Are you wondering what in the heck HITECH is and how it impacts your business? Let’s do a very simple review of the increased accountability and higher penalties. All existing HIPAA requirements are unchanged; however, if you have not effectively implemented HIPAA policies, training, compliance auditing, and security within your office, it is crucial to get busy. The penalties are as substantial as those associated with billing non-compliance.
With the new HITECH requirements:
- The privacy and security requirements and penalties extend to business associates,
- A mandatory reporting requirement is established for any breach of unencrypted data by covered entities and business associates,
- New privacy requirements are created for covered entities and business associates, including accounting requirements for electronic health records, restrictions on marketing and fundraising activities, and others,
- New criminal and civil penalties for non-compliance are created that are substantially higher than in the past,
- A federal audit protocol is established to ensure compliance; audits are no longer complaint driven.
This means you need to cover your back-side through a proactive HIPAA security and privacy audit. It will be much cheaper to pay a little up front for protection than to be hit with the outrageous penalties plus face criminal and/or civil action. I have included a short checklist for the basics:
- Do you have Privacy Notice of Uses and obtain a Signed Acknowledgement for them?
- Do you obtain an Authorization to Release information to spouses or any other party prior to sharing information?
- Does each employee have a unique username and password to the EMR or billing system?
- If you have a patient portal, how often do you require them to change their username and password?
- Are patient files stored in a locked file cabinet or locked room at the end of the day?
- Do you obtain business associate agreements for vendors that work with your company?
- Do you have annual HIPAA training?
- Do you have an annual security audit for all systems access and back-end IT fields?
- Do you have annual privacy compliance audits, which are more patient “chart” related?
- Are all your programs and network encrypted with the latest or strongest encryption available?
This is a short list of areas for HIPAA compliance, but it is not all inclusive. If you have answered no to any of the above questions, it is very important that you improve those areas to prevent costly penalties. The penalties associated with unauthorized disclosures or breaches of information can be as severe as penalties associated with false/erroneous billing. We can help you get in compliance. You may be doing some of these things but don’t have the policies to back them up. As with any compliance program, it is important to have written policies and procedures, implement the program, have ongoing training, conduct periodic audits to test the policies, and provide options for reporting potential violations or concerns. All of these actions will show best efforts and mitigate exposure to criminal action and/or penalties that may be associated with any breach.