HIPAA Privacy & Security Audits Have Begun!

Has the Affordable Care Act impacted your business yet? If you’re a medical practice or if you have medical practice clients, HIPAA Privacy documents need to be updated.

The OCR (Office for Civil Rights) is responsible for making sure medical practices have implemented the new privacy and security requirements and they’ve begun auditing to see who is complying. Are you compliant?

According to the OCR website, the use of health information technology continues to expand in health care. Although these new technologies provide many opportunities and benefits for consumers, they also pose new risks to consumer privacy. Because of these increased risks, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) include national standards for the privacy of protected health information, the security of electronic protected health information, and breach notification to consumers. HITECH also requires HHS to perform periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules. HHS Office for Civil Rights (OCR) enforces these rules, and in 2011, OCR established a pilot audit program to assess the controls and processes covered entities have implemented to comply with them. Through this program, OCR developed a protocol, or set of instructions, it then used to measure the efforts of 115 covered entities. As part of OCR’s continued commitment to protect health information, the office instituted a formal evaluation of the effectiveness of the pilot audit program.

We can help by either reviewing your current documentation and recommending the necessary updates, or we can put together a new set of compliant documents for your practice, train your staff and leave you with a HIPAA Policy Manual.

 

Types of Chart Reviews

So you’ve decided to implement an internal audit program for your practice.  Excellent!  There are so many external parties who can scrutinize your internal documentation, so it is a really good idea to see your practice from their perspective.  An internal audit/review is an outstanding and comprehensive tool.

The first decision is to determine what you want to get out of your audit/review.  Here are some examples of reasons to perform an in-depth, structured peek into your own medical records:

 · “How are we doing?” review.  This is an excellent way to initiate an internal review process when you don’t have a lot of time, money, or resources and have no reason to think there is anything specifically wrong.  Depending on the size of your organization, you select a very small sample:

  •  1-5 records from each provider
  •  representing a variety of services performed by that provider:
     1. E/M
     2. Surgery
     3. Office procedure
     4. Studies
  •  every piece of documentation that supports the service

 ·  Formal compliance review.  This process would follow the detailed description contained in the practice’s formal Compliance Plan.  Don’t have a Compliance Plan?  Well, that’s another blog post for another day.

 · “Someone else we know had a problem” review.  A news report or a colleague reports an awful experience with a payor or other oversight entity.  Your initial response is panic, then denial.  Eventually you realize the best path to peace of mind is to perform an internal audit/review to make sure you don’t have any of the same issues in your practice.

 · “We think we have a problem” review.  Somehow it’s been brought to your attention that one area in your operation may have documentation or compliance concerns.  An internal review can be a solid first step in determining if the problem does exist, and to determine the extent of it.

 · “We KNOW we have a problem” review.  At this point, an internal review should only be one component of a larger strategy.  Coordinating efforts with your Compliance department, and potentially Legal counsel, is imperative.  Once you’ve been alerted to a problem, the steps taken and the speed with which you correct the problem can be instrumental in mitigating consequences.

If you’ve got any questions about chart reviews, we can help.  Contact us at sue@habaneroinc.com.

Be Your Own Medical Record

 

It started as a professional curiosity, but now it has become a habit, and I recommend it to everyone.  Maintain your own medical record.

I’ve found this helps me better understand what is going on with my own health, and it also makes it easier to communicate amongst the various healthcare practitioners you may see over the years.

For example, I recently went for a DEXA scan for bone density. It’s something that is recommended, especially for women, and especially for women with bone issues. My GYN had ordered the test, and when I went to have it done, I asked the technician for a copy of the scan and she printed it out right then and there.  Same thing when I had some 3D dental X-rays taken a few months ago.  It made it easy for me to get second opinions, and eliminate a potentially unnecessary overexposure to another X-ray.

I suggest maintaining copies of all your blood results too.  This can help you when you are doing your own research into health related topics, be it research into traditional or alternative medical topics.

You may also want to consider doing this for any children, friends or relatives for whom you have, or may have, responsibility.  For example, if an elderly relative were suddenly in need of medical care, would you be able to provide a list of their medications to emergency responders?

The bottom line: in today’s healthcare arena, we all need to be proactive in taking care of our health and the health of our loved ones.  As in many other areas of life, information is power!

– As published in GEM Magazine. Author: Susan Montana

Please direct your health care reimbursement questions or topics you would like to know more about to Sue@HabaneroInc.com.

Private Practice #1 Target for HIPAA Compliance

Yikes!  Want to know why all this HIPAA stuff is so important for medical practices?  Look at who is Number One on the hit list – private practices. Are YOU in compliance??? 

Here’s what HHS says: 

“Since the compliance date in April 2003, HHS has received over 90,001 HIPAA complaints. We have resolved 94% of complaints received through investigation and enforcement (over 22,026)! 

The most common types of covered entities that have been required to take corrective action, in order of frequency:

1.   Private Practices;
2.   General Hospitals;
3.   Outpatient Facilities;
4.   Health Plans (group health plans and health insurance issuers); and,
5.   Pharmacies.

The compliance issues investigated most are, in order of frequency:

A.    Impermissible uses and disclosures of protected health information;
B.    Lack of safeguards of protected health information;
C.    Lack of patient access to their protected health information;
D.    Uses or disclosures of more than the minimum necessary protected health information; and
E.    Lack of administrative safeguards of electronic protected health information.”

Habanero, Inc. has developed a basic HIPAA & HITECH Privacy Policy & Procedure product that is customized to YOUR practice and provides easy-to-follow instructions for your Privacy Officer, a personalized set of HIPAA Privacy forms and documentation & training materials for your staff, including a staff assessment and acknowledgement process.  Call today at (631) 244-5661 to get your own and be prepared for HHS’ OCR Privacy auditors.