One of my favorites among the recent spate of Marvel superhero movies is “Captain America: The First Avenger”. In that movie, Captain America fights Red Skull to protect earth from utter destruction. One scene near the end of the movie actually makes me think of HIPAA. Captain America awakens in a 1940s-style hospital room. Deducing from an outdated radio broadcast that something is wrong, he flees outside and finds himself in present-day Times Square, where S.H.I.E.L.D. Director Nick Fury informs him that he has been “asleep” for nearly 70 years.
When we discuss HIPAA with healthcare providers, we find that many simply do not take it very seriously. The “teeth” of HIPAA regulations seem not to have been vigorously enforced in the past, leading many providers to believe there is little reason to worry about the details, thinking it was all bark but no bite. As time has gone by, while some physicians and groups have tried to stay updated and compliant, many have taken no steps whatsoever, actually creating more chaos. For example, when we first moved back to Missouri a few years ago, my wife took our kids to the doctor for the first time, and she was asked to fill out one form and put all the kids’ names on it, so that the practice could request their records from Michigan. When the Michigan office got the form, they informed my wife that she had to fill out a form for each child to request records. However, our new Missouri doctor said that the Michigan office was just being “overly cautious,” and that the one form should have been all that they needed. We finally got the kids’ records, but it was rather difficult when one practice took HIPAA seriously and the next office did not.
Within the last few years or so, the Department of Health and Human Services seems to be putting much more emphasis on the “bite” of HIPAA, essentially trying to wake up those ignoring the HIPAA legislation from their Captain America “sleep”. In 2014, HHS started conducting audits to find out whether covered entities were complying with the law. The audits found that only 2-5% of those audited were actually in full compliance with HIPAA. After this report, the Office of Inspector General (OIG) recommended that HHS begin implementing a permanent audit program to ensure compliance with HIPAA. The enforcement efforts of these two agencies are effectively waking up many who are covered by HIPAA from their Captain America “sleep”, but just like in the movie, that awakening is not a relaxed easing out of bed, but a cold slap-in-the-face type of awakening.
As the enforcement efforts expand, HHS has begun another round of audits this year, and will actually be increasing the number of audits that will be conducted. Several covered entities have received notification that they are among the first round to be audited. As random audits take place, every doctor, group, hospital, clinic, and other covered entity required to comply with HIPAA must awaken from their Captain America “sleep” as well, or they could face massive fines being imposed upon them for non-compliance.
When we speak with doctors about HIPAA, most tell us that the law is simply an annoyance with which they would prefer not to hassle. When we explain our detailed system for providing complete HIPAA compliance protection, many simply rely upon the fact that they “have never been audited before”, so they assume that they’re safe and won’t ever be audited. We point out that, just as it is too late to buy malpractice insurance after one has been sued, it likewise makes no sense to take chances on HIPAA compliance by waiting to see what happens. The “sleep” from which they may awaken the day an auditor shows up in their office will be harsh and sudden, and far too late to prepare for what might come from the audit being conducted. Likewise, many also seem to believe that if they are audited, they are either already compliant enough, or that any fine assessed against them will not be significant. That belief ignores the very statistics (noted above) regarding how few providers have actually been found to be in compliance through the audits already conducted.
While the details of HIPAA law are rather complex, it is pretty straightforward about some of the basics — what it is you need to have and need to do — to comply with HIPAA. You must have a HIPAA policy and procedure manual specific to your practice (so those who buy generic “manuals” on the internet are still asleep, as those simply do not constitute full compliance). You must fully train every person on your staff on those policies and procedures at least twice a year (and you can’t “sleep” through this process with a short pamphlet for the staff to read). Likewise, you must conduct a thorough risk analysis at least twice a year to look for vulnerabilities and make sure you’re staying in compliance. Given that this is generally the hardest part of HIPAA compliance, one can see why physicians haven’t “awakened” to this part of the process.
Those who are subject to HIPAA laws need to continually monitor the ever-changing regulations to stay aware of any updates or revisions that need to be made to their manual, their training materials, and the type of risk analysis to be conducted. There is a lot to do to stay in full compliance, and it is clearly time for physicians and healthcare entities to wake from their sleep in order to be ready. Otherwise, that awakening will seem much like it did for Captain America, with a shock-to-the-system type of reaction the day the auditors appear.
#confidential #dentist #doctors #HIPAA #liability #medical practice #medical records #patient’s privacy
Nothing posted on Evidentiary Matters is to be considered legal advice or advertising.
The choice of a lawyer is an important decision and should not be based solely upon advertisements.