To clarify the HIPAA policy updates and help practices benchmark against peers, we surveyed over 1,000 providers, administrators, and medical office staff. Here are the results:
First, we asked about general HIPAA knowledge and awareness of some recent key events.
The 2013 updates increased penalties for privacy/security violations, expanded HIPAA's reach to business associates, and set out new rules for notifying patients and the public of security breaches. We asked if respondents knew of the updates before taking the survey.
64% (659/1026) from medical practices said they were aware of the “Omnibus” updates before taking this survey.
While a majority of medical practices said they were aware of the updates to the final Omnibus Rule prior to taking the survey, 36 percent were unaware of the updates, which now include:
The Office for Civil Rights (OCR) of HHS will be conducting HIPAA audits of physician practices, health care facilities and business associates. These random audits examine adoption and implementation of HIPAA safeguards, such as privacy and security risk assessments, breach notifications, notice of privacy practices, and training to policies and procedures.
Only 32% said they were aware of the audits before taking the survey. This may be due to the lack of information available about the audits, including an official timeline for when audits will begin.
The first phase of the audit program was conducted in 2011 and 2012. For Phase 2, the OCR plans to send pre-audit surveys to 800 covered entities and 400 business associates; they'll select their audit targets based on the results of those surveys. This article gives a nice overview of Phase 2 of the audit program, and explains how the OCR's plans have evolved over the last few years.
Audits Delayed: The OCR planned to begin audits in October 2014, but decided to delay the start of audits in order to update their technology. An official timeline has not been released. The OCR's advice to covered entities is to use this time to "get your house in order."
This section focused on general compliance measures in practices, including compliance plans, training, security/privacy officers, breach notifications, and risk analyses.
The first step in becoming HIPAA compliant is creating a plan. In fact, HIPAA requires it. A compliance plan is a set of policies and procedures that covers all aspects of compliance within your practice, including:
58% of respondents said they had a HIPAA compliance plan. While that might seem like a good sign, it's troubling that 19% weren't sure, and 23% said that they didn't have a plan.
Taking a closer look, we found there was also a disconnect between office managers and staff: 68% of OMs said their businesses had a plan, compared to only 43% of office staff. The important point here is that staff need to be familiar with the plan. Auditors will look to make sure everybody is on the same page.
If you don't have a plan, you aren't HIPAA compliant.
A crucial component of your HIPAA compliance plan is your staff training policy. Training should be conducted at least once a year to make sure everybody at your practice is on the same page. Everyone should know how HIPAA affects their day-to-day work, and how to respond quickly and appropriately to security breaches.
62% of owners, managers, and administrators said their business provided annual HIPAA training; of those, only 65% said they have proof.
When we asked office staff and (non-owner) care providers if they received HIPAA training in the last year, only 56% said yes. Of those, 70% had proof.
If you've offered/received training, obtaining proof is an easy win. Written documentation that backs up the training will come in handy in the case of an audit.
HIPAA Security and Privacy Officers are those in your practice responsible for responding to questions and complaints. They also make sure problems and breaches are dealt with appropriately. Appointing these officers is a critical part of developing a strong compliance plan.
When we asked owners, managers, and administrators if their business has formally appointed these officers:
When we asked office staff and (non-owner) care providers if they knew the name and contact information of their practice's HIPAA Officers:
Unfortunately, this means that almost half of those surveyed are falling short on a major HIPAA requirement.
A "security breach" occurs under HIPAA if there is an unauthorized disclosure of electronic PHI (protected health information), such as a computer hack or the loss or theft of a laptop containing unencrypted PHI. HIPAA requires that covered entities adopt a formal policy that specifies how they'll deal with a breach.
Only 45% said their business/practice has a formal policy for PHI breach notifications.
Breach notifications have strong legal and business implications, and HIPAA requires some pretty specific action if a breach does occur.
The best way to prepare for an audit, and to make sure you have a bulletproof HIPAA compliance plan, is to conduct periodic risk analyses at your practice. To conduct an analysis, you'll need to consider how PHI flows through your practice (whether on paper or via electronic devices); and identify ways that this information could be leaked or compromised.
Only 33% said their practice has performed a PHI risk analysis to assess how and where inappropriate disclosures are likely to occur.
Shining a little more light on the potential communication disconnect present in practices, 14% of owners, managers, and administrators said they weren't sure if their practice conducted an analysis, while 43% of office staff and non-owner care providers said they weren't sure. With potential audits just around the corner, these numbers don't bode well for practices.
Of those that said their practice did conduct a risk analysis, 70% said they conducted the analysis internally (only with their staff), and 20% said they conducted it with the help of an outside lawyer or consultant. It's perfectly fine to conduct the analysis yourself (internally), but hiring an outside expert will often yield a more thorough review. The trade-off, of course, is the price to get it done.
Risk Assessment Resources: check out the Risk Assessment Tool from healthIT.gov, then listen to Dan Brown as he shares why risk analyses are so important and gives tips for conducting one.
One major change introduced by the Omnibus updates is that Covered Entities are now required to establish Business Associate Agreements with third-party vendors that access their PHI. These third-party vendors could include medical billing companies, software vendors, and outside consultants.
60% of owners, managers, and administrators from medical practices were aware that the new "Omnibus" HIPAA rules require healthcare providers to establish Business Associate Agreements with third-party vendors that access PHI.
While that's the majority, the issue here is that 40% weren't informed.
When we asked owners, managers, and administrators about their progress in evaluating all of their BAAs, responses were as follows:
When we took a closer look at practices by size, we found that larger practices (particularly those with 10 or more providers) tended to do better when it came to compliance measures within the office - things like having a plan, training staff, appointing officers, and conducting risk analyses. This wasn't surprising, as larger organizations usually have more resources to devote to regulatory compliance.
After covering some general compliance measures, we shifted our focus to electronic devices and communication. The healthcare technology space is moving fast - new devices and apps are popping up every day. These advancements have extremely positive impacts on our ability to provide great care, but they also introduce a new set of risks. This is no reason to be afraid of the technology, but it is a great reason to make sure you're doing things in a way that keeps your patients' data safe.
HIPAA requires covered entities to keep track of all of their electronic devices that contain PHI. Having an overarching understanding of which devices you have, and where they are at all times, will help you identify potential risks, and discover breaches.
When we asked owners, managers, and administrators about their progress in cataloging all of their electronic devices, only 27% said they've cataloged 76-100% of their devices. Another 27% reported that they haven't cataloged any; 21% said they didn't know.
When we asked owners, managers, and administrators how confident they were that their electronic devices were HIPAA compliant, only 31% said they were "very confident." 18% said they were "not confident at all."
When we asked office staff and (non-owner) care providers how confident they were that their practice's electronic devices were HIPAA compliant, a slightly higher percentage reported they were "very confident" (42%).
Even though the majority in both cases said they were "somewhat confident," we don't think that's good enough. If a practice conducts periodic risk analyses and properly catalogs all of their devices, there should be a lot less uncertainty.
Diving further into the idea of electronics in practices, we asked a few questions about mobile devices (phones and tablets). While many practices use mobile devices today, their use will only become more commonplace over the next few years.
When we asked practice owners, managers, and administrators about mobile device usage in their businesses, we found that staff communication was the primary use, followed by patient communication, then charge capture.
For office staff and non-owner providers, we asked about their individual mobile device usage (instead of that of their business) -- their responses correlated well with those of owners, managers, and administrators.
For respondents that reported some type of mobile device usage, we found that it was most common for employees at practices to use their own devices, or a combination of their own and those issued by their practice. Following the same convention as the mobile device usage questions, we asked owners, managers, and administrators about their business in general, while we asked office staff and non-owner providers about their individual experience.
In addition to asking those that use mobile devices about ownership, we asked how confident they were that their mobile devices were HIPAA compliant.
When we asked owners, managers, and administrators how confident they were that their companies' mobile devices were HIPAA compliant, we found that only 18% were "very confident," with 30% saying "not confident at all." The most common response was "somewhat confident" (46%).
We asked office staff and non-owner providers how confident they were that the mobile devices they use were HIPAA compliant. Their responses, for the most part, matched up with those of owners, managers, and administrators.
These responses are troubling - in many cases, practices are using mobile devices that they don't believe to be HIPAA compliant.
The articles below give a great overview of how to make sure your practice's mobile devices are HIPAA compliant.
Resource: Protect and Secure Health Info on Mobile Devices
Resource: Mobile Device Policies and Procedures - Fact Sheet
Note: Upon further analysis, our data suggests that larger practices (especially those with 10 or more providers) are more likely to use mobile devices for staff communication. This makes sense, as employees at smaller practices might be more likely to work in the same physical location, and to work with fewer people in a smaller space.
Email, texting, and social media all contribute to the uncertainty surrounding compliance with online communication. Over the next few years, communication over these channels will continue to become more widespread, so it's essential that practices know how to use them appropriately.
We asked respondents about both staff and patient communication via email, texting, and social media. Practice owners, managers, and administrators were asked about their business in general, while office staff and non-owner providers were asked about their own individual communication methods.
Of email, texting, and social media, email was the most commonly used method of communication, followed by texting, then social media; this holds true for both staff and patient communication. This wasn't surprising to us - email has been a common way to communicate for years, while the use of texting and social media is a little newer to the healthcare scene.
For respondents that said they do use email, texting, and/or social media for staff or patient communication, we asked how confident they were that communication over these channels was HIPAA compliant. Following the same convention as our question about mobile device compliance confidence, we asked owners, managers, and administrators about their business as a whole; we asked office staff and non-owner providers about their personal use.
As with confidence levels for electronic and mobile devices, we feel the number of "very confident" responses should be higher. Here are a few resources that should help you gain some clarity on making sure your online communication is HIPAA compliant.
Note: It seems that larger practices (particularly those with 10 or more providers) are more likely to use email for staff communication. The same was true for mobile devices.
To wrap up the survey, we asked all respondents the same question - "How confident are you that someone at your business is actively ensuring your business's compliance with HIPAA?"
When considering all respondents from medical practices, 38% said they were "very confident;" 44% said they were "somewhat confident;" and 19% reported "not confident at all." When we broke the responses out by role (owners, office managers, providers, office staff, etc.), we weren't able to find any notable difference in confidence level.
The question at hand, then, is - Of those that said they're very confident, are they confident because they know for sure that somebody is keeping them compliant, or is it false confidence rooted in the assumption that "somebody is taking care of it?" Let us know your thoughts in the comments below!
Disclaimer: The video presentations on this webpage and the associated white papers featuring attorneys from the Daniel Brown Law Group, LLC, are for educational purposes only. Nothing in the videos or the white papers is intended to constitute legal advice or to create an attorney client relationship with any person or entity.
Have some insight on practices and HIPAA you'd like to share? Maybe a question you'd like answered? Leave comments below!