When I look back on 30 years of involvement with HIM, it's hard to believe that I was also passionate about another profession at one time. But I actually came to my career as a coder by way of my associate's degree in veterinary science.
The Office for Civil Rights (OCR) stepped up HIPAA enforcement in a big way this year. The agency handed down more than $5 million in HIPAA settlement fines in one week in March, and in July reached a HIPAA violation settlement with Advocate Health Care in Illinois that carried a $5.55 million monetary payment. OCR kicked off phase two of its HIPAA Audit Program and will likely complete desk audits of covered entities (CE) and business associates (BA) by the end of the year. Comprehensive on-site audits may occur early in 2017.
However, breaches continue to come at a relentless pace and questions have been raised about OCR's handling of HIPAA violations, particularly repeat HIPAA offenders. And a truly permanent HIPAA audit program may not yet be in sight: OCR states that phase two audits will help the agency plan for a permanent audit program but doesn't state when that might launch.
In a September 2015 report (https://oig.hhs.gov/oei/reports/oei-09-10-00510.pdf), the Office of Inspector General (OIG) said OCR—and HHS as a whole—should strengthen its oversight of CEs and be proactive rather than reactive in its approach to HIPAA enforcement. The report found that in 26% of closed privacy cases, OCR did not have complete documentation of corrective actions taken by CEs. In addition, OCR's case tracking system has significant limitations and makes it difficult for the agency's staff to check if a CE under investigation has been the subject of previous investigations.
All of this may make some CEs and BAs feel that HIPAA compliance is merely optional, and that leads to a weaker privacy and security culture throughout the industry. Although OCR does take action to make its presence felt, it could do more, Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona, says.
"I do believe that OCR is trying to let people know that it considers HIPAA compliance an important objective," he says. "With its guidance and ongoing alerts about the occasional enforcement actions here and there, I see OCR's enforcement a small step above being a paper tiger in terms of how seriously people take it."
The cost of healthcare is quickly rising across the nation, and patients are shouldering the majority of the price increases through higher deductibles and out-of-pocket expenses as expenditures continue to shift from employers to patients. According to a TransUnion Healthcare report released during HFMA's 2016 National Institute in Las Vegas (www.marketwired.com/press-release/-2137926.htm), patients experienced a 13% increase in medical costs between 2014 and 2015.
A rise in self-pay patients usually signifies an increase in bad debt risk that can have a sharp and negative effect on revenue streams. As expected, healthcare organizations responded to this upward trend in patient financial responsibility by dedicating more attention and resources to managing their self-pay accounts. But are additional complications necessary? Can self-pay accounts be managed more effectively by actually taking fewer and more logical steps?
Recent work with pre-acute care providers, such as emergency medical services (EMS) and emergency medicine physician groups, reveals that most of these providers are struggling to address self-pay accounts. Hospitals and health systems report similar concerns. Addressing the rise in self-pay patients requires a shift in revenue cycle management strategies and tactics.
Instead of raising the level of complexity required to manage self-pay receivables, providers should try to simplify their efforts: work smarter, not harder. Determining a patient's propensity to pay is one of these practical steps. Using the pre-acute care sector as one example, qualifying accounts for management can be radically simplified with significantly fewer steps.
Threats to PHI are coming fast and furious. Although many organizations are ready to take HIPAA compliance seriously, it requires sustained attention and resources for organizations to protect PHI. That can't happen if privacy and security officers aren't being heard by the board and senior leaders.
In July, OCR announced it reached a HIPAA breach settlement with Oregon Health and Science University (OHSU), an academic health center. In its statement on the settlement, the agency drew attention to the vital role hospital executives and senior leaders play in HIPAA compliance. OHSU did complete risk analyses and identify vulnerabilities, including those that caused the two massive breaches named in the settlement, but no action was taken to mitigate these vulnerabilities. Without support from the top, OHSU's security risks remained unaddressed until it was too late. Failure to address these risks came with a $2.7 million price tag, a strict three-year corrective action plan, and the kind of bad press that's difficult to put a positive spin on.
Privacy and security officers need executive support, but obtaining it may be a challenge. Alliances with key staff and an understanding of the concerns senior leaders face can be a win for privacy and security in the boardroom.
Growing threats to PHI, particularly ransomware, have drawn attention to privacy and security this year. Senior leaders and members of the board may be feeling the pressure to change the way their organizations operate and step up security measures.
There is no federally recognized HIPAA certification standard for covered entities (CE) and business associates (BA), and it's unlikely one will be established. However, that doesn't stop larger CEs from requiring some form of certification to demonstrate compliance with HIPAA and proof that BAs have implemented sound information security programs. The Health Information Trust Alliance (HITRUST) published its first common security framework (CSF) in March 2009 with the goal of focusing on information security as a core pillar of the broad adoption of health information systems and exchanges. Larger CEs, primarily large health plans, now require their BAs to become HITRUST certified.
Q: We recently received a request for a patient's records. The patient transferred to another provider several years ago and we subsequently transferred all the patient's records to the new provider. Should I direct the request to the provider the patient transferred to? I'm unsure that we should be responsible for retrieving and releasing information for this patient since we transferred the patient's entire record to the new provider.
A: If you sent a copy of the patient's records to the new provider and still have the original records, it would be appropriate for you to respond to the request. If you transferred all records to the new provider and no longer have the patient's information, refer the request to the new provider.
Editor's note: Mary Brandt, MBA, RHIA, CHE, CHPS, is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for BOH. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com.