BMI. CPR. NICU. PCP. RN.
The health care industry is chock-full of acronyms.
Take any one- to 10-letter concoction and it likely carries meaning in the medical world. Amid the countless abbreviations that imply different things to different practitioners, there is one five-letter acronym that is critically important to anyone and everyone coming in contact with the health care industry.
That acronym is HIPAA.
HIPAA (the Health Insurance Portability and Accountability Act) has been around since 1996 and has evolved in scope and complexity over the past 16-plus years. HIPAA started out as an initiative that protected the health insurance coverage of workers as they changed employment, and has morphed into a multifaceted federal guideline designed to safeguard electronic health care records, enhance data security and ensure patient privacy.
HIPAA guidelines emphasize the protection of patients’ personal information and establish limitations to disclosing identifying information. In today’s modern, information-driven world, one wrong data transfer, human error or lost laptop could spell absolute disaster for any health care organization, big or small.
Companies must learn from the mistakes of others, educate their employees, make HIPAA a regular discussion point and start taking privacy policies seriously in order to stay in business.
Paying the Price
In 2009, CVS Caremark paid nearly $2.25 million for a HIPAA violation because some CVS locations were throwing patients’ personal information away in unsecured trash bins. Since then, federal authorities have taken a strict stance on enforcing privacy regulations.
Just last year, the UCLA Health System was forced to pay an $865,000 fine due to improperly disclosing the records of Tom Cruise, Britney Spears and Maria Shriver, among others. In this case, employees of the UCLA Health System allegedly snooped into the celebrities’ records and simply viewed information that wasn’t meant for their eyes.
“People are under the general misconception that because someone is an employee of a facility or a provider, that they can look at any type of information,” said Patricia Sanchez, an attorney at Fenton Nelson in Los Angeles, specializing in the development of corporate HIPAA compliance plans and policy manuals. “Employees should only be handling the minimum information necessary to complete given tasks, otherwise they are going outside of their permitted disclosure.”
Educating the Workforce
Sanchez has seen her share of HIPAA-related mistakes, having represented a number of California’s most reputable health care organizations. From faxed papers and computer screens being publicly visible to company Facebook posts disclosing patients’ identities, Sanchez has pinpointed a lack of education and attention as the primary reasons for violations.
“The biggest problem is that companies are not educating the workforce on what true access to health information is,” said Sanchez. “We like to help our clients through the process of being HIPAA compliant. They need help developing policies and procedures, training their staff, conducting walk-through assessments and pinpointing any red flags.”
To prevent a HIPAA violation, Sanchez recommends that companies create their own, custom-tailored HIPAA policy and make sure to keep a detailed paper trail of any HIPAA-related training.
“Companies are going out there and buying products and services from lawyers and consultants that aren’t tailored to their needs and they’re not getting help with implementation,” said Sanchez. “Documentation is so important. In an audit, they ask for all of the acknowledgements, all of the signed personnel sheets… you must have a paper trail of everything you do. Everything needs to be documented.”
Keeping it Fresh
In addition to providing quality care, adhering to HIPAA guidelines has become a top priority for many health care organizations across the United States. One of those organizations is HealthCare Partners Nevada, a leading Las Vegas-based coordinated care network consisting of more than 270 physicians and over 1,000 employees.
“We are constantly educating our employees,” said Denise Warren, Clinical Compliance Specialist for HealthCare Partners Nevada. “Every employee of [HealthCare Partners] is required to take a yearly online course and participate in continual training.”
HealthCare Partners Nevada has six full-time employees devoted to HIPAA, plus a HIPAA privacy officer and a 20-member “privacy committee.” The privacy committee meets quarterly, along with the company’s IT department, to review the company’s compliance with HIPAA regulations and patient privacy guidelines.
“It really is a team effort,” said Warren. “We all work together to assure our patients’ privacy and general wellbeing.”
Taking it Seriously
HIPAA is no laughing matter to the companies that take a proactive approach to their patients’ privacy. With a simple mistake potentially bringing fines, government audits and patient lawsuits, it certainly helps to be organized.
“Companies need to start looking at HIPAA very seriously,” said Warren. “The federal government just started doing audits… before they had never done privacy audits and recently hired a firm to come out and make sure everything is okay. They’re not starting with the big companies and hospitals, but with the private practices.”
While HIPAA may seem daunting, scary and downright tedious at times, Sanchez said that it is only enforced to keep patients safe and make health care organizations stronger.
“It really forces people to be organized and to know where everything is,” said Sanchez. “When you really, really become HIPAA compliant, you become paperwork and data compliant and know how information is relayed back and forth.”