By Stacy Hu, OD, MS, FAAO
May 30, 2018
Complying with the HIPAA privacy rules matters both for your patients’ sake and for the survival of your practice.
Offices that are not HIPAA compliant can be fined by the Department of Health and Human Services (HHS). Depending on the degree of negligence, civil penalties range from $100 to $50,000 per violation, and each affected record can count as a separate violation, up to an annual cap of $1.5 million for violations of the same provision.
Practices that are not HIPAA compliant do not only lose money; their reputation suffers too. A breach affecting 500 or more individuals is posted, with the practice’s name, on the HHS Office for Civil Rights breach portal, where it stays on public record.
Little Steps Go a Long Way
Improving your HIPAA compliance does not have to be hard. You can start by doing small, simple things:
• Requiring a password to log in to every computer, with a separate account and password for each staff member. Some third-party portals, such as those used for insurance verification, only provide a single shared login; for those, keep the password in a password manager, limit who knows it, and change it whenever someone who knew it leaves the practice.
• Setting computers to lock after a few minutes of inactivity, so that a password is required to get back in.
• Locking the computer every time you walk away from it, even briefly.
• Cross-cut shredding any paperwork containing protected health information (PHI) instead of throwing it in the trash.
• Having patients sign a written release before providers discuss their medical information with anyone not directly involved in their care.
• Not discussing protected health information in public spaces, such as a waiting room or elevator, where others can overhear.
These steps are relatively cheap to implement; they mainly require time and commitment. The most expensive “small step” listed above is hiring a shredding company, which can cost as little as $45 per month.
Doing these simple tasks reduces the risk of a privacy breach and moves your practice closer to compliance with the law. That protects patients, and it also protects the practice against fines for a HIPAA violation.
Take Bigger Steps to Increase Compliance Even Further
Further steps are needed to be fully HIPAA compliant: encrypting the disks of every computer in the office, so that a lost or stolen machine does not expose PHI (under HHS guidance, properly encrypted PHI on a lost device is not treated as a reportable breach); making sure the office network sits behind a firewall; and training staff every year so they stay current on patient privacy.
These tasks are time-consuming, and therefore costly in lost productivity. Our office chose to hire an outside organization, Compliancy Group, to help us ensure HIPAA compliance and meet the standards of the law.
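As an added example, not from the original article and not Compliancy Group’s tooling, the following PowerShell script checks three of the controls described above on a single Windows workstation: the inactivity lock from the small steps, and the disk encryption and host firewall from the larger ones. It only reads settings and reports PASS or FAIL. The policy registry key and the Get-BitLockerVolume and Get-NetFirewallProfile cmdlets are standard on Windows 10/11; the five-minute lock threshold is an assumption to match to your own written policy.

```powershell
# Added example (not from the original article): read-only audit of three HIPAA
# technical controls on one Windows workstation. Run in an elevated PowerShell.
# Assumes Windows 10/11 with the BitLocker and NetSecurity modules present.

$maxIdleSeconds = 300   # assumed policy: lock after 5 minutes; adjust to your policy
$results = @()

# 1. Inactivity lock. The "Interactive logon: Machine inactivity limit" policy is
#    stored as InactivityTimeoutSecs; absent or 0 means the machine never locks itself.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$idle = (Get-ItemProperty -Path $policyKey -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
$results += [pscustomobject]@{
    Check  = 'Lock after inactivity'
    Status = if ($idle -and $idle -le $maxIdleSeconds) { 'PASS' } else { 'FAIL' }
    Detail = if ($idle) { "InactivityTimeoutSecs = $idle" } else { 'not set (machine never locks itself)' }
}

# 2. Full-disk encryption. Every BitLocker volume should be fully encrypted with
#    protection on; anything else leaves PHI readable if the machine is stolen.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $weakVolumes = Get-BitLockerVolume |
        Where-Object { $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On' }
    $results += [pscustomobject]@{
        Check  = 'Disk encryption (BitLocker)'
        Status = if ($weakVolumes) { 'FAIL' } else { 'PASS' }
        Detail = if ($weakVolumes) {
                     ($weakVolumes | ForEach-Object { "$($_.MountPoint) $($_.VolumeStatus)/$($_.ProtectionStatus)" }) -join '; '
                 } else { 'all volumes fully encrypted' }
    }
} else {
    $results += [pscustomobject]@{
        Check  = 'Disk encryption (BitLocker)'
        Status = 'FAIL'
        Detail = 'BitLocker cmdlets not available on this machine'
    }
}

# 3. Host firewall. All three Windows Firewall profiles (Domain, Private, Public) should be on.
$offProfiles = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
$results += [pscustomobject]@{
    Check  = 'Windows Firewall enabled'
    Status = if ($offProfiles) { 'FAIL' } else { 'PASS' }
    Detail = if ($offProfiles) { 'disabled profiles: ' + ($offProfiles.Name -join ', ') } else { 'all profiles enabled' }
}

$results | Format-Table -AutoSize
# A non-zero exit code lets a scheduled task or a loop over all office PCs flag failures.
if ($results.Status -contains 'FAIL') { exit 1 }
```

Run it on each computer in the office and keep the output with your compliance records; a FAIL on the encryption line is the one to fix first, since a stolen unencrypted laptop is the most common way a small practice ends up on the breach portal.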
Doctors Should Stay Updated on HIPAA Law
A practice’s owners, doctors and other employees need to understand that HIPAA is a complicated but common-sense law. No one wants their private medical records leaked to the public without their consent.
As with any federal regulation, the rules change over time. Practice owners will therefore find it helpful to have the support of an outside organization (a HIPAA support organization, or doctors’ groups such as Vision Source or ODs on Facebook) to keep them abreast of what is required to stay compliant.
While my practice worked with Compliancy Group, there are other organizations whose sole purpose is to help medical and optometric offices stay compliant and up to date with the law. These compliance services cost about $1,500 per year, though membership in organizations such as the American Optometric Association or Vision Source may confer discounts. HIPAA compliance is much more complicated and challenging than it may seem, and having these organizations’ support can give peace of mind to practice owners.
Make Time Each Week for HIPAA Oversight
Allocate a set number of hours per week for yourself or your staff to work on HIPAA compliance while the practice is first becoming compliant with the law. I found that I needed about two hours a week to work only on HIPAA certification.