The complexity of the HIPAA regulations is daunting. For most providers, the HIPAA Privacy rules became effective in 2003, with the Security rules following in 2005. Because of lax enforcement by the federal government, many providers have been less than diligent in following these rules. In fact, physician practices and even small hospitals never got around to implementing any HIPAA security policies.
The stakes for providers have risen. In February 2009, the HITECH Act, included as part of the stimulus bill, specified major revisions to the HIPAA regulations. Jail time for egregious offenses remains at a maximum of 10 years, while monetary penalties were dramatically increased to levels that reach millions of dollars. With this new penalty structure in place, over the last 2 years multi-million dollar fines have been levied on pharmacy chains, health plans, hospitals, and physician groups. In February 2011, an 8-physician group in the Washington DC area was fined $4.3 million for 41 violations. Also new with the HITECH Act, state attorneys general may now enforce the HIPAA rules.
The HIPAA regulations are a moving target. The changes mandated by Congress in 2009 are being translated into final regulations by the Department of Health and Human Services in bits and pieces. Some are finalized, with more to come, probably until 2012.
Further, to earn the well-publicized electronic record incentive payments, hospitals and doctors must “meaningfully use” these systems. Part of “meaningful use” is to conduct the HIPAA-mandated computer security risk assessment and to address any issues identified as part of the provider's ongoing security management process. This effectively means that doctors and hospitals must comply with the HIPAA Security rule as part of meaningful use. The Office of the Inspector General has announced that its work plan for 2011 includes audits of meaningful use payments, so skimping on HIPAA compliance could become very costly.
Eagle has trained hundreds of medical practices, government agencies, and health plans in HIPAA compliance procedures and has consulted with numerous practices and other providers. Compliance engagements begin with a compliance audit: a review of existing policies and procedures, the preparation of an audit checklist, and an on-site audit including a review of physical facilities, computer systems, and required compliance documentation. Overlapping state and federal confidentiality laws will be identified. We then work with a designated privacy and/or security officer to adjust policies and procedures as appropriate, and to prepare a corrective action plan. A corrective action plan will include tasks such as adjusting the computer backup procedures, making physical changes in the office, conducting staff training, and other measures. Eagle can assist with implementation of this plan.
Once policies are in place, practices may subscribe to optional update and compliance services. On an annual basis, Eagle performs an audit of compliance with existing procedures and provides policy updates as appropriate based on regulation changes, changes in the computing ecosystem, physical changes in practice facilities, and staff turnover. Assistance with compliance tasks such as an annual computer security risk assessment, an annual security evaluation, and audit trail review can also be provided.