“A Culture of Compliance” In a Changing Security Environment

By: Donna Henson, CPA, CFE, CISA

While we have all heard of the Health Insurance Portability & Accountability Act (HIPAA), the question still asked is “If I have security for my computers and use the required forms, aren’t I covered?”

The answer is it all depends. In order to determine how compliant your practice is, let’s take a look at what would make a reasonable foundation for HIPAA compliance. Does your practice maintain the following?

1. A Security Risk Analysis – Annually
2. Implemented updated HIPAA documentation that includes but is not limited to:
a. Written policies and procedures;
b. Business Associate Agreements; and
c. Notice of Privacy Practices.
3. Complete and documented HIPAA Compliance Training
4. Entities identified as a “Covered Entity” (providers, insurance companies, pharmacies, clearing houses) must provide patients with a Notice of Privacy Practices

These four actions are the steps to compliance and can mitigate some of a practice’s liabilities in the case of a breach.

What exactly is a breach when you are talking about HIPAA? Did you know that if your team misaddresses billing information, it is considered a breach? The Office for Civil Rights (OCR), the group that investigates issues and performs HIPAA audits, maintains a breach report for all 50 states at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf. This site, commonly called “The Wall of Shame”, has 13 pages and over 450 reported breaches affecting 500 or more individuals from 2014 to July 22, 2015. The state of Florida accounts for 30 of the 450 reported breaches on the wall for that time period.

It isn’t a matter of “if” any longer; it is a matter of “when the breach will occur and how much it will cost”. Statistics show that half of all data breaches now occur in healthcare, and the FBI has warned that health data is highly valued by criminals. Some experts believe health data can sell for 10 to 20 times more than credit card data. But why?

That is simple. Data that is classified as Protected Health Information (PHI) includes any identifiable data that can be tied to a patient in some way. Examples include, but are not limited to: name, phone number, address, email, and birth date.

So back to the question, “If I have security for my computers and use the required forms, aren’t I covered?”

If you can say you have the above foundation and follow the core privacy rule principle of HIPAA, which is that only the minimum necessary information for a legitimate purpose should be shared, then the answer is – possibly. Compliance with HIPAA is complex and requires dedicated effort by seasoned professionals.

Shinn & Co has a specialized team that stays abreast of HIPAA regulations and can assist your practice with compliance. For more information, contact a Shinn & Co professional.