In 2014, NueMD, an Electronic Health Record (EHR) and billing software company, distributed a questionnaire to medical practices and billing companies to gauge their knowledge of HIPAA regulations, compliance measures, and communication methods.¹ There were 1,197 responses: 1,037 from medical practices and 160 from billing companies. Two years later, in 2016, the survey was distributed again to determine how much had changed in the participants' knowledge.² This time there were 927 responses: 799 from medical practices and 58 from billing companies. The respondents were clients of NueMD.
In this blog post, we compare the data from these two surveys. Some of the results are surprising.
HIPAA Audits
2014: Only 32% of those surveyed were aware of HIPAA audits.
2016: 40% of participants reported that they knew about HIPAA audits.
Audits of business associates (BAs) are currently taking place. The first round of the 2016 audits looked at covered entities (primarily healthcare providers). In October 2016, the HIPAA audits expanded to include business associates; HHS is drawing from a list of 20,000 BAs identified during the first round. Next year, OCR plans to conduct full audits of a selected group of covered entities and business associates. These audits will be more intense than the previous ones because auditors will come onsite for several days, and HHS gives the practice only 10 days to prepare. For organizations that have not started the compliance process in advance, there is almost no way to prepare in time if selected for an audit.³
HIPAA Compliance Plan
2014: 58% of those surveyed stated they had a HIPAA compliance plan in place. However, there was a disconnect between managers and staff: 68% of managers claimed to have a HIPAA compliance plan, but only 43% of staff said the same.
2016: A notably higher 70% of respondents reported that they have a HIPAA compliance plan.
All organizations that come in contact with PHI should have a compliance plan in place. A comprehensive plan requires several important documents, including Privacy and Security Policies and Procedures, Business Associate Agreements, and a Risk Assessment. Based on the responses to the next two questions, it is likely that fewer healthcare providers are actually compliant than indicate they are.
Business Associate Agreement (BAA)
2014: 60% of those surveyed were aware that the Omnibus Rule requires BAAs with third-party vendors that handle PHI.
2016: The number rose to 68% of participants knowing about the BAA requirements.
Business Associate Agreements Reviewed and Updated
2014: 24% of respondents had "all" of their BAAs reviewed and updated since the 2013 Omnibus Rule, and 21% said "some."
2016: There was a modest increase, with 29% responding that "all" of their BAAs had been reviewed and updated, and 19% having "some" of their BAAs up to date.
Recently, OCR was notified that Women and Infants Hospital (WIH) of Rhode Island lost unencrypted backup tapes containing ultrasounds of over 14,000 patients. The tapes also included PHI such as names and dates of birth. WIH is a covered entity member of Care New England Health System (CNE), which provides centralized corporate support for its covered entities. The two organizations signed their BAA in 2005 and had not updated it since. The 2013 Omnibus Rule added new requirements for Business Associate Agreements, and the failure to incorporate them left the 2005 agreement out of compliance. In the end, the outdated BAA contributed to a $400,000 settlement.
Risk Analysis
2014: Only 33% said they had performed a risk analysis.
2016: This question was not included in the NueMD 2016 HIPAA Survey Update.
If there is an audit, one of the first things OCR will ask to see is a Risk Assessment. A risk assessment helps an organization identify where the PHI it handles is exposed to risk. Failing to assess those potential areas of risk is failing to protect PHI.
In July 2016, a settlement was reached with the University of Mississippi Medical Center (UMMC) after a breach that affected 10,000 people. OCR found that UMMC had not taken adequate risk management and security measures. UMMC settled with OCR for $2.75 million.⁵
HIPAA Training
2014: 62% of managers reported that they provided HIPAA training for their employees.
2016: Surprisingly, this number dropped over the two years. Only 58% of organizations surveyed claimed to have provided HIPAA training.
Proper HIPAA training should educate the workforce on the law and on the organization's own policies and procedures. Lack of training means lack of knowledge, which translates into more risk. On October 17, 2016, St. Joseph Health (SJH) settled potential violations with HHS following a report that files containing PHI had been publicly accessible through internet search engines from 2011 until 2012. SJH will pay a settlement of $2,140,500 and adopt a comprehensive corrective action plan. As part of that plan, once HHS gives final approval of the training materials, SJH must train all appropriate workforce members in accordance with its applicable administrative procedures and provide annual retraining.⁶
To help comply with current compliance regulations, check out Total HIPAA's latest service, HIPAA Prime™. HIPAA Prime is an easy-to-follow, cost-effective online solution for quickly developing and implementing your personalized HIPAA Compliance Plan. Whether you are a small or a large organization, HIPAA Prime will satisfy your documentation and training requirements.