Dr. Oikawa specializes in HIPAA security, privacy, and Health IT safety coaching. He graduated from the University of Michigan, received his MD and MPH from Johns Hopkins University, trained as a biomedical engineer, and has practiced as an interventional cardiologist. For the past 15 years, he has focused on information security risk management at Microsoft and MSNBC, and currently as an independent consultant. He may be reached at firstname.lastname@example.org.
September usually means back-to-school, football, and glorious dry, sunny weather in the Pacific Northwest. It’s the vision that sustains us through the gloom of our long rainy season. But for many practices, this September will be different. September 23, 2013, is the deadline when all hospitals, clinics, and practices must meet all requirements of the HIPAA Final Rule announced in January. Shortly thereafter, the Department of Health and Human Services (HHS) will begin audits to ensure that everyone meets their HIPAA obligations.
The new tiered penalties for HIPAA mean that, depending on the number and severity of deficiencies found by auditors, or uncovered by OCR during a complaint or breach investigation, your practice could face stiff fines, potentially tens of thousands or even millions of dollars.
Breaches are extremely expensive. Surveys show that data breach costs average $200 per individual including the costs of notification, credit check services, technical investigation, correcting problems, legal fees, lost opportunities, and reputational harm. The average U.S. primary care provider has about 2,300 patients, so a breach involving all records could easily cost nearly half a million dollars.
Nearly one in four data breach victims suffer identity theft involving credit or financial fraud.* Medical identity theft is more serious because it can result in a patient’s loss of coverage and errors in medical records. Other related problems include fraudulent use of stolen provider credentials, theft from practice bank accounts, and even targeting of patients for theft of prescription medications.
We rely on trust-building activities everywhere in our lives. Examples include getting a driver’s license, graduating from medical school or nursing school, receiving our professional licenses, gaining hospital privileges, and achieving board certifications. A HIPAA audit measures how well you are meeting your obligations against an objective standard. Passing an audit raises the level of confidence that you, your patients, and HHS have that you are meeting your HIPAA responsibilities. It means that you and your patients can have peace of mind knowing that you have taken all reasonable precautions to prevent breaches. Conversely, failing an audit or having a data breach reduces the confidence others have in you.
HIPAA compliance is a journey, not a destination. I think of sound security, safety, and privacy practices as the essential “HIPAA-healthy lifestyle.” Healthy lifestyles focus on prevention and not remediation. The OCR’s audit program shows that most practices are currently out of shape and overweight, with a “HIPAA-unhealthy” lifestyle. Many have never weighed themselves, checked their blood pressure, or asked themselves if they smoke cigarettes. If you’re like the majority of practices, you have a lot of work to do between now and September.
Fortunately, clinicians have been advising patients on becoming healthier for a long time. If you think of your practice as the “patient,” and the goal as “achieving a HIPAA-healthy lifestyle,” you have all you need to get started.
- You must first learn what’s required for a HIPAA-healthy lifestyle, just as a patient must first understand what makes their lifestyle healthy or unhealthy. Remember, the most common root cause discovered by the OCR was “unaware of the requirements.”
- Next, assess your unique practice situation and identify your risk factors. In some cases the problems will be obvious, but in others you may need help from an expert, peer, or outside observer. Some practices may have underlying high-risk diagnoses requiring specific interventions or therapies.
- Decide and commit. If you opt for a healthy lifestyle and decide to lose weight or quit smoking, you must take personal responsibility to change. Pursuit of HIPAA compliance requires dedication and self-accountability.
- Have a treatment plan and schedule. Once you understand your situation, you’ll need to create a treatment plan to meet the September 23rd deadline.
Like many parts of medicine, there’s no single best way to achieve a HIPAA-healthy lifestyle.
- Watchful waiting is contraindicated because the HITECH Act requires OCR audits. You’ll have only 10 days to prepare if you receive a notification letter from the OCR. And, if you have a breach, the damage will have already been done.
- Transfer care – Sometimes you can transfer responsibility to a specialist, especially with legal or technology matters. However, many activities covered by HIPAA are essential to patient care and are not easily separated. Under the Final Rule, you are ultimately responsible for the personal health information of your patients, even if you entrust it to others. Make sure that your technology or legal specialists have a HIPAA-healthy lifestyle. One area that you can’t transfer is risk analysis.
- Make a referral – In some situations, you can hire a consultant. Consultants provide advice on how to achieve a HIPAA-healthy lifestyle and may help with special skills (diagnostic testing, facilities, or therapies). Consultants work best when they have a specific diagnosis or problem to address. Aside from cost, the biggest downside is that knowledge, understanding, and skills walk out of your clinic when the contract ends. Beware of consultants selling technology silver bullets that are the HIPAA security version of magic diet pills. To work with consultants, you’ll need to be adept at evaluating qualifications (to avoid creating new problems), prognosis (risk analysis), and diagnosing the specific problems they should address.
- Get education – Self-study and classroom instruction are time-honored methods for continuing education and subject-matter mastery. Books, papers, online training, and class offerings abound. One thing to consider about self-study is the huge abundance and variable quality of content. You’ll want to identify who at your clinic should get what training, plus where to start and what to focus upon. Classroom training is an investment of time and money, and you’ll want to use the new knowledge promptly to make it stick. Education and self-study materials can sometimes be generic in order to reach a wide audience, so you’ll still need to apply your learning to your own situation.
- Use a coach – Coaching improves motivation, knowledge, skills, abilities, and decision-making with confidence in sports, executive leadership, clinical practice, and professional development. Top executives and world-class athletes often retain coaches to improve performance. Health coaching can change long-term healthy lifestyle behaviors including levels of physical activity, diet, tobacco use, and medication compliance. Coaching excels when setting goals, motivation, sticking to schedules, and developing problem-solving and decision-making skills are needed, and when sustained results are important. Coaching develops expertise within your practice, and is an investment, not a cost. Coaching is less expensive than consultants but more expensive than self-study. The key is to find a coach with the right combination of knowledge, experience, skills, and coaching style. Coaching may be combined with consultants, classroom training, self-study, do-it-yourself, or even outsource arrangements for better, more sustained results.
September is coming quickly. HIPAA audits are on the horizon. You know what you need to do and the options. Commit and get started now!
*Javelin Strategy and Research, 2013 Data Breach Fraud Impact Report: Mitigating a Rapidly Emerging Driver of Fraud, accessed July 8, 2013, www.javelinstrategy.com/brochure/287#DownloadReport.
© 2013 Robert Y. Oikawa. Printed with permission.