One of the biggest changes introduced by the Omnibus updates was the expansion of HIPAA's reach to business associates. Business associates, such as medical billing companies, are now directly responsible for a new set of compliance measures, and are subject to fines and penalties for non-compliance.
To clarify the HIPAA policy updates and help medical billing companies benchmark against peers, we surveyed over 159 owners, managers, and staff at billing companies. These results:
First, we asked about general HIPAA knowledge and awareness of some recent key events.
The 2013 updates increased penalties for privacy/security violations, expanded HIPAA's reach to business associates like medical billing companies, and set out new rules for notifying patients and the public of security breaches. We asked if respondents knew of the updates before taking the survey.
75% from billing companies said they were aware of the “Omnibus” updates before taking this survey.
Business associates are now directly responsible for ensuring compliance with HIPAA's security rule, should adopt and adhere to a compliance plan, and should conduct a risk assessment on their current businesses.
Background: For more on the Omnibus Rule, read this alert from McGuireWoods or review the rule on the Federal Register.
Also, check out BNA's Health Care Policy Report, "Practical Steps for Business Associate Compliance With the HIPAA Final Rule." It's a great overview of the impact on Business Associates and offers tips for staying compliance.
The Office for Civil Rights (OCR) of HHS will conduct audits of physician practices, healthcare facilities and business associates like medical billing companies. These random audits examine adoption and implementation of HIPAA safeguards, such as privacy and security risk assessments, breach notifications; and training for policies and procedures.
When we asked respondents if they were aware that these audits were taking place, the majority (52%) of respondents from billing companies reported that they were NOT aware before taking the survey.
The first phase of the audit program was conducted in 2011 and 2012. For Phase 2, the OCR plans to send pre-audit surveys to 800 covered entities and 400 business associates; they'll select their audit targets based on the results of those surveys. This article gives a nice overview of Phase 2 of the audit program, and explains how the OCR's plans have evolved over the last few years.
Audits Delayed: The OCR planned to begin audits in October 2014, but decided to delay the start of audits in order to update their technology. An official timeline has not been released. The OCR's advice to covered entities is to use this time to "get your house in order."
This section focused on general compliance measures, including compliance plans, training, security/privacy officers, breach notifications, and risk analyses.
The first step in becoming HIPAA compliant is creating a plan. In fact, HIPAA requires it. A compliance plan is a set of policies and procedures that covers all aspects of compliance within your business, including:
69% of billing companies said they had a HIPAA compliance plan.
If you don't have a plan, you aren't HIPAA compliant.
A crucial component of your HIPAA compliance plan is your staff training policy. Training should be conducted at least once a year to make sure everybody at your business is on the same page. Everyone should know how HIPAA affects their day-to-day work, and how to respond quickly and appropriately to security breaches.
69% of owners and managers reported that their business provides its workforce with annual HIPAA training; of those, about half (53% ) said they have proof of this training.
When we asked staff if they had been provided with HIPAA training within the last year, 81% answered, "Yes." Of those, 81% said they had proof.
If you've offered/received training, obtaining proof is an easy win. Written documentation that backs up the training will come in handy in the case of an audit.
HIPAA Security and Privacy Officers are those in your business responsible for responding to questions and complaints. They also make sure problems and breaches are dealt with appropriately. Appointing these officers is a critical part of developing a strong compliance plan.
When we asked owners, managers, and administrators if their business has formally appointed these officers:
When we asked office staff if they knew the name and contact information of their business's HIPAA Officers
Unfortunately, this means that almost half of those surveyed are falling short on a major HIPAA requirement.
A "security breach" occurs under HIPAA if there is an unauthorized disclosure of electronic PHI (protected health information), such as a computer hacking or loss or theft of a laptop containing unencrypted PHI.HIPAA requires that business associates adopt a formal policy for notifying covered entities of breaches.
Only 60% said their business had a formal policy for PHI breach notifications.
Breach notifications have strong legal and business implications, and HIPAA requires some pretty specific action if a breach does occur.
HIPAA requires you to conduct periodic risk analyses at your business. Doing so is the best way to prepare for an audit and confirm that you have a solid compliance plan. To conduct an analysis, you'll need to consider how PHI flows through your business (whether on paper or via electronic devices); and identify ways that this information could be leaked or compromised.
About half (49%) the billing companies said their business had performed a PHI risk analysis to assess how and where inappropriate disclosures are likely to occur.
Of those that said their business did conduct a risk analysis, 75% said they conducted the analysis internally (only with their staff), and 10% said they conducted it with the help of an outside lawyer or consultant.
The Omnibus updates introduced some major changes for business associates. A business associate is a company that creates, receives, maintains, or transmits protected health information on behalf of a covered entity (directly or "through" another business associate). A Business Associate Agreement (BAA) is nothing more than the evidence that a company is requiring its business associate to handle information properly.
As a medical billing company, you can be on either end of a business associate agreement. For instance, if you're billing for a covered entity, such as a medical practice, you are a business associate of that practice and must assume certain responsibilities. On the other hand, your company might contract with outside vendors and consultants, making them business associates of your company. In that case, you would be responsible for creating a business associate agreement with these companies, and holding them accountable for PHI they use.
75% of billing companies were aware that the new "Omnibus" HIPAA rules require Business Associates of Covered Entities to establish Business Associate Agreements with third-party vendors that access PHI.
When we asked owners and managers about their progress in evaluating all of their BAAs, responses were as follows:
Earlier we pointed you to a BNA article called, "Practical Steps for Business Associate Compliance With the HIPAA Final Rule." We thought it made sense to mention it again - it's easy to understand, and it's packed full of good information.
Following questions about general compliance measures, respondents were asked about their knowledge of HIPAA compliance as it relates to the use of electronic devices. As the healthcare technology space continues to grow, it positively impacts our ability to provide quality care. However, it also also introduces an entirely new set of risks. This is no reason to be afraid of implementing new technology, but a great reason to make sure you're using technology effectively and in a way that keeps your patients' data safe.
HIPAA requires covered entities to keep track of all of their electronic devices that contain PHI. Having an overarching understanding of which devices you have, and where they are at all times, will help you identify potential risks, and discover breaches.
When we asked owners and managers from billing companies about their progress in cataloging all of their electronic devices, 40% said they've cataloged between 76% and 100% of their devices; 17% said they haven't cataloged any, and 15% said they didn't know.
The majority (55%) of respondents from billing companies said they were "very confident" that their electronic devices were HIPAA compliant. 10% said they were "not confident at all."
It's comforting to know that the majority feels very confident that their devices are compliant, but the 45% who don't represent a lot of room for improvement. Periodic risk analysis and ongoing cataloging efforts will help you confirm that your devices are compliant (and identify ones that aren't!).
Diving further into the idea of electronics used in medical billing companies, we asked a few questions about mobile devices (phones and tablets). More and more people in healthcare are using mobile devices to do their work, and we expect this trend to continue.
When we asked owners and managers at billing companies about mobile device usage in their businesses, we found that 44% said they use mobile devices for staff communication, while 19% reported using mobile devices for patient communication.
We asked office staff about their individual mobile device usage (instead of that of their business) -- while they look a little different on the surface, margins of error keep us from making a clear comparison.
The articles below give a great overview of how to make sure your business's mobile devices are HIPAA compliant.
Resource: Protect and Secure Health Info on Mobile Devices
Resource: Mobile Device Policies and Procedures - Fact Sheet
As our final question, we asked all respondents, "How confident are you that someone at your business is actively ensuring your business's compliance with HIPAA?"
When considering all respondents from medical billing companies, 55% said they were "very confident;" 37% said they were "somewhat confident;" and 7% reported "not confident at all."
This makes us wonder - Of those that said they're very confident, are they confident because they know for sure that somebody is keeping them compliant, or is it false confidence rooted in the assumption that "somebody is taking care of it?"
In either case, these numbers were a bit different than those reported by medical practices. Reasons for this are varied, if you have an insight into why this disparity exists, feel free to let us know in the comments.
Disclaimer: The video presentations on this webpage and the associated white papers featuring attorneys from the Daniel Brown Law Group, LLC, are for educational purposes only. Nothing in the videos or the white papers is intended to constitute legal advice or to create an attorney client relationship with any person or entity.
Have some insight on Billing Companies and HIPAA you'd like to share? Maybe a question you'd like answered? Leave comments below!