Avoid Small HIPAA Compliance Issues that Can Cost Big Money

In this post, BCMS will point out how you can avoid the HIPAA compliance issues that are costing providers big money. The Office for Civil Rights compiled a list of the top 10 HIPAA compliance issues for 2017. Their investigations and enforcement of HIPAA resulted in millions of dollars in fines and penalties. Take a moment to look at the top issues and ensure you are not making the same mistakes!

Avoid HIPAA Compliance Issues Costing Providers Big Money

#1 – Affirmative Disclosures Not Permitted. Sharing, posting or otherwise disclosing patient photos, reviews, videos, etc. without a signed authorization must be avoided. Double-check for patients in the background of posted media: do you have permission from everyone who is shown? Having written policies and procedures in place before disclosing PHI helps ensure that every disclosure is a permitted one.

#2 – Lack of BAA. You must have a signed Business Associate Agreement with every Business Associate who has access to your PHI/ePHI. Be sure you have signed agreements with your EMR, IT, marketing and other vendors! A $31K fine was levied last year on a small practice that was missing a BAA. Be proactive and send a BAA to your vendors; don’t wait until they send one to you. Per the rule, you cannot share PHI/ePHI before a signed BAA is in place. Avoid this costly mistake and ensure all of yours are in place and signed.

What Is a “Business Associate”? A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity. The Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a business associate, if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules. For more details, see the HHS.gov overview.

#3 – No, Incomplete or Inaccurate SRA. You must have an annual Security Risk Analysis per the Security Rule. This is a comprehensive analysis that includes both an assessment and a review for system vulnerabilities. The assessment looks at the physical, technical and administrative safeguards for ePHI. It is possible to conduct your own SRA; however, ensure that the person conducting the assessment has the knowledge and skills necessary to complete the task. Also, be sure your assessment is objective and free of bias, so that your practice is taking the right steps to protect ePHI. Consider outsourcing this process as a solution to both the knowledge and bias concerns.

Under the HIPAA Security Rule, you are required to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity or business associate. Once you have completed the risk analysis, you must take any additional “reasonable and appropriate” steps to reduce identified risks to reasonable and appropriate levels (45 CFR 164.308(a)(1)(ii)). See the Security Risk Analysis Tip Sheet from CMS for more guidance.

BCMS is a full-service compliance consulting firm specializing in outpatient physical therapy practices. Our focused, PT-specific compliance program can help you meet all your compliance needs. We also offer on-site SRAs and include BAAs in our compliance program. Contact us for more information. We are the key to unlocking the compliance mystery.

Physical Therapy Private Practice Compliance – Where to Start

Many practice owners believe that physical therapy private practice compliance is a complex problem. It doesn’t have to be. In this post, we will outline exactly where you should start.

Physical Therapy Private Practice Compliance Points to Address

First, identify the regulations, laws, rules and policies that govern your work.  These could include:

  • Federal, state and local labor laws
  • State Practice Act and Licensing Requirements
  • HIPAA, HITECH and the Security Rule
  • Medicare
  • Other federal and commercial payors
  • OSHA
  • ADA

If you don’t know where to start, the APTA has a great resource with links to physical therapy practice acts in each of the 50 states.

Licensure is required in each state in which a physical therapist practices and must be renewed on a regular basis, with a majority of states requiring continuing education as a requirement for renewal. PTs must practice within the scope of physical therapy practice defined by these state licensure laws (physical therapy practice acts). The entire practice act, including accompanying rules, constitutes the law governing physical therapy practice within a state. Reference: APTA Website

Next, review your existing policies and procedures. Do you have them in place? Are they updated annually, including staff review and sign-off? Over 70% of a successful compliance program is having the appropriate written policies and procedures in place and understood by staff. Policies really do matter!

As you implement your policies, look at how you do your work. For example, email containing PHI must be encrypted. Numerous programs are available to facilitate compliance with this requirement, but do you really need the added expense? Review how often, and in which situations, you are sending PHI via email. Perhaps the same outcome can be accomplished by using your EMR’s internal communications? A little time looking at the process can save money, and even more time, in the long run.

Finally, create a culture of compliance. The entire team must work together to ensure your practice stays compliant. Share the ‘fun’ and have your staff involved in the ongoing compliance requirements. Have regular meetings to discuss successes and challenges. Encourage suggestions to overcome compliance obstacles. Build that culture and compliance will no longer be a ‘task’ on a to-do list but the way your practice moves forward every day!

BCMS is a full-service compliance consulting firm specializing in outpatient physical therapy practices. Our focused, PT-specific compliance program can help you meet all your compliance needs. Contact us for more information. We are the key to unlocking the compliance mystery!