HIPAA, Covered Entity, OSHA, HITECH – – Compliance. What’s happening in the world of compliance and why do you as a chiropractor need to be educated and remain in the know? Find out below . . .
First and foremost, according to the Health and Human Services (HHS), chiropractors are included in the covered entity category, and this is regardless of whether or not you have received Electronic Health Records incentive monies. Covered entities are required by federal law to comply with all areas of protected health information and employee safety standards. Impact of non-compliance? In February 2016, a covered entity was fined $239,800 for non compliance.
Further, according to a March 2016 survey among small practices designated as covered entities, 60 percent of the 900 plus professionals surveyed are still unaware of pending compliance audits, and 58 percent have not appointed a securities/privacy officer in their practice. Audits to our profession are forthcoming, and we cannot opt out. Keep reading on how to safeguard yourself and your practice. Also keep in mind that it takes approximately 40 to 50 hours to develop and secure a compliance program.
The three main areas of compliance you need to be aware of, educated in, and be an active participant include: HIPAA, OSHA, and IT Securities.
Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA) law of 1996 was enacted to improve the portability and accountability of health insurance coverage, and it brought individual privacy rights to patients and requires that we notify them of their rights. It also serves to eliminate fraud, waste, and abuse in healthcare. The focus here is to safeguard your practice by securing personal (patient) health information (PHI) and personal identifiers, be it paper or electronic (ePHI). This can include data encryption, secure messaging, compliant Cloud storage, compliant software, and unique password setups. One of the areas I assess when I visit a clinic is locating where the patient paper files are kept and if they are well out of viewing from others.
Your HIPAA requirements to be compliant at the clinic level include:
- Designating a compliance/privacy officer whose primary responsibility is to ensure compliance with the regulations
- Establishing and implementing at least annually, training programs for all employees and doctors.
- Implementing appropriate policies and procedures to prevent intentional and accidental disclosure/release of PHI or ePHI. Encrypting your data for example will lower your chances of ransomware or cyberattacks.
OSHA
The United States Occupational Safety and Health Administration (OSHA) Act was signed by President Nixon in December 1970. It is designed to protect worker safety and promote healthy work environments. Some of you Docs have been involved in workplace safety and onsite workplace assessments in factories. Kudos to you! You were advocating OSHA’s mission by: Educating your client and their employees on workplace safety by conducting posture and ergonomic assessments, and finding the best ways for workers’ compensation patients to get back to work and continue contributing safely and appropriately within their restrictions.
At the clinic level (can be delegated), your requirements to meet OSHA requirements include:
- Displaying the required workplace safety and employee rights posters for all employees to review
- Establishing annual training for yourself and your employees. Local fire departments usually are able to conduct these trainings and are willing to include other participants.
- Developing a written emergency plan in case of fire, severe weather, etc.
- Drawing up an exit plan and post for employees and patients to see. See example below:
- Developing written procedures (universal precautions) to minimize risk exposure to bodily fluids such as blood, vomit, saliva.
- Obtaining Safety Data Sheets for disinfectants used at the clinic, as well as if you process X-rays.
- Have handy your Quality Assurance X-ray manual, follow it, and ensure it is accessible to those who take/process X-rays.
- Ensuring ergonomic workplace assessments are conducted at the clinic and documented. This could include posture screenings for your employees and requiring stretch breaks – for you, too!
Information Technology (IT) Security/HITECH
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of HIPAA and the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Section 1176(a) of the Social Security Act was revised during this timeframe to allow for significant monetary penalties up to $1.5 million for breaches/violations of protected health information. However, an interim revision (later known as The Omnibus Rule) set prohibitions on enforcing such significant monetary penalties if it was found in investigation that the covered entity did not know and with the exercise of reasonable diligence would not have known of the violation. In these cases, the breaches were punishable under the lowest tier of penalties, and further, prohibited the imposition of penalties for any violation corrected within a 30-day time period, as long as the violation was not due to willful neglect. A final ruling in January 2013 reiterates all of the above standards.
Your responsibilities to get IT Securities compliant include:
- Assigning a securities officer
- Conducting a risk assessment
- Ensuring your EHR vendor and billing clearinghouse are HITECH/HIPAA compliant
- Ensuring every vendor you work with has signed a Business Association Agreement with your office and you have those Agreements on file. These need to be updated at least annually.
- Ensuring the clinic’s computer systems are backed up regularly, have virus-checking software, firewalls, and encrypted operating systems
- Establishing securities policies and procedures, including on your social media networks.
- Creating a disaster recovery plan
- Creating a policy and procedure of notification, in the event of a data leak or leak of PHI/ePHI
Impact of non-compliance? Another covered entity was fined $25,000 for posting patient information online.
Feeling overwhelmed? We can help. Contact me on how you can get an initial Compliance Assessment and a Medicare Documentation Assessment with a Report of Findings sent to you, for a ridiculous low price of $299!*
References:
- nueMD Cloud-based health information technology, http://www.nuemd.com/webinars
- HIPAA Journal, http://www.hipaajournal.com/
- United States Health and Human Services, http://www.hhs.gov/hipaa/
- United States Occupational Safety and Health Administration, www.osha.gov/
- Federal Register/Rules and Regulations Publication Vol. 74 No. 209
- Federal Register/Rules and Regulations Publication Vol. 78 No. 17
- Emergency Exit Diagram: www.steamwire.com business continuity templates
*Mileage cost may apply.