In my last blog post, I talked about how the environment of HIPAA enforcement has changed recently, and how a much greater degree of HIPAA enforcement is just on the horizon. HIPAA fines and penalties have increased, the Office for Civil Rights (OCR) is using money it has recovered to pay for additional enforcement activities, state attorneys general now can prosecute HIPAA violations and OCR is teaching them how, and individuals who have been injured now can get a “piece of the pie” when fines are levied. All of these point to increased enforcement.
So what should you be doing so you don’t end up as road kill on the HIPAA highway? Naturally, you need to do the headline stuff: have the forms (Notice of Privacy Practices, Business Associate Agreements, HIPAA-compliant authorizations for non-standard releases), train your staff and draft policies and procedures. Documentation is fine, and necessary, but not enough. You really need to implement and adapt. If you suffer a data breach, or a patient files a complaint and the Office for Civil Rights comes a-knocking, a dusty three-ring binder with the word "HIPPA" on the spine won't be enough (especially if you misspell HIPAA).
Having solid HIPAA policies and procedures (P&Ps) will go a long way in answering to OCR. OCR can't really tell at first blush whether you're a good actor or a bad one when it comes to how you protect medical record privacy and security. They'll only know when they come in and kick the tires some. But they'll take their cues and develop first impressions based on what they see as part of their initial investigation, and they always ask to see your policies and procedures. If you're strong there, you might get the benefit of the doubt. If you're weak, they may look a little harder at how the bad incident occurred in the first place, and whether there's some fault to be laid at the entity level. More importantly, though, solid P&Ps will prevent the incidents that result in a visit from OCR in the first place. You can't stop everything, and "stuff" happens, but (i) it's much less likely to happen, (ii) what does happen will be less damaging, and (iii) OCR will treat you more kindly if you're solid on your P&Ps.
There are three keys to good P&Ps: they need to be complete and comprehensive; they need to be adapted to your particular situation; and they need to be followed. You can see what's "required" (and what's "addressable") by looking at the Security Rule, 45 CFR Part 164, Subpart C (§§ 164.302 through 164.318 and Appendix A to Subpart C). You can also get standard forms from a number of different HIPAA vendors (or your friendly HIPAA lawyer), and those will give you a good starting point. But that's certainly not your stopping point and, for that, you need to personalize, customize and adapt. How do you do that? You've got to start with a thorough review of your operations and the required "HIPAA Risk Analysis" (45 CFR § 164.308(a)(1)(ii)(A)). That will be the subject of the next blog post, so stay tuned.