Understanding and Managing the HIPAA Security Rule

Protecting the privacy of patients is of paramount concern to healthcare organizations today. Data breaches and hacking attempts are happening more frequently. Regulatory requirements are constantly changing. And the pace of technology innovation keeps increasing. The penalties, both financial and reputational, can be disastrous for any organization, and its compliance team, that is not prepared and in the know at all times.

For example, recently a healthcare institution mailed hundreds of patient statements, containing names, account numbers and payments due, to wrong addresses. The organization believed that, for most of these statements, this was not a reportable breach, because there was no patient diagnosis, treatment information, or other medical information listed.

This was not correct. And the failure to understand the rule and its nuances resulted in a $2 million settlement.

The HIPAA Security Rule is the hedge against that kind of disaster  —  so grasping its complexity is crucial.

The regulations that make up the Security Rule are often the most difficult to understand and implement, because every safeguard must be documented, monitored and, where required, reported. All covered entities and their business associates are required to meet the standards in the Security Rule, and many standards carry implementation specifications that spell out the steps needed for compliance. Implementation specifications are either "required" or "addressable", and addressable does not mean optional: the organization must implement the specification, implement a reasonable and appropriate alternative, or document why neither is reasonable and appropriate in its environment.

From an administrative perspective, HIPAA requires a documented framework of policies and procedures. These policies and procedures detail exactly what your organization does to protect protected health information. For example, policies can set out the security awareness training required for all workforce members, including those who do and do not have direct access to patient information.

The documents that make up the policy and procedure framework must be retained for at least six years from the date they were created or last in effect (state requirements may mandate longer retention periods). As policies change, so must the accompanying documentation. The Security Rule also requires that documentation be reviewed periodically and updated as needed, and that safeguards be re-evaluated in response to environmental or operational changes affecting the security of electronic protected health information (ePHI).

From a security perspective, HIPAA requires an accurate and thorough risk analysis of the threats to the ePHI your organization creates, receives, maintains or transmits, including the electronic health record technologies it uses. The Rule then organizes the safeguards that address those risks into three categories: administrative safeguards (risk management, workforce training, contingency planning), physical safeguards (facility access controls, workstation security, device and media controls) and technical safeguards (access control, audit controls, integrity protection, person or entity authentication, and transmission security). Together, these safeguards are designed both to protect patient information and to control who can access it.

Fortunately, the Security Rule is designed to be flexible, scalable and technology neutral. An organization may take its size, complexity, capabilities and costs into account when deciding which security measures are reasonable and appropriate, so a small practice is not expected to implement the same controls as a large health system. HIPAA's security requirements are also not tied to specific technologies or products, since both can change rapidly. Instead, the requirements focus on what must be protected and to what standard, and leave the choice of how to accomplish it to the organization, which must be able to document and justify that choice.

Managing the complexity of the HIPAA Security Rule can be easier. At youCompli, we help you identify, document and monitor your critical HIPAA information. We understand the time and resource constraints that compliance officers operate under, and the need to quickly collect, access and report quality data. Our solutions enable you to remain up to date with healthcare regulations, what they mean and how to implement them accurately in cost-efficient and effective ways. Contact us for more information on how to approach and implement the Security Rule and remain in compliance.

The Role of Compliance Professionals During a Pandemic

COVID-19 has had a significant impact on every industry in almost every country. Healthcare is, obviously, one of the most affected sectors, as the number of ill patients keeps rising and the stock of key medical supplies and equipment is depleted daily.

In these times, it can seem like compliance is not that important. After all, this is a crisis, and lives are being saved and lost. Is compliance with rules and proper procedure really what we should be focusing on?

The answer, of course, is "yes". In times of crisis, compliance can get lost in the shuffle, but that does not undermine the value or necessity of compliance and compliance professionals, both during and after the crisis. And when the crisis subsides, the challenges that remain will require skilled compliance professionals who are able to identify non-compliance and move the organization towards positive change.

To help support you in this time, we’ve put together some important information on the role compliance has to play during a pandemic. Please fill in the form below to download.

Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and owner of Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.


Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  


Michigan’s Massive Licensing Reg – Processed, Translated and Defined

We process a lot of regulatory changes in the course of business, across both the state and federal landscape. Usually, the more voluminous changes come from the federal level — but a recent new state regulation from Michigan really stood out.

At over 50 pages, titled “Licensing for Health Facilities or Agencies”, it is one of the longer state regulations that has come through our process. The average state document tends to be a couple of pages long and is often simply an amendment to existing rules. This Michigan reg bucks the norm — which just goes to show that, even in the face of a global pandemic, the regulatory world keeps turning.

Essentially, this new reg creates a whole new 10-part set of rules. While the overall regulation involves licensing for facilities, the parts involved touch a wide variety of areas and departments within a healthcare organization. Administrative and patient records, HR, facility maintenance and upkeep, patient rights, security, and outpatient surgical facilities — you name it, this regulation applies to it.

Our expert team broke the regulation down into 9 requirements, written in easy-to-understand terms, to clearly define how the regulation impacts hospitals and what needs to be done to comply. Breaking down a large regulation this way allows us to:

  1. Pinpoint the individual areas of an organization being affected,
  2. Tune in to specific issues involved with each functional area of an organization, and
  3. Ensure an easy-to-understand business requirement is the result.

From 50 pages to 9 clear business requirements, each directed at a particular area of the hospital. No need for any youCompli customer to read this monster regulation — once you log in to the system, we’ll take you through what you need to know, and what steps you need to take to comply.

Want us to do the same for your organization and the regulations you’re managing? Set up a quick meeting here and let’s get started.

Legal Challenges and the Benefit of a Comprehensive Compliance Program

The list of compliance and legal challenges facing providers, hospitals and healthcare systems over the next year is long:

  • Physician arrangements and fair market value;
  • Mergers and acquisitions;
  • Quality metrics and risk sharing;
  • Fraud, waste, and abuse;
  • Coding and billing transactions;
  • Reimbursement;
  • Medical staff issues and burnout;
  • Labor and employment issues;
  • HIPAA and HITECH; and
  • Technology and integrated medical devices.

A list like this can seem daunting. However, a comprehensive compliance program with appropriate resources can help avoid disastrous results related to healthcare compliance and legal challenges.

Labor and Employment Law

The Atlantic reported in January 2018 that "Health Care Just Became the U.S.'s Largest Employer." The growth of the healthcare sector brings increased labor and employment challenges. Although the terms are often used synonymously, labor law focuses on groups of workers (think unions and collective bargaining), while employment law focuses on individual workers (think discrimination against an individual in a protected class).

A comprehensive compliance program will reduce labor and employment law challenges by ensuring that human resource policies and procedures comply with federal and state laws. Moreover, periodic personnel file audits will produce the records needed to demonstrate compliance with those laws.

Transactional Law

Mergers, acquisitions, partnerships, joint ventures and U.S. antitrust law

The Agency for Healthcare Research and Quality (AHRQ) reported in its 2018 National Healthcare Quality & Disparities Report that almost 70% of U.S. hospitals and 43% of primary care physicians are part of consolidated health care systems. Consolidations require an astute compliance and legal team to ensure compliance with antitrust law. These transactions continue to draw scrutiny from the Federal Trade Commission due to monopoly concerns.

The challenge for healthcare organizations is even greater when business crosses state lines, because the organization must then comply with multiple state laws simultaneously. As part of a comprehensive compliance program, a compliance professional should work closely with in-house or outside counsel to ensure that business transactions and consolidations include a compliance due diligence perspective, for example by reporting compliance findings to the board of directors.

Security Law

HIPAA

Compliance is mandatory; failure to comply can ruin an organization both financially and reputationally. Ransomware attacks on healthcare providers, reaching them through their computers and medical devices, are on the rise. While most IT departments focus their HIPAA security efforts on conventional computers, few address the security of interconnected medical devices, which are typically harder to patch and monitor than ordinary endpoints.

A comprehensive compliance program will include recommendations to address the management of cybersecurity for medical devices like those outlined by the U.S. Food and Drug Administration (FDA).

Practice Tips

  1. Use audit reports to support the legal defense of employment or labor law claims, if needed.
  2. Use a notification and management system to head off legal challenges by providing up-to-date guidance that supports compliance activities.
  3. Evaluate medical devices in accordance with the FDA FAQ, and disable the voice recognition feature of smart devices (such as a smart TV or speaker) while conducting confidential discussions in the same room.

A system such as youCompli is a strong addition to a comprehensive compliance program, providing up to date notifications of regulatory change, as well as full insight and audit of the compliance process.

Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and owner of Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.


Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  


youCompli Team Heads to HCCA Compliance Institute 2020

Update: Unfortunately, the 2020 HCCA Compliance Institute has been cancelled by the HCCA. Read more on their website here: https://www.hcca-info.org/conferences/national/2020-compliance-institute/Coronavirus


It’s that time of year again – time for the HCCA’s Compliance Institute!

The youCompli team is heading to the heart of country music, Nashville. And nothing says country music like the star of our video. (Hint: Come by and say “Hello Dolly”)

Compliance “Dolly” will be at our booth on March 30th, from 11am to 7pm. Stop by, say “hi”, and get a picture!

You can find us at Booth #618. And, if you book (and attend) a demo of our solution, you’ll receive, absolutely free, one of these fine T-shirts. (We don’t want to spoil your fun – the demo can be done after the show!)

youCompli helps you and your team ensure compliance and increase efficiency, so patient care stays front and center. Stay on top of changes, keep your team organized, and always know what compliance activity is (and isn’t) going on.

See you in Nashville!

Privacy vs. Transparency: You’re in the Middle

Since its passage in 1996, HIPAA, through the Privacy and Security Rules issued under it, has required hospitals and other providers to strictly maintain the privacy and security of patient and clinical records.

In 2009, the HITECH Act's "meaningful use" incentive program pushed them to digitize those records for greater transparency and easier information sharing.

Today, some 96% of hospitals and 78% of doctors’ offices use electronic health records.

As a result, patients can instantly access the notes from their doctor visits, review their prescriptions, see their lab results, and email questions to the doctor(s) they’ve been seeing. And doctors, whether primary care providers or specialists, can have a patient’s personal information and medical history right at their fingertips.

Unfortunately, so can others.

In 2018, a total of 18 million patient records were exposed through hacking and phishing incidents. In just the first half of 2019, almost twice as many, 32 million, were.

Clearly, there’s a tug of war between privacy and transparency, and hospitals are the rope.

In 2018, the last year for which complete figures are available, hospitals paid out an average of more than $2.5 million in settlements and civil monetary penalties. That year, the HHS Office for Civil Rights (OCR) conducted a total of 25,520 complaint and compliance review investigations. And even if the vast majority don't lead to cash penalties, even the mildest OCR action, resolution after intake and review, still costs you staff hours and money.

That’s one reason it pays to keep on top of all the latest HIPAA and ePHI changes.

Another is on the horizon for this year. Throughout 2019, OCR considered changes to the HIPAA regulations, and at least some of those should become final this year. Some could include easing "aspects of HIPAA Rules that are proving unnecessarily burdensome for HIPAA covered entities and provide little benefit to patients and health plan members."

Others involve making it easier for hospitals and doctors to coordinate, and requiring instead of just allowing hospitals to share ePHI data with other providers.

That’s why receiving alerts to changes practically as they occur, determining how they apply to you, then implementing and documenting compliance with no wasted time or money makes for good self-defense.

In the battle between privacy and transparency, see how we can keep you out of the crossfire.

Audit Expectations and Challenges

When it comes to hospitals providing best-in-class health care, stress comes with the territory. From stabilizing trauma victims, to accurately distributing medications, to physicians and nurses working long shifts, increased demands are everywhere — including operations not directly involved with patient care. One demand that can turn daily routines completely upside-down and compound stress is an audit. A GRC compliance audit can be conducted internally by various hospital committees or externally, often by government-approved contractors.

Internal Audits

An internal audit seeks to determine if a hospital’s financial and operational controls, and their related policies and procedures, meet compliance and risk management demands.

Based on a hospital’s risk assessment, management develops and reviews the scope and goals of an audit. Running the audit is then delegated to a committee, with the most common committees focusing on:

  • Patient safety
  • Nursing staffing
  • Clinical quality
  • Medical staff

An internal audit involves interviews and the evaluation of personnel and procedures. Upon the audit’s completion, a report of its findings is prepared by the appropriate committee and shared with management. Recommended corrective actions for any areas of noncompliance are developed collaboratively, and a finalized report is presented to the hospital’s board of directors, chief compliance officer, and audit and compliance committee.

The ultimate goal of an internal audit is to improve patient care. Who in a hospital wouldn’t want to improve it, right? But the truth is that an audit can diminish quality of care while it’s in progress. That’s because committees are often comprised of physicians, nurses, and technologists who are pulled away from patient-care responsibilities to work on compliance administrative tasks.

External Audits

According to a 2017 AHA report, four federal agencies — the Centers for Medicare & Medicaid Services, the Office of Inspector General, the Office for Civil Rights, and the Office of the National Coordinator for Health Information Technology — are the primary drivers of regulations and compliance costs across eight domains for hospitals:

  • Hospital conditions of participation
  • Billing and coverage verification requirements
  • Meaningful use of electronic health records
  • Quality reporting
  • Privacy and security
  • Fraud and abuse
  • Program integrity
  • New models of care

The frequency and pace of regulatory changes implemented by multiple federal agencies are dizzying. Hospitals are often required to comply with regulations in very short timeframes, requiring a significant investment of staff time and money. What’s more, responding to multiple external audits increases administrative costs, and funds can be tied up in lengthy appeals processes contesting an auditor’s incorrect determination.

External audits are conservatively estimated at $100 per hour. For example, consider the total costs of a HIPAA audit:

  • HIPAA Gap Assessment — Identifies gaps and provides remediation plans for those gaps
    (40 hours average, $24,000–34,000)
  • Full HIPAA Audit — Assesses hospitals against all the requirements in the HIPAA Security Rule
    (100 hours average, $30,000–60,000)
  • Validated HITRUST Assessment — Provides the most complete, certifiable framework for HIPAA, playing a role similar to that of PCI DSS certification in the payments industry
    (400 hours average, $100,000–160,000, with costs much higher for larger organizations)

Protect Your Hospital

If your hospital is like most others, it’s spending too much staff time and money dealing with a blizzard of regulations and an avalanche of red tape. Fortunately, there are solutions. youCompli GRC risk management software monitors, reads, and translates complicated regulations into plain English. Our solution enables you to fully understand which rules are pertinent to maintaining compliance, further simplifying the auditing process. And it tracks everything, from end to end, making audits much less painful.

Learn how youCompli regulatory compliance management software protects your hospital.

Who Needs an “Easy” Button? Regulatory Compliance for Teaching Hospitals and Academic Medical Centers

Nobody chooses to pursue a career in healthcare at a teaching hospital or academic medical center (AMC) so that they can process regulatory compliance paperwork. Right?! Nevertheless, health systems spend $39 billion on administrative duties to comply with no fewer than 600 regulatory requirements. Most of the time they are juggling these requirements (and a whole lot more) without an effective compliance management system. It’s anybody’s guess what is truly being done to comply.

The regulatory landscape continues to change. It’s even more complex for teaching hospitals and AMCs that have specialized facilities such as children’s hospitals and cancer centers. And it’s nearly impossible to know for sure what is being done to comply with the regs when students and researchers are added to the mix. Compliance oversight is already challenging enough when it includes only clinical and hospital staff, business associates and contractors.

Ever-increasing regulation ushers in more documentation requirements. Satisfying the reporting requirements steals time away from patient care and contributes to burnout. Plus, more regs and more people equals a big compliance headache.

These healthcare systems not only have the pressure to comply with regulations, improve care and cut costs as other hospitals do, but they have the critical mandate to educate future medical professionals and dedicate resources to research.

According to the Association of American Medical Colleges, academic medical centers in the United States contribute $562 billion in annual economic impact. But, what’s even more significant is the impact these facilities have on the health of our society. Medicine moves forward in teaching hospitals and academic medical centers. When people are faced with a health crisis and grasping for innovative treatment and cures, they flock to these systems. Oftentimes this is their last shot at a healthy future. Teaching hospitals and academic medical centers are the epicenter of first breakthroughs. They are also the last resort for patients who have tried everything else. As a result, teaching hospitals have more costly cases and often bear the brunt of safety-net and charity care.

Shouldn’t there be an “easy” button for them?

Academic medical centers and teaching hospitals have a great need for an effective compliance management system. These systems save valuable time and money. But they also make it easy to see what is being done by whom to comply with regs. No more ad-hoc spreadsheets. Thoughtfully applied technology can make regulatory oversight a piece of cake.

The more effective the compliance management system, the more time is freed up for medical professionals to do what they are passionate about—provide the best patient care and focus on their mission of treatment, research and education. And who couldn’t use an “easy” button for compliance regulation?

Are you ready to explore a compliance management system that is easy to use and effective? If you’re ready to transform your regulatory compliance process, schedule a call today!

Is Your Budget Keeping Pace With Your Workload?

Every admission to a hospital triggers $1,200 in regulatory compliance costs, according to an American Hospital Association (AHA) report.

That’s because each hospital with post-acute care beds has to comply with 629 different federal regulations – plus any and all new ones that come along.

Best practices call for you to be constantly scanning the Federal Register and other sources, not just for new regulations but also for changes to old ones. To translate them from “Regulish” to English, so you can analyze what they mean. To decide which parts of which regulations apply to your hospital. To define and assign compliance tasks. And to update your IT, if needed, to monitor and document compliance.

That doesn’t come cheap.

An average 161-bed community hospital spends more than $7.5 million a year on federal compliance – $9 million if it has PAC beds. Plus an average of $411,000 on IT upgrades each year to monitor and document compliance.

While your compliance department is doing this, compliance departments at another 6,145 US hospitals are doing the exact same thing, the exact same way, running up the same kinds of costs.

No wonder American hospitals and health systems spend more than $38 billion a year duplicating each other’s compliance work.

But what if there were one online expert source that could cut out all that needless duplication? That could tell you what you need to know and let you manage your own hospital’s compliance progress in real time, 24/7/365, with just a few mouse clicks?

There is. And it can cut compliance costs through economies of scale, the way Henry Ford did for cars.

With more regulatory changes in the pipeline every year, you’re going to need more budget, more staff and more other resources. Odds are three-to-one you won’t get them. A 2018 study reported that fully 75% of compliance officers surveyed predicted that their budgets would either stay the same or get cut.

Want to beat those odds? Then you’ll want to learn more about a system that lets your compliance department accomplish more for much less.