By MARK LANTON
You know that HIPAA is mandatory, and you know the significance of complying with HIPAA. But, do you really know what all HIPAA commands of you? I use the word "command" because of the heavy hand of the government and the serious consequences, even if due to a simple infraction on the physician's part. This may surprise you, but according to the government, more than 70 percent of all physician practices are NOT compliant. You have to ask yourself the question, "is my practice in compliance?" And if you think you are, how do you know?
Not knowing for sure if you are completely in compliance is like playing Russian Roulette with your practice. For instance, a three-physician dermatology practice in Massachusetts was fined $150,000 because an office employee backed up patient records on an unencrypted thumb drive that was stolen. This was not an intentional HIPAA violation, but not paying attention to details are the cause of a significant number of HIPAA violations nationwide. Another example of a HIPAA blunder was an employee at the University of Iowa Student Health Center who had noticeably displayed her surprise when she learned the results of a high-profile athlete's pregnancy test.
Even though the employee had compliance training, this employee made a supposedly virtuous remark in wishing the young couple well. The employee was "thinking out loud," but was overheard by other employees who reported her statement. The employee was then fired. I can go on-and-on with examples of HIPAA violations that were easily preventable. It is reported that there have been more than 27,000,000 medical records disclosed in the past three years. That number is more than the population of many nations around the globe. Doctors, nurses, office managers and healthcare professionals all share in the confusion that is linked to HIPAA.
Who is responsible for following HIPAA? Every covered entity (CE), physician practice must appoint a Compliance Officer within the practice. A Compliance Officer can be the Office Manager or physician. The Compliance Officer carries a heavy load on their shoulders because the fate of the practice can depend on the quality and thoroughness in maintaining compliance. If you are responsible for maintaining the compliance in your practice, your employment, finances and freedom can be all at risk. Fines can range in the neighborhood of $50,000 or more.
Recent legislation has increased the government's ability to audit and penalize to the fullest extent. If your Officer Manager or in-house biller is undercoding or unbundling codes, the possibility of being audited is greatly increased. It has been shown that outsourcing to billing/coding companies have proven to dramatically decrease government audits, and increase a practice revenue.
What happens to a practice that is not found in compliance? Several things can happen, depending on the violations. In the case of a data breach, in addition to the hefty fines by HHS, the HITECH Act also gives the State Attorney General authority to impose civil penalties for violations. A practice can also run the risk of receiving negative publicity. Here's how. If there is a breach in protected health information (PHI) of more than 500 patients, the covered entity (CE) is required to notify each affected patient, and also report the data breach to the media.
There will be various additional sanctions on this practice as a result of the data breach. A scenario like this can certainly cause significant problems to a practice, and patient trust in this practice will be minimal.
What can you do to secure a compliant practice? You have to follow the rules. How do you know what rules to follow? By having security and privacy procedures in place that will protect PHI. Although you can do it yourself, it is proven that using a purchased product, such as an independent medical revenue management company to identify the compliance and security "pain points" of a practice has been highly effective.
Solutions can then be formulated, which will result in increased practice efficiency and compliance.
The HHS has clearly communicated their goal in strict enforcement of HIPAA. Don't let your practice become a bad example. You can be publicly censured by the government for unintentional infractions. You can be subject to enormous fines, loss of patients and possible imprisonment. The reality of being forced to do the figurative "perp walk" of shame because of something that was preventable, is easy as accidentally forgetting to lock your computer when you leave the office for lunch. We want your practice to thrive and focus on giving great patient care instead of dealing with insurance companies, complicated paperwork and the over-bearing government. Take an inventory of your practice and ask yourself this question. When was the last time your practice had a checkup?