HIPAA Compliance Obligations
A guide to identifying and prioritizing the components of a compliance program
By Clay J. Countryman, JD
Physician practices face many challenges in complying with the HIPAA Privacy and Security Rules that apply to patient information used by practices to treat patients and coordinate services with other providers. A common question by physicians and practice administrators is what components should be part of a HIPAA compliance program, at a minimum, to avoid fines and penalties under the HIPAA Rules.
Although an answer to this question generally depends on the size and specialty of a physician’s practice, as well as many other factors, information requested by the Office for Civil Rights (OCR) during a HIPAA investigation, and resolution agreements in settlements by the OCR of HIPAA violations, offer good examples of a framework and minimum components for a physician practice HIPAA compliance program.
For example, the following is a list of common information requests by the OCR in the initial stages of an investigation. This list may also serve as part of a checklist for a practice’s HIPAA compliance program:
Name and contact information of the privacy officer.
Evidence of any internal investigation (timeline of events,
persons interviewed, dates, outcome, and relevant documents).
Any mitigation factors that were employed.
A copy of any risk assessment of any alleged breach of patients’ protected health information (PHI).
Copies of any policies and procedures regarding safeguarding of PHI.
Copies of any policies and procedures regarding disclosure
of PHI.
Information about any sanctions imposed on any employees.
On April 13, 2012, the OCR entered into a settlement and corrective action plan with a cardiothoracic surgeon’s practice in Phoenix, Arizona, based on certain violations of the HIPAA Privacy and Security Rules. The OCR required the practice to take several actions, including adoption of written policies and procedures to bring the practice into compliance with the HIPAA Rules.
The following actions identified in the resolution agreement for this practice’s settlement agreement highlight possible areas of physician practice operations that may subject the practice to liability under the HIPAA Rules. The OCR specifically noted that this cardiothoracic practice:
Failed to provide and document training to each workforce member on required policies and procedures with respect to PHI as necessary and appropriate for each workforce member to carry out his or her responsibilities.
Failed to have in place appropriate and reasonable administrative and technical safeguards to protect the privacy of patients’ PHI.
Failed to implement required administrative and technical security safeguards for the protection of electronic PHI.
Failed to identify a security official.
Failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI held by the practice.
Failed to obtain satisfactory assurances in business associates agreements.
A common requirement in resolution agreements between the OCR and health care providers in HIPAA enforcement cases is a requirement that a provider adopt written policies and procedures that ensure administrative, physical and technical safeguards to protect both non-electronic (hard copy) and electronic patient information (protected health information). These policies should generally address all types of patient information used and disclosed by a physician practice, including the disposal of patient information.
In addition, physician practices (and all health care providers) should focus their compliance efforts on the following areas of the HIPAA Security Rule:
Risk analysis and risk management. Conduct a thorough security risk analysis and risk management plan, identifying and addressing the potential risks and vulnerabilities to all electronic PHI.
Security assessments. Conduct periodic security evaluations and ensure that appropriate physical and technical safeguards remain in place, including office moves or renovations, and conduct appropriate technical evaluations for software, hardware, and websites upgrades that may impact PHI.
Portable electronic devices. Safeguard PHI stored and transported on portable electronic devices, such as through encryption.
Physical access controls. Verify that physical safeguards limit access to facilities and workstations used to maintain or access PHI.
Disposal of patient information. Adopt policies and procedures for the proper disposal of PHI in both paper and electronic forms. Electronic devices and media (laptops, copy machines, fax machines) that may contain PHI should be purged or wiped before they are recycled, discarded or returned to a third party, such as a leasing agent.
The items described above are just a few of the available sources practices can use as a guide in determining what is needed in their HIPAA compliance programs. Copies of resolution agreements from settlements of HIPAA enforcement actions are available on the OCR website at www.hhs.gov/ocr/privacy.
Document Actions