Provider Strategy

Knowing Your HIPAA Risk

Do you meet government HIPAA expectations?

As we round out the first half of 2018, there is no better time to ensure your business is compliant, especially where HIPAA rules and regulations are concerned. With more than 3,500 paragraphs, the HIPAA and HITECH regulations can get pretty complicated. To help, let me provide some information on what the government expects your HME provider business to be doing when it comes to HIPAA compliance.

Often, when you hear about HIPAA, the discussion is associated with a hospital or a medical group that had a breach or HIPAA violation. However, as a supplier storing Protected Health Information (PHI) and electronic PHI (ePHI), the laws apply to your business as well. The U.S. Department of Health and Human Services describes those who must be compliant as “covered entities.” Let’s dig a little deeper and understand what types of organizations are considered to be a covered entity.

Covered Entities

Health Plans fall under the covered entity title, which includes anyone who deals with insurance or medical information for patients. Examples of these are HMOs, Medicare, and Medicaid, as well as private insurance. Human resource employees, employers and schools who handle PHI when the employees are hired and students are enrolled are also covered entities.

Health Care Clearinghouses, organizations that collect any PHI from healthcare entities, are also in the covered entity description. Examples include billing/collection services and health management information systems.

Healthcare providers are also covered entities and must be compliant with HIPAA. Some examples of these are physicians, surgeons, dentists, optometrists, hospitals, clinics, nursing homes/care facilities, home health agencies, medical equipment suppliers and pharmacies.

One area in which issues are often found during a HIPAA audit is Business Associate Agreements (BAAs). If you are involved with or fall under any of the following examples, you need to ensure that you are in compliance. Examples of business associates include data processors, subcontractors, consultants, medical transcription services, external accountants and auditors, or any third-party organization dealing with PHI. Further, consider anyone who could come into contact with PHI at your business. This includes a cleaning crew that comes onsite after hours and a shredding company that handles the disposal of your documentation containing PHI. As a covered entity, you should have BAAs in place with these entities. Your BAAs should also address who is liable in the event of a data breach by an associate.

Very simply, anyone who accesses or deals with PHI should be complying with HIPAA regulations. PHI includes any conversation with medical professionals about a patient’s care or treatments, any patient billing information, and any medical insurance information.

HIPAA Risk Assessment

Now that you have a better understanding of who and what is a covered entity, it is important for you to determine your risk. In 2003, the original HIPAA Privacy Rule was issued, and the requirement to have a HIPAA Risk Assessment was put in place. However, many entities have yet to comply with this requirement. In fact, the Office for Civil Rights (OCR) has spent the last two years conducting HIPAA audits, and a copy of your security and risk assessments from the past three years is the first item requested. Would you be able to comply with this request if the OCR audited you today? If that doesn’t frighten you, consider the fines. In 2016, the OCR fined covered entities over $23 million. And in 2017, fines totaled over $19 million for HIPAA violations.

This Security and Risk Assessment (SRA) should take into consideration three main areas. The first is Administrative Safeguards. Do you have HIPAA-related policies and procedures in place? Do you have a comprehensive HIPAA training and education program for all your employees, and can you prove their participation in it? The second area is Physical Safeguards. This includes your buildings and warehouses. Do you have an inventory of all your computers that access PHI? Is your building secure? Lastly, and perhaps most challenging or daunting, are the Technical Safeguards. If you are storing ePHI, do you have appropriate security protocols and firewalls to protect that information? This is an overly simplistic explanation, but everything you should assess can be broken down into one of these three categories.

A risk assessment is intended to identify the potential risks and vulnerabilities to the availability and integrity of the PHI that an organization creates, maintains, receives and transmits. Consider the following when conducting your risk assessment:

1. Identify where your PHI is stored, transmitted and received.
2. Identify and document threats and vulnerabilities.
3. Assess your current security measures.
4. Determine the likelihood of a threat occurrence.
5. Determine the potential impact of a threat occurring.
6. Determine the level of risk.
7. Identify your security measures and finalize documentation.
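One way to keep the seven steps above in a single written record is a small qualitative risk register. The following is an added example, not code from the article or from The van Halem Group: each entry holds a PHI location (step 1), a threat (step 2), the controls already in place (step 3), a 1-to-3 likelihood and impact rating (steps 4 and 5), a derived risk level (step 6), and the planned measure that goes into the final documentation (step 7). The locations, threats, controls and ratings in `SAMPLE_REGISTER`, the 3-point scale, and the score bands are all constructed for illustration and are assumptions of this example, not figures from the article.

```python
"""Qualitative risk register following the seven assessment steps above.

Added example, not from the article or The van Halem Group. Locations,
threats, controls and ratings are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List

CATEGORIES = ("Administrative", "Physical", "Technical")  # the SRA's three areas
SCALE = {1: "Low", 2: "Medium", 3: "High"}                 # assumed 3-point scale


@dataclass
class RiskEntry:
    phi_location: str                 # step 1: where PHI is stored/sent/received
    threat: str                       # step 2: threat or vulnerability
    category: str                     # which safeguard area it falls under
    current_controls: List[str]       # step 3: measures already in place
    likelihood: int                   # step 4: 1 (unlikely) .. 3 (likely)
    impact: int                       # step 5: 1 (minor) .. 3 (severe)
    planned_measures: List[str] = field(default_factory=list)  # step 7

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be rated 1, 2 or 3")
        if self.category not in CATEGORIES:
            raise ValueError(f"category must be one of {CATEGORIES}")

    @property
    def risk_score(self) -> int:
        # step 6: likelihood x impact gives a 1..9 score
        return self.likelihood * self.impact

    @property
    def risk_level(self) -> str:
        # Bands assumed for this example: 6-9 High, 3-5 Medium, 1-2 Low
        if self.risk_score >= 6:
            return "High"
        if self.risk_score >= 3:
            return "Medium"
        return "Low"


def prioritize(register: List[RiskEntry]) -> List[RiskEntry]:
    """Highest risk first; ties broken by location name for stable output."""
    return sorted(register, key=lambda e: (-e.risk_score, e.phi_location))


def open_findings(register: List[RiskEntry]) -> List[RiskEntry]:
    """Medium/High risks with no planned measure: the gaps an auditor will ask about."""
    return [e for e in register if e.risk_level != "Low" and not e.planned_measures]


def summarize(register: List[RiskEntry]) -> Dict[str, int]:
    """Count of entries per risk level."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for e in register:
        counts[e.risk_level] += 1
    return counts


def render_register(register: List[RiskEntry]) -> str:
    """Step 7: the written record, as a pipe-delimited table, one row per risk."""
    header = "| PHI location | Threat | Category | L | I | Score | Level | Controls | Planned |"
    lines = [header, "|" + "---|" * 9]
    for e in prioritize(register):
        lines.append("| {} | {} | {} | {} | {} | {} | {} | {} | {} |".format(
            e.phi_location, e.threat, e.category, e.likelihood, e.impact,
            e.risk_score, e.risk_level,
            "; ".join(e.current_controls) or "none",
            "; ".join(e.planned_measures) or "none"))
    return "\n".join(lines)


# Constructed sample register for a hypothetical HME supplier (illustrative values only)
SAMPLE_REGISTER = [
    RiskEntry("Billing workstation local drive", "Laptop lost or stolen", "Technical",
              ["Screen lock", "Password policy"], 2, 3, ["Full-disk encryption"]),
    RiskEntry("Email to referral sources", "PHI sent to wrong recipient", "Administrative",
              ["Annual HIPAA training"], 3, 2, ["Secure messaging portal"]),
    RiskEntry("Warehouse file cabinet", "After-hours access by cleaning crew", "Physical",
              ["Cabinet lock"], 2, 2),
    RiskEntry("Shredding vendor pickup bin", "Improper disposal by vendor", "Administrative",
              ["Signed BAA", "Locked bin"], 1, 3),
    RiskEntry("Front-desk sign-in sheet", "Visitor reads other patients' names", "Physical",
              ["Cover sheet"], 1, 1),
]

if __name__ == "__main__":
    print(render_register(SAMPLE_REGISTER))
    print("Open findings:", [e.phi_location for e in open_findings(SAMPLE_REGISTER)])
```

Running the script prints the register sorted by score and lists the two entries that are rated Medium or High but have no planned measure, which is exactly the kind of gap to close before the annual assessment is signed off. Each entry also names which of the three safeguard areas it belongs to, so the same register can be filtered to answer the Administrative, Physical and Technical questions separately.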

By identifying these potential risks, you can reduce the potential for PHI breaches and prevent fines for your organization. This assessment will help determine how secure your organization is and where it can improve. A security and risk assessment should be conducted on an annual basis.

Training Your Team

Most HIPAA breaches are the result of employee error, so it is important that everyone on staff receive regular and adequate HIPAA training. This training should include the proper handling of PHI, recognizing and reporting suspicious activity or any possible violations, what constitutes a violation, and how to protect yourself and the company from breaches. Be sure to document what was covered and which employees participated, and stress the importance of the steps that everyone needs to take. There are many risks involved with not being compliant. If you’re a small entity, a breach can potentially wipe you out after you pay the associated penalties and fines. HIPAA compliance and HIPAA training should be an all-hands-on-deck effort, and staff must be on the same page when it comes to ensuring compliance is met.

HIPAA compliance is a requirement for all individuals who work with patients’ protected health information. No matter the size of your organization, it is your responsibility to handle PHI in a secure manner. HIPAA compliance should be a shared responsibility of your organization’s compliance officer and its Security and Privacy officers. There are several products on the market that can assist you with enhancing your current HIPAA compliance program. These products most often include policies and procedures, security and risk assessments, and training capabilities, and they are straightforward to integrate into your organization’s processes. With a little research, you can find an affordable solution that will ensure your organization is compliant with HIPAA regulations and can easily pass an OCR audit.

This article originally appeared in the June 2018 issue of HME Business.

About the Author

Wayne van Halem is the founder and President of audit consulting firm The van Halem Group. Established in 2006, the Atlanta-based firm merged with VGM Group in 2014. The van Halem Group helps providers navigate complex issues related to audits, appeals, enrollment, coding, education and compliance. Since its foundation, van Halem's company has saved clients over $100 million in over-payments and denial recoveries.