If you think breaches are the only issue you have to worry about regarding HIPAA enforcement, you're wrong, according to David M. Vaughn of Vaughn & Associates, LLC, in Louisiana. Vaughn presented Compliance for Success: OIG and HIPAA at the American Society of Interventional Pain Physicians' annual meeting last weekend in New Orleans.
Of all the HIPAA cases the government reported so far, fines range from $50K to about $2.3 million, according to Vaughn. If you analyze those cases, about half of the penalty amounts were related not to the breaches themselves, but the organizations' failures to produce written HIPAA policies and procedures, written risk assessments or HIPAA training certificates for employees.
In other words, if you have a breach but can prove to the government that you took the required steps to prevent one, the fine you end up paying is significantly less severe.
That's not all of the valuable advice Vaughn, who has to date defended about 10 alleged HIPAA infractions, shared with attendees. Consider the following best practices:
Ensure your business associate agreements (BAA) include an indemnity clause. What this clause states is that if your business associate (BA) is responsible for a breach, that the BA is responsible for paying any fines. Many BAs will attempt to pass agreements that lack an indemnity clause so that the healthcare organization will be left paying the penalty or refuse to sign a BAA that includes the indemnity clause. "If they won't sign, find somebody who will," Vaughn said. "It's a big deal because there are literally hundreds of thousands of dollars at risk here."
Obtain cyberliability protection. Because of the risk of vendors who handle your protected health information (PHI) going out of business, Vaughn recommended practices not only obtain cyberliability insurance for their own organizations, but also and make sure BAs you work with carry $1 million in cyberliability coverage. "That protects you in case they go broke," he said.
Encrypt all PHI-containing equipment. "If it houses PHI, if it smells of PHI, you've got to encrypt it," Vaughn said. This includes cell phones, tablets, work stations, thumb drives and any other electronic data. "Is it required? No. But in half of the cases we're going to look at, people got into trouble because was some sort of device that was unencrypted that got stolen or lost." What's more, if your computer does get stolen and it's encrypted, you don't have to report to the government a breach of an unsecured piece equipment--because you did in fact secure it.
Create policies on removing records from the office. "In the compliance policies I do, there are specific policies about how long you can have records in your vehicle and what they have to be in," Vaughn said. He recommends policies requiring that employees keep any records leaving the office in a locked briefcase or car trunk, and for no more than 15 minutes at a time. "These are the policies that the government wants you to think about, because you're increasing the risk that somebody will steal something if you leave it unattended for two hours at a time."
Set rules about removable devices. Clarify in your policies who is authorized to remove devices containing PHI from the office and under what circumstances, Vaughn said, adding that you may want to avoid using thumb drives altogether. "One of the things for me in my office, since I deal with auditing records all the time--I've got PHI all over my office--is that I don't allow thumb drives in my office. It's just too easy to walk off with them. And because they're so small, they could easily get lost."
Conduct adequate risk assessments. At one time, Vaughn created risk assessments himself in about four hours. But today, the complexity of the process and number of devices and systems to analyze really requires healthcare organizations to hire a third-party expert to conduct the risk assessment, he said. Further, don't forget that after your initial risk assessment, you're also required to conduct periodic risk assessments going forward. "It's not one and done when it comes to risk assessments," he said.
To learn more:
- here's the meeting website