The Physicians Lifeguard

HIPAA Coaching

Why a Doctor's Office of Any Size Needs HIPAA Coaching Now

Small and medium-sized medical practices offer a level of personalized care that patients appreciate. Of course, this “old-fashioned” approach to provider-patient relationships can make it easy to forget the intense scrutiny that all medical practices are under. Everyone who deals with patients or patient data in any capacity needs HIPAA training. This can place a smaller doctor’s office at a disadvantage because staff may not have the training or technical skills to develop and operate a fully compliant environment. Outside HIPAA coaching can often take care of this problem. However, it’s important to understand the complexities of obtaining and keeping HIPAA compliance in a data-driven medical landscape before implementing a plan.

The Damaging Impact of HIPAA Complaints

A HIPAA complaint can be damaging and costly for a medical practice. Unfortunately, doctors and practices face some steep fines when HIPAA violations are uncovered. Violations are grouped into four separate tiers:

  • Tier one: $100 to $50,000 per violation.
  • Tier two: $1,000 to $50,000 per violation.
  • Tier three: $10,000 to $50,000 per violation.
  • Tier four: $50,000 per violation.

Fine caps range from $25,000 to $1.5 million per year. Few medical practices could sustain a hit of hundreds of thousands of dollars in fines in a single year. Receiving a letter from the U.S. Department of Health and Human Services (HHS) regarding a HIPAA violation is a very serious matter. HHS is collecting HIPAA fines in record amounts. In fact, the agency collected $28.7 million from HIPAA-covered entities and associates in 2018 alone. That figure follows several years of record-breaking fine collections.

The Complicated Task of Being HIPAA Compliant in a Data-Driven World

Each patient creates a complicated data trail that has to be stored and handled in very specific ways to avoid HIPAA violations. What’s more, medical practices of all sizes are required to follow specific administrative processes to demonstrate that HIPAA compliance is being maintained. Here’s a glance at the requirements that need to be in place:

  • A security-management process for preventing, detecting and containing all potential risks or violations.
  • Assigned security responsibility for one designated official.
  • Workforce-security protocol designed to control and restrict access to information.
  • Information-access management that restricts access to protected information via permission channels.
  • Security awareness and training that shares and enforces rules across an organization.
  • Security-incident procedures for addressing actual and potential data breaches.
  • Contingency plans for emergency situations that require data recovery or backup.
  • Evaluations that review, maintain and update policies and procedures based on the latest HIPAA updates.
  • Arrangements for associates and contractors to ensure compliance when working with third-party entities.
  • Facility-access controls that safeguard computers, servers, and storage systems.
  • Protocol for workstation/computer usage to avoid vulnerabilities.
  • Device and media controls that initiate procedures for storing or disposing of hardware, removable storage, and devices.
  • Access controls that establish privilege levels.
  • Audit controls for analyzing activity in the event of a data breach.
  • Integrity controls that demonstrate protected data has not been improperly altered.
  • Person or entity authentication through password protection, scans, and other data safeguards.
  • Transmission security when sending or transferring data.

It’s important to remember that a person’s intentions don’t need to be nefarious for an action to qualify as a HIPAA violation. Accidentally losing an unencrypted laptop containing patient records or emailing an unsecured document to a third party can qualify. That’s why HIPAA-compliant systems and protocols must be in place for every transaction. What’s more, these protocols are required to protect data from both internal and external threats.

What Counts as a HIPAA Violation?

There are countless ways to violate HIPAA requirements, and many of them aren’t obvious. The majority of violations made every year are due to negligence or partial compliance. Yes, theft or data hacks are sometimes responsible for violations. However, most violations happen because of innocent mistakes resulting from procedures that don’t follow compliance requirements. Here’s a look at common causes of HIPAA violations:

  • Discussing personal health information in public.
  • Posting personal health information online or via social media.
  • Theft or loss of computers or equipment containing personal health information.
  • Hacking, phishing scams and malware.
  • Emailing, mailing, faxing or transferring personal health information to the wrong recipient.

Unfortunately, many violations are simply caused by poor judgment on the part of office staff. This is why training is important for protecting the reputation and integrity of a medical office. Effective HIPAA coaching requires a mix of technology coaching and reinforcement of “best practices” for privacy.

How to Create an Effective Compliance Program at a Doctor’s Office

The Department of Health and Human Services (HHS) is very specific when it comes to the elements that need to be included in a HIPAA training program. The agency highlights seven core principles that should guide any training initiative. Here’s a look:

  1. Implementing written policies, procedures and standards of conduct.
  2. Designating a compliance officer and compliance committee.
  3. Conducting effective training and education.
  4. Developing effective lines of communication.
  5. Conducting internal monitoring and auditing.
  6. Enforcing standards through well-publicized disciplinary guidelines.
  7. Responding promptly to detected offenses and undertaking corrective action.

HHS also stresses the importance of making compliance a priority now. A big part of coming into full compliance is knowing your office’s fraud and abuse risks. This is where a full audit comes into the picture.

Why Medical Offices Need HIPAA Coaching

It often takes an outside eye to achieve HIPAA compliance, and that is where HIPAA coaching comes in. When you bring in a compliance coach, you’ll be empowered to conduct a self-audit and to identify and correct deficiencies. Correction can come in the form of a comprehensive plan for gap remediation, training and policy templates that is supported by cloud-based, automated reporting, tracking, and attestation tools. Your office will be left equipped to document its compliance for auditors, associates, and covered entities. Contact us for more details and HIPAA coaching.