We are often asked to advise clients regarding the scope and content of the Health Insurance Portability and Accountability Act (HIPAA) policies and procedures that they are required to maintain. HIPAA clearly requires health care providers, as “covered entities,” to maintain policies and procedures covering the HIPAA issues that apply to their operations. There is a core of policies that will generally be required for most health care providers. The real issues regarding policy scope exist on the fringes, outside the usual core of policies that all health care providers need to have in place.
Initially, let me make a bold, general statement. A health care provider that has no policies and procedures, or only very abbreviated ones, addressing the confidentiality and privacy of patient information is certainly out of compliance with HIPAA. A health care provider that has no policies, or only very abbreviated policies, regarding the security of protected health information is likewise out of compliance with HIPAA. HIPAA requires all health care providers to have both privacy and security policies and procedures in place that are appropriate for their specific operations. Failure to maintain appropriate policies exposes a health care provider to penalties, which can be quite severe, under the penalty provisions contained in the HIPAA regulations. All you need to do is review recent settlements on the website of the Office for Civil Rights (OCR) to know that health care providers who do not have appropriate policy coverage, or who otherwise fail to comply with HIPAA, are being investigated and assessed penalties under HIPAA. In fact, OCR has become much more proactive in pursuing providers for HIPAA infractions in recent years, and there is every indication that OCR activity is likely to accelerate in the future.
Returning to the actual focus of this article, we advise health care providers to go through a very systematic approach to determine the scope of policy coverage required. One approach is to look at the general topics covered by existing policies and compare that topic list to a compliant policy set or topical listing. We have reviewed many policy sets created using this method and very frequently find material deficiencies in policy coverage. The reason gaps often occur with this method is that HIPAA is not organized around policy names or general topics. Rather, HIPAA involves hundreds of individual regulatory requirements. The only way to properly assess whether policies meet HIPAA requirements is to compare policy coverage against each specific regulatory requirement. This is a tedious and time-consuming process, but it is really necessary if you want to be certain there are no material gaps in coverage. We recommend this process to all health care providers and routinely require it when we handle OCR investigation responses or potential privacy or security infractions for clients.
This is a good place to point out that HIPAA does not require every health care provider to comply with each and every individual regulatory requirement. Not all HIPAA privacy requirements will apply to all providers. For example, requirements specific to health plans will obviously not apply to a medical practice. Coverage should be appropriate to assure that the organization complies with the HIPAA requirements that do apply to it. All providers must comply with the HIPAA security rules, which contain certain regulatory provisions that are “required.” Other specific requirements are “addressable” rather than “required.” Addressable standards must be considered by providers and must be implemented unless there is sufficient documented justification for not addressing the requirement.
A proper HIPAA analysis will create a record that each HIPAA requirement was properly considered. A record should be created that tracks the regulatory areas covered by each policy. The justification for not addressing a specific regulatory requirement in policy should be described and documented. Any resulting gaps in policy coverage are made the subject of corrective action, and identified gaps should be promptly filled. Ideally this should be done no later than thirty days after the gap is identified. Addressing identified gaps within thirty days can help mitigate penalties if past non-compliance ever becomes an issue in the future. Although correction within thirty days does not afford absolute protection, it does preserve regulatory-based arguments supporting mitigation of penalties.
The end result of a proper HIPAA compliance analysis is the identification of gaps in coverage measured against the regulatory requirements. Topical analysis will not, by its very nature, provide assurance that policies comply with HIPAA. If a topical approach or a “policy title” approach was used when the original policies were created, chances are you will find policy coverage gaps once you apply a proper method of analysis. It is safe to say that we normally find significant deficiencies when we subject policies to proper analysis.
Let’s face it. Doing things correctly is time-consuming. Corners get cut in this area all the time. Providers might try to create policies internally, or they might contract policy creation out to a consultant or attorney. Policies enacted years ago were likely not subjected to proper analysis. Policies obtained from reputable consultants or professional organizations are not immune from these deficiencies. In fact, policies from these sources can have deficiencies that are perpetuated across a wide range of clients and/or members of the organization. We have seen, and have had to address, the consequences when complaints are made and investigations are started.
Health care providers should not be lulled into a false sense of security that their inadequate HIPAA coverage will go unnoticed. We can tell you from experience that HIPAA issues can arise unexpectedly, at any time, and often in strange and unforeseeable ways. Often, a patient inquiry or complaint will trigger OCR scrutiny. The complaint may concern a very minor issue or may not even involve an actual HIPAA violation. That initial complaint can very quickly expand into areas not directly involved in the complaint. Usually, OCR will send an initial inquiry letter to the health care provider as a result of the complaint. The provider may be asked to provide certain information or to respond to the complaint in some way. Once a response is provided, OCR will often ask for additional information. Through this process, gaps and deficiencies in policy coverage and/or process can be identified. The end result can be citations and penalties for deficiencies not directly related to the initial complaint. Even for HIPAA violations that occur without actual knowledge, penalties can be assessed from $0 to $50,000 per violation, with multiple violations possible based on insufficient policy coverage.
Although systematic HIPAA compliance may seem a daunting task, it is nonetheless necessary in order to mitigate potential penalty exposure. As time has passed since HIPAA was enacted, enforcement agencies now expect providers to be compliant and are increasingly less forgiving when deficiencies are discovered.