Blog, Chirosecure Live Event March 11, 2024

Chiropractic Malpractice Insurance – A Re-Look at HIPAA Privacy and Security Compliance


Disclaimer: The following is an actual transcript. We do our best to make sure the transcript is as accurate as possible; however, it may contain spelling or grammatical errors. We suggest you watch the video while reading the transcript.

Hi, everyone. This is Michael Miscoe with Miscoe Health Law with this week’s installment of ChiroSecure’s Growth Without Risk presentation. And this week, we’re going to talk about HIPAA, the Health Insurance Portability and Accountability Act. And just, step one in HIPAA, you can assess your HIPAA compliance.

If you thought it was spelled H I P P A, then you probably need to get back into your privacy and security compliance book to get a refresher. It’s actually H I P A A. That’s a little bit of humor to start off, but if you haven’t thought about HIPAA in a long time, it’s time to look at it, and let me tell you why.

The Department of Health and Human Services Office of Civil Rights recently announced that they’re going to start random audits on covered entities and business associates this year. And the last time they did this was in 2017, so they have been silent for quite some time. I think part of that is a manpower issue.

I know they have a huge backlog of cases because they have insufficient agents to investigate all of them, and they tend to focus on the big cases, with health plans or pharmaceutical companies or people that have enormous resources. And they haven’t traditionally spent a lot of time, except through these audits, focusing on the little folks, the small- to mid-sized physician practices, unless, of course, there was a very notable or noticeable breach.

In 2017 they audited 207 providers across the country. And it was what they called their phase two audits. For those people, they’re going to follow up with a survey to find out what corrective actions they’ve done, things that they’ve done since those audits to improve their HIPAA compliance.

When you think of 207 out of the total number of possible covered entities, which includes every insurance company, physicians, PTs, every type of healthcare provider, nursing homes, etc., it is a very small number, and you might think, hey, it’s so small, I don’t need to worry about it.

I did have clients that did get audit surveys back in 2017 when this happened. Don’t necessarily consider that you don’t have to pay attention to this. The other reason you should think about HIPAA is because if there were, God forbid, a breach and your HIPAA privacy and security policies and procedures were not up to date, OCR considers that a knowing violation, and for a knowing violation the fine is a minimum.

It starts at 50 grand. There are huge financial penalties for not paying attention to HIPAA. Now, before you start losing your mind, the first thing you need to assess is, are you a covered entity under HIPAA? And if you’re not and you get a survey, you need to make sure that you respond appropriately, saying that you’re not a covered entity and why.

A covered entity under the regulations, by definition, is someone who submits electronic claims in the 5010 transaction standard, either directly to a payer or through a clearinghouse. If you submit electronic claims, you qualify as a covered entity, and it only takes one. If you don’t routinely do it, that doesn’t matter.

If you submit an electronic claim, you’re in. The other thing that you can do to be a covered entity is electronic benefit verification, specifically through a payer portal. So if you’re a participating provider with the Blues and you verify benefits, you get online and do any of that type of activity electronically, that makes you a covered entity. The last one is electronic remit, or you do electronic claim reconciliation online. You can submit appeals and things like that if you think a claim was improperly denied. That also makes you a covered entity.

Now, if you’re entirely a cash practice, meaning you perform only non-covered services for cash, and you submit no claims, don’t do any electronic benefit verification, and you don’t accept electronic remits, then you’re not a covered entity under HIPAA and you don’t need to worry about this. You may get surveyed because you’re a provider and there’s a presumption that every provider is a covered entity, but if in fact you’re not, because you do not engage in those things, then you would respond by saying that we’re not a covered entity as defined in the regulations, and you move on from there. Now, for those of you that are, their announcement was interesting: they’re coming up with a new strategy, and they seem to be focusing more on the security side, meaning how you store electronic protected health information, transmit ePHI, and so forth.

And they’re looking to update the HIPAA security rule in the spring of this year, which is coming up shortly. And their focus in these audits is to see how covered entities are implementing the changes to the security rule. It doesn’t mean that, since this is an information-gathering thing, they won’t find people who are non-compliant.

But it does mean you should probably dust off your HIPAA security policy, because things change every time you get a new computer, a new device, or something of that nature, and you need to account for that under your HIPAA security policies and procedures. I had a situation where a wound care provider thought it was a good idea to take pictures of wounds on his personal cell phone and text them to his staff on that person’s personal cell phone.

And then they copied them into the computer. The question became, what happened to the PHI that was stored on those cell phones in terms of images and text? And their security policies did not address that, because at the time they developed them they weren’t doing that. And of course, one of the cell phones got lost with all this PHI on it.

And it created a scenario where they had a breach, which then became reportable, and we had to do some dancing. Don’t assume that your security policies are up to date if they haven’t been reviewed in some period of time. Also, with security policies, you have to evaluate your particulars, so there’s no off-the-shelf HIPAA security product that is going to be appropriate for you, because you have to assess what your hardware infrastructure is, how you transmit data, where you store it, how you store it. Is it secure? Is it encrypted or not? Your EMR programs: if you got a new EMR program, you’ve got to go through that analysis again. And if you have not done that, then it’s certainly something you need to look at.

Now there are solutions for this that make this relatively easy. You can buy something off the shelf, but make sure you implement the things in there that it tells you to implement. Off-the-shelf products can only take you so far, and most of them, especially in the privacy and security realm, even in the fraud and abuse realm, will say, okay, you have to do this.

What people do is they buy the book and they think that they’re done, and they don’t ever bother to read it. Look at the security and privacy policies and procedures that you have. And I always know that providers are not paying attention to HIPAA when I get a new post-payment audit case: the first thing they do is they start sending me audit reports with spreadsheets and all this PHI through unsecured email before they’ve even locked me down as a business associate.

And that tells me that they’re not thinking about HIPAA. In fact, in the last 15 years, I’ve had one client actually send me a business associate agreement to sign before they would send that stuff. That tells me that most folks aren’t thinking about this as cautiously as they should. And it’s not your fault.

I remember when privacy came out and you had every huckster on the planet selling you disappearing-ink sign-in sheets and hermetic vaults for your records and all this stuff that you didn’t actually need. And there was an element of burnout with HIPAA by the time the security rules rolled around four years later.

The privacy rules came out in 2002. The security rules came out in 2006. And I thought the security rules were much more significant and required a little more effort, because they do. But by the time they came out, providers just didn’t want to hear about it. I understand and I get it, but because these audits are happening and are likely to continue to happen, you need to pay attention.

The things that they found in their last audit were what they said were widespread shortcomings in compliance by both covered entities and business associates, and they did publish a report in December 2020 that described the critical areas of non-compliance. The two biggest ones were timeliness of breach notification, meaning that there were breaches and notification either didn’t occur or didn’t occur within the time period in which you’re supposed to notify patients and OCR of a breach.

Prominent posting of notice of privacy practices on provider websites. Just so you know, it’s not required to be posted on your website. You can post it in your office at your front desk or something. But that was one thing that they noticed. And then the third thing was compliance with patient rights to access their records.

And, relative to the breach, the breach notifications were not compliant. Providers were trying to downplay what was breached to mitigate liability. And unfortunately, a breach notification has to have certain things in it, and providers were non-compliant with that.

So that’s what they found, so I would recommend: dust those policies and procedures off. Review them. Make sure that they’re up to date, that they’re relevant, especially on the security side. And if you need help, there are online tools available. You have to pay for them. I do every year, but that’s how, as a business associate, I maintain my HIPAA privacy and security policies, because I realized, as a lawyer, it just took too long to do this with clients; it was way too expensive, and there are online tools that make it relatively simple for you and walk you through the process so that you have, hopefully, compliant policies and procedures. That’s all we have time for this time. Next, oh, one last thing. I did want to give you an update.

Last month we talked about the Corporate Transparency Act and I encouraged everybody to file. Just as an update, a federal court in Alabama struck that law down as unconstitutional, so for now that law is on hold, so don’t worry about corporate transparency, but stay tuned. I suspect that that ruling will get up into the appellate courts. The basis for unconstitutionality was a bit unexpected, but nonetheless keep an eye out to see what the status of that is going forward.

If I hear anything, tune in to a future Growth Without Risk presentation. As soon as I hear something new, I’ll give you an update on that. That’s all we have time for today. Thank you very much, and we’ll see you next month.


