Tired of hearing about HIPAA compliance?

Rehab Regs, June 3, 2005

Here's why you shouldn't sweep it under the rug

If you scrambled to meet all of the various HIPAA deadlines in the past few years only to experience what seems like an overall lack of enforcement, you're not alone. However, this doesn't mean you should forget why HIPAA regulations exist or that enforcement measures won't eventually crop up.

Unlike the privacy rule, which is enforced by the Office for Civil Rights, the recently enacted security rule will be enforced by CMS. This could mean more enforcement, say some experts.

"CMS has a much larger budget for investigators and knows healthcare a lot better," says Tessa Chenaille, CHC, president and chief executive officer of Chenaille Compliance Consulting, LLC, in Medford, MA. "Nobody knows for sure what will happen, but there's speculation that once CMS becomes involved, things will change."

Future enforcement measures may be up in the air, but experts suggest that you err on the side of caution. The following potential enforcement areas could become reality as CMS begins monitoring HIPAA security measures:

If CMS conducts an audit in a facility and discovers a HIPAA violation, will it be required to act on it?

The Occupational Safety and Health Administration (OSHA) will only perform investigations if it receives a complaint or sees a violation. Will this be the same philosophy for CMS regarding HIPAA violations?

On April 18, the U.S. Department of Health and Human Services (HHS) published proposed enforcement measures for the administrative simplification portion of HIPAA, which includes the privacy and security rules.

"[It wants] to implement the same investigation process and fines for all sections of administrative simplification," says Chenaille. "When HIPAA was originally written, only enforcement for the privacy rule was published. This proposal would allow HHS to impose the same enforcement for the security rule without writing a separate policy."

Originally established under the privacy rule, enforcement can result in a maximum penalty of $100 for each violation and $25,000 for identical violations in a calendar year. But remember, these are civil fines and, based on the severity of the infraction, a facility or individual could also be liable for criminal penalties.

Although future CMS enforcement actions are up in the air, it might be useful to compare HIPAA to the Occupational Safety and Health Act of 1970 to speculate about what might occur. The act resulted in the creation of OSHA. "An OSHA investigator isn't just going to show up unless [the agency] gets a complaint or if [it sees] something," says Chenaille. "With HIPAA, if CMS is doing other types of audits or reviews [at your facility], it could also be required to act on what it sees."

Government initiatives such as HIPAA usually follow already established protocols, such as OSHA standards, says Chenaille.

As with any compliance issue, treat complying with state and federal laws as an evolving process.

"When Medicare corporate compliance first reared its head, clinicians were big on creating a plan," says Lynn Steffes, PT, president of Steffes & Associates, a consulting firm in New Berlin, WI. "When you implement these policies, you should revisit them quarterly to see how things are working." Expect to spend at least a half day with your staff looking over your policies and procedures. "Be an innocent observer," says Steffes. "If you find a problem, it will make everyone more alert."

Even if the security rule goes the way of the privacy rule and HIPAA enforcement continues at a minimum, experts urge providers not to take risks. Here's why:

It's the law. Regardless of whether you could be found noncompliant, HIPAA regulations are in place to protect patients. Do your best to meet them.

You can't afford the fines. If you think you can't afford to put HIPAA requirements in place, consider whether you can afford the fines should you be found in violation of the rules.

Sometimes being a little bit paranoid can keep you out of hot water. "A lot of agencies put time and money into HIPAA privacy [compliance] and nothing happened," says Chenaille. "But just because people haven't heard about enforcement doesn't mean it's not there."

The longer you wait to comply with HIPAA, the harder it will be to come up to speed should enforcement become aggressive.

"The further you get away from it, the harder it is to control," says Steffes. "You could face an audit, and patients are also savvy, so you're always at risk [of a complaint]."

Visit the Federal Register's Web site at www.archives.gov/federal_register/index.html to view the HHS report, 45 CFR Parts 160 and 164 HIPAA Administrative Simplification; Enforcement; Proposed Rule. The comment period ends June 17.
