Ever since Woodrow Wilson and the 16th Amendment gave us a Federal income tax back in 1913, Americans have had to worry about being audited by the government. The modern IRS was born in the 1950s, and it gets very busy every year after April 15th, poring through millions of income tax filings, looking for mistakes and potential revenue.
This year, starting March 21st, another government agency started its second round of audits. These audits, however, have nothing to do with taxes. The Department of Health and Human Services' Office for Civil Rights (OCR) is auditing healthcare providers and facilities for HIPAA violations.
This second round of audits identifies 180 areas of focus for HIPAA compliance by healthcare providers. If you want to review all 180 of them (and you probably should), there is a not-so-easy-to-navigate webpage that explains them all at HHS.gov.
Of course, we all benefit from the security of our private medical information. Medical identity fraud is on the rise, so much so that there is even a Medical Identity Fraud Alliance dedicated to addressing it. Healthcare facilities and providers are already concerned and are taking precautions to keep private patient information from falling into the wrong hands, but the added pressure of an audit and potential fines and sanctions raises the stakes even more.
With that, I'd like to offer three areas you may want to evaluate in your facility or practice to make sure you are compliant.
Confidential Communications- There is a delicate balance in play when it comes to patient communications. The HIPAA Privacy Rule requires providers to give patients access to their own Protected Health Information (PHI) when they ask for it. This means Electronic Health Records (EHR) and other PHI cannot simply be locked away in a vault; providers need to figure out how to provide secure access without compromising privacy. This confidentiality extends beyond verbal and written communications to electronic forms of communication as well. Healthcare providers should be evaluating not only their server, client and storage area networks, but also their phone and video patient interactions. Providers should be choosing telemedicine platforms and hardware that make a best effort to secure patient information; consumer-grade cloud teleconferencing may not be seen to fit that description by the auditor looking into your procedures. Make sure you are confident in the encryption method and in the secure transmission and storage of any remote healthcare services you provide via telemedicine, and that you can show the risk analysis behind those choices, because the Security Rule requires one and an auditor will ask for it.
Business Associate Contracts- As a healthcare provider, you most likely work with several other businesses to provide the best care for your patients. These associates could include pharmaceutical manufacturers, staffing companies, or even outsourced IT and data centers. They may also include technology providers that install and manage technology within your facility. HIPAA requires not only that you make a best effort to protect your patients' PHI, but that you also choose partners that do the same, and that you have a signed business associate agreement (BAA) with any vendor that creates, receives, maintains or transmits PHI on your behalf; the absence of a BAA is itself a violation, whether or not any data is ever lost. Make sure to enter business associate contracts with companies that understand the healthcare space and HIPAA requirements. This is your best bet for mitigating liability and avoiding sanctions and fines for a breach that may not even be your fault.
Facility Access Controls- One area of HIPAA compliance that may not be on your radar is physical access to your facility. Healthcare providers have a responsibility to limit access to information, whether it takes the form of EHR or physical specimens (blood, DNA, urine, etc.), that could compromise a patient's privacy. HIPAA also requires a provider to verify the identity of anyone requesting access to a patient's PHI, and that applies to physical as well as electronic access. The best way to control physical access and verify identity is to implement an access control system similar to what would be used in a data center. Such systems can combine verification methods like key cards, PINs, and biometric devices (fingerprint scanners, hand geometry readers or retinal scanners) to ensure that only the right people reach the appropriate patient information, and they keep a record of who entered which area and when, which is exactly the kind of evidence an auditor will ask to see.
At the end of the day, you still may find an HHS auditor from the OCR contacting you. However, a proactive review of the technology within your facility may help you avoid fines and sanctions by eliminating issues before the real audit begins.
Avidex AV is revolutionizing the way healthcare facilities and doctors deliver care. Its 20 years of experience are being leveraged to drive down the cost of care while promoting positive healthcare outcomes. Is your organization looking for a new kind of technology partner? Connect with one of our Account Executives today to learn more.
About Anthony Paoletti
Anthony brings over 23 years of audiovisual experience and has worn nearly every "hat" in the industry: from Consultant to End User, Account Representative to Install Technician, Project Manager to Systems Engineer. Contact Anthony at firstname.lastname@example.org