Leslie is a principal in the health care practice team of Riddell Williams P.S. She has experience working with hospitals and health systems, physicians and physician groups, public hospital districts, and other health care- related entities in business transactions and regulatory compliance matters. Leslie’s regulatory compliance practice focuses on fraud and abuse, HIPAA compliance and patient privacy, IRS rules applicable to exempt organizations, physician compensation, and Medicare participation and reimbursement.
Q: Documentation seems to be the backbone of compliance, proof that you are acting in accordance with HIPAA regulations. What are some examples of required documentation?
A: HIPAA Privacy, Security, and Breach Notification Rules all require extensive written or electronic documentation and retention of that documentation, generally for six years. A Covered Entity (CE), such as a medical practice or hospital, must document its policies and procedures that demonstrate operational compliance with the Privacy and Security Rules. All compliance-related activities required by the Security Rule must also be documented—for example, risk analysis and risk management programs must document the CE’s analysis and management of risks that electronic Protected Health Information (ePHI) could be inappropriately accessed or disclosed. Another example is the technical and physical safeguards a CE establishes to protect the security and integrity of ePHI. All of this documentation must be made available to those responsible for implementing the procedures as well as to the U.S. Department of Health and Human Services (HHS), if and when HHS requests it.
CEs must also document their activities and communications with patients, such as Notice of Privacy Practices, records of complaints and resolution, and records related to a patient’s right to access and amend the patient’s records and to receive an accounting of all disclosures of the patient’s PHI. The CE must also document a patient’s authorization for use and disclosure of the patient’s PHI.
Q: What is one of the biggest challenges CEs face regarding documentation?
A: One of the more difficult challenges for entities is to actually carry out their day-to-day operations consistently with their policies and procedures. The most significant way of knowing you are in compliance is to conduct an internal audit, which will not only verify sufficient documentation, but also help you identify any gaps between actual practices and the corresponding policies and procedures that need further alignment. Keep in mind, HHS can do an audit of your compliance program and documentation at any time, without much notice.
Q: These new mandates make documentation even more important. Do health care entities generally have protocols to comply with required documentation?
A: Yes. Most health care providers have documented HIPAA compliance programs that incorporate the administrative, technical, and physical safeguards required by HIPAA. They also include the documents and forms needed to document the CE’s communications with patients. The OCR Web site contains some sample forms and educational guidance. You will also find helpful FAQs and a variety of tips and tools. One example is a December 2012 initiative on methods and tools health care providers can use to protect and secure ePHI when using mobile devices.
Q: Are documentation challenges harder or easier, less or more complicated, in clinics and small practices than in larger organizations, e.g., hospitals and HMOs?
A: Smaller organizations often have fewer human and financial resources, such as a minimal IT budget, which can make HIPAA compliance a challenge. On the flip side, large organizations have a larger workforce that needs to be communicated with, trained, and monitored, and a greater universe of data (due to high patient volume and a greater range of services) and physical assets that need to be secured, e.g., computers, work stations, and filing cabinets.
Q: How would a CE approach documenting its compliance with HIPAA regulations and who would take the lead?
A: The CE’s Privacy Officer or Security Officer (can be one and the same) is responsible for this. They would also be the focal point in the event of an investigation or audit. Key components might include privacy and security policies and procedures, forms, having business associate agreements in place, and documentation of workforce training.
Q: Any final advice to our members?
A: Although HIPAA audit and enforcement activities are on the increase, most practices and facilities have already established strong compliance programs. And even though the March 2013 Final Rule implemented some major changes to HIPAA, the core requirements are largely unchanged. This means that practices and facilities will need to update their programs to implement those changes, but doing so is not a daunting task—approach it by identifying the needed changes and updating only those affected portions of your compliance programs using your already established structure. Physicians Insurance has identified these changes and provided guidance on updating your programs—see the Web site HIPAA page at www.phyins.com/hipaa.