Can a medical practice--any practice of any size--afford penalties up to $1.5 million? Affordability does not only mean those practices with large cash balances or insurance coverage.
The new HIPAA Omnibus Rule is so complex, the potential for violations is high. Until the rule is in place, medical service providers, practice managers and all staff will be uncomfortable with its provisions. While this is perfectly natural, violations will be very expensive.
The best--possibly the only--way to properly protect the practice is performing a HIPAA Omnibus Rule risk analysis. This will be challenging to complete internally, particularly during the early days of rule implementation.
All medical practices must assess and minimize the risk of violations of the Omnibus Rule. Because the rule provides severe monetary penalties for even honest mistakes, you must identify practice risks and create remedies before violations occur.
How to Assess the Risk
PHI (Patient Health Information) data breaches have been increasing in recent years. This reality has fueled the motivation to write and adopt the Omnibus Rule in the first place. Consider the following suggestions to create an effective risk analysis.
- Educate practice staff on the provisions and dangers posed by the Omnibus Rule. Thorough training and education is imperative to lowering the risk of PHI data breaches. Omnibus Rule penalties can be assessed for apparently small human error, mandating that practice personnel first understand the requirements.
- Test their knowledge after providing the necessary training. Simply dispensing proper information to staff is not enough. Test their knowledge retention, particularly as it pertains to tightened PHI privacy and security requirements.
- Prepare a report identifying staff strengths and weaknesses in understanding the rule. A carefully prepared written report, noting the apparent staff strengths and weaknesses with their level of understanding, will offer critical information to assess and analyze the risks faced by the practice. Those areas identified as weaknesses will require additional training or other remedial action to minimize risk.
- Maintain a "paper trail" that confirms the practice completed HIPAA risk assessment procedures. While this is neither breaking news nor a "secret" tip, preparing and maintaining a complete set of documentation as conclusive evidence the practice conducted a thorough risk assessment is vital. Outside auditors can only verify a risk analysis after the fact by examining documentation proving the practice conducted the assessment.
- Consider using outside consultants or installing self-assessment risk software. If providers or practice managers lack the experience to create internal risk assessment procedures, consider retaining external HIPAA risk consultants or evaluating one of the available self-assessment software options. Both options typically offer more than just risk analysis. Top third-party advisory firms, such as M-Scribe Technologies, and the best risk-assessment software also offer suggestions for effective remedies to minimize the risk of expensive HIPAA Omnibus Rule violations. Both will also provide the necessary documentation to allow the practice to prove conducted a HIPAA Omnibus Rule risk analysis and took appropriate remedial action to prevent violations.
The Omnibus Rule places additional strict requirements on medical service providers and their business associates. The former risk level has been ramped up to a level that creates potential dangerous--and highly expensive--violations.