News & Analysis

May 1, 2016
Briefings on HIPAA

Never too small to be compliant

Tips for small covered entities charged with HIPAA compliance

"OCR has bigger fish to fry than me."

You may have heard that before—or even said it. Maybe you're an employee in a tiny healthcare facility. Or maybe you've seen the big headlines on data breaches, noted how they seem to always involve large insurance companies and massive healthcare facilities, and thought, "That won't happen to us."

Know thy BA

BAs are a part of HIPAA life—no matter how big or small your entity is. So how far should CEs go to ensure their BAs are HIPAA compliant?

Roger Shindell, CHPS, the CEO of Carosh Compliance Solutions in Crown Point, Indiana, notes that things changed in the HIPAA Omnibus Rule, HHS' biggest set of modifications to the HIPAA Privacy and Security rules per the HITECH Act. Prior to 2013, if a CE had a valid BA agreement in place, and the BA had a breach, the CE had a safe harbor exemption for the breach, he notes.

Entities are required to conduct an "accurate and thorough assessment" of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI.

BA agreements stipulate that the BA will comply with all the requirements under HIPAA/HITECH, per the HIPAA Omnibus Rule. So BAs need to be ready, just like you.

Should CEs offer training to the BAs? No, says Shindell.

"The BA has their own obligation to conduct training," he adds, "and if training is on specific policies and procedures, the CE would not know what these are and what is appropriate."

May 1, 2016
Briefings on HIPAA

HIPAA audits

Ready or not, Phase 2 audits are here

OCR's long-awaited Phase 2 HIPAA Audit Program is finally in full swing. On March 21, OCR announced that it will begin verifying the contact information of covered entities (CE) and business associates (BA) selected for audits (www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/phase2a...). This shouldn't surprise savvy healthcare organizations. The audits kicked off after a flurry of activity from OCR and HHS, including pricey HIPAA settlement fines and the publication of user-friendly HIPAA guidance for providers, developers, and patients.

May 1, 2016
HIM Briefings

Accurate patient matching within the EMR should not be a concern limited to HIM professionals. Ensuring that medical record data is correct and complete and that duplicate records are not created is key to various healthcare initiatives, including population health management, analytics, information governance, patient-centric care, health information exchanges, and finance. It all starts with the patient's record. Reducing the number of duplicate records at a hospital and being able to effectively match records is critical to ensuring that these healthcare initiatives are successful, says Lesley Kadlec, MA, RHIA, CHDA, director of HIM practice excellence for AHIMA.

"Patient matching is really the underpinning of all the strategic initiatives that are going on in healthcare," Kadlec says. "You have to have accurate patient information to have accurate patient care. Ensuring that you have the right patient and the right information at the right time is really what drives the physicians' and clinicians' ability to actually provide that patient with care."

More than half of HIM professionals work on mitigating duplicate patient records, and of that group, 72% do so on a weekly basis, according to a recent survey of AHIMA members. Unfortunately, fewer than half of all respondents have quality assurance in place for their registration or post-registration processes. (A summary of the data is available in the Journal of AHIMA.)

"The challenge is having the staff to be able to dedicate to making the corrections, doing the matching, and ensuring that everything is getting put back together," Kadlec says.

Patient matching and duplicate records are a major issue right now because hospitals are using so many different systems and there is often a lack of information governance across those systems, says Megan Munns, RHIA, identity manager at Just Associates, Inc., based in Denver.

May 1, 2016
Briefings on APCs

In March, outside of the normal OPPS rulemaking cycle, CMS proposed an extensive five-year, two-phase plan to overhaul Part B drug payments for physicians and hospitals. The plan could be implemented as early as this fall.

May 1, 2016
Briefings on APCs

The Provider Roundtable was established in 2003 to give CMS the benefit of providers' input and guidance on critical healthcare delivery issues.

May 1, 2016
Briefings on APCs

Few in the healthcare industry would argue that the way the government currently pays for drugs is the most cost-effective, efficient, and equitable method possible.
