diabetes, and the list just goes on. You advise them to take a proactive approach to their wellbeing by watching what they eat and exercising regularly in order to prevent these diseases. You warn them that if they do not take these proactive measures, they will face life-long consequences, along with the reactive measures needed to treat the diseases brought on by unhealthy living.
HIPAA compliance, in the eyes of the OCR, is no different than treating risky behaviors in your patients. A proactive approach to ensuring your patients’ information is maintained in a secure and private manner is imperative to the health of your business. Fines can reach as high as $1.5 Million per incident per calendar year. The largest HIPAA fine was $4.8 Million and was issued last year. Failing to be proactive in your HIPAA compliance efforts will not only put you at risk if you are audited, but will also put you at increased risk for a breach with a lofty fine.
To plan for the worst, it is necessary that you start by conducting an assessment of your current policies and procedures. It is imperative that you not only confirm that you have all the necessary policies and procedures, but that you are also following them and keeping documentation of your compliance efforts.
It is also important to remember that conducting a risk analysis is not an optional task for HIPAA covered entities and their business associates, but a required action. Your organization must determine how often a risk analysis should be conducted as well as the methodology for conducting it.
Contingency planning for a disaster, whether manmade, natural, environmental, or external (such as an attack by a hacker), should also be an important part of your planning for the worst.
I understand that all this can be overwhelming; however, it is necessary to remember that compliance is not a checkbox that can be marked and then forgotten. Compliance is a journey that must be taken one step at a time. Unfortunately, it is not a journey that has an end point. There are, however, many tools and resources out there to help you along the way – like HIPAAtrek! Contact one of our HIPAAsherpas to find out how we can help you on your HIPAA journey!