Boston’s Healthcare Attorney Explains HIPAA

Ezra

The Reinstein Law Firm has many clients in health care. Internists, psychologists, hospitalists, surgeons. Solo practitioners. Heads of group practices. Department chiefs and directors. Smart, conscientious, well-meaning professionals, every one. I respect them. I enjoy working with them.

So I say with all due respect: There are a lot of misconceptions out there about HIPAA. A lot.

This is not surprising! HIPAA is a huge and complicated statute that’s gone through a number of permutations through the years. While perhaps not as conceptually challenging as physician self-referral law (aka the Stark Law), it is incredibly detailed, with an enormous set of requirements, and severe penalties for non-compliance. It applies to the biggest hospital groups and the smallest solo practices.

I want to address one of the biggest and most serious misconceptions. I’ve heard different versions of this many times: “We use a secure, HIPAA-compliant EMR system, so we’re compliant with HIPAA. Right?”

No. Wrong.

HIPAA’s Security Rule, it’s true, does require that electronic health records be secure.

But that’s only one step in a laundry list of requirements. The Security Rule has many other requirements. And then there’s the Privacy Rule, and the Breach Notification Rule…

Here is a very incomplete list of HIPAA requirements, aside from using a secure EMR system:

  • You must conduct and document a formal HIPAA risk analysis. This is an absolutely key step!
  • You must draft (and implement) a full set of HIPAA Privacy Rule policies and procedures. For instance, you must have a form that a patient can fill out to request access to his/her own medical records; you must have a written policy to address how to respond to such requests; and you must maintain a database of all such requests, including how you responded to the request.
  • You must draft (and implement) a full set of HIPAA Breach Notification Rule policies and procedures.
  • You must post a Notice of Privacy Practices in your office and on your website, and give a copy to all patients.
  • You must conduct comprehensive workforce HIPAA training, and document the participation of all members of your staff.
  • You must develop a disaster recovery plan policy.
  • You must develop a formal set of sanctions for staff non-compliance.

Have you done all these things? As I mention in another post, the deadline for compliance was quite some time ago.

For those of you who already have a secure EMR system, good news – you’ve already completed one of the single most expensive elements of HIPAA compliance. Drafting a set of privacy policies is just as much a requirement as having a secure EMR system. But there are no license fees, no hardware expenses – just the cost of the time it takes to draft and implement them.

No one said HIPAA compliance would be easy. If your practice is not in compliance, I urge you to contact a health-care attorney to help you. Compliance should be a top priority.

 
