Resolving HIPAA Pain Points
The Right of Access Initiative by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) was introduced in 2019. On September 20, 2022, the OCR noted that three new investigations pertaining to patients' right of access under the Health Insurance Portability and Accountability Act (HIPAA)—focused chiefly on dental practices—were underway. With these additional investigations, the OCR has issued 41 enforcement actions since the initiative began.
Simply put, healthcare providers subject to these investigations, whether knowingly or not, were not granting patients’ proper access to their records. The issues typically aren’t willful neglect, but might have arisen based on a lack of standard operating procedures, having data not stored centrally, or a lack of understanding regarding staff responsibilities for records.
In general, the investigations point to the fact that it’s not hard to run afoul of HIPAA compliance regulations, and the potential penalties aren’t minor. While the OCR prefers to resolve HIPAA violations using non-punitive measures, such as voluntary compliance or issuing technical guidance to help covered entities address areas of non-compliance, serious violations can result in financial penalties of anywhere from $100 up to $50,000 per violation, with an annual penalty cap of $1,919,173.
If your practice is investigated, it could also wind up on the “Cases Currently Under Investigation” list, the OCR’s very public chart of entities under investigation in the past 24 months.
Even if your practice is relatively small, don’t assume the OCR won’t target you.
“You might think the OCR is only looking for ‘big fish’ practices,” says Mike Vincelette, Integrity Systems & Solutions co-founder and Finance Manager, “but it depends on who’s looking and if you’ve had an incident. It pays to be diligent.”
Common HIPAA Compliance Pain Points
While HIPAA compliance isn’t easy, there are some typical issues faced by every practice—challenges that can often be easily resolved in many cases. Here are a few of the more common pain points:
Proper Documentation is Critical
“Documentation is about 50 percent of HIPAA, and practice managers can sometimes have difficulty with it,” notes Jon Northway, Integrity co-founder and Senior Technology Consultant. “We understand that, but solid documentation of processes and procedures—for example, what you do in the event of a disaster or a breach—and patient interaction is perhaps as important as any protection you can offer your own practice. We can refer customers to vendors that can help with the documentation side, but there still needs to be some work done on their end.”
Secure Email Communication with Encryption
Also big on the list is a resistance to using encrypted email.
“For dental and medical practices, encrypted email is very easy for us to set up, yet some operators seem to have difficulty with it,” notes Operations Manager Eric Adams. “It might be that they just don’t want the government—in the form of HIPAA—telling them what to do. That’s something any small business owner can relate to, but it’s just generally good security practice. Think of it this way: sending information of any kind through unencrypted email is like sending a postcard—anyone can get their hands on it. And it’s a minimum security bar as far as the government is concerned.”
If you keep your medical records locked up and control access to them, Adams adds, doesn’t it make sense to put the same security controls on your public-facing emails?
Vet Compliance Vendors
Another area related to compliance that practices need to be aware of is vendors that offer compliance protection and guidance. In those cases, Northway notes, it pays to do due diligence before agreeing to work with anyone.
“I’m not sure that I’ve seen big differences in compliance between our customers that use those firms and those that don’t, but we are always happy to help guide them through that process,” he says. “Because these services can be expensive, we urge customers to move cautiously and make sure they’re dealing with reputable companies.”
You might not think about your technology as it relates to compliance, but it does come under HIPAA scrutiny.
“You need to make sure that you have an operating system that is capable of receiving critical updates. If you don't, you're technically out of compliance,” says Adams. “If you are audited, an out-of-date operating system means that a potential for a breach exists. The same applies to antivirus protection and laptop and PC encryption. Most importantly, OCR needs to know that you’re taking steps to ensure that data is protected. We go through HIPAA certification every year and that might be the most critical issue. They want to make sure you’re making best efforts to train employees properly in handling data.”
It all comes back to documentation, says Northway. “You need to be able to prove you’re taking reasonable steps in all these areas. If you can show OCR that you have these processes and trainings documented, it shows good faith effort and makes it less likely that HIPAA violations will be an issue for your practice.”
At Integrity Systems & Solutions, we know how important HIPAA compliance is and how hard it can be to achieve. We also know the dangers of not being in compliance, so we're committed to helping you know where your practice stands and where you need to make improvements. Use our free HIPAA Assessment Calculator to determine if your practice is following HIPAA guidelines or if you're at risk for being in violation.