Clinical News

HIPAA Compliance Officers - Does your practice need one?

Does your medical practice need a HIPAA compliance officer? The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 and, through its Privacy and Security Rules, sets standards for the privacy, security, and portability of personal health information. Healthcare professionals such as you are required by law to protect the privacy of patients' personal medical information. HIPAA applies to medical practices large and small; an often overlooked aspect of compliance, however, is deciding who will own it: the HIPAA compliance officer.

HIPAA itself requires every covered entity to designate a privacy official (under the Privacy Rule) and a security official (under the Security Rule); it does not require a separate, full-time compliance officer. In smaller medical practices these two positions are often filled by default, that is, by whichever individuals have the closest understanding of and expertise in the roles. The privacy officer role typically goes to the person responsible for managing medical records, while the security officer role tends to fall to the IT manager. Both officers touch every aspect of the practice, but the security officer focuses on the operational and IT side. Neither officer needs to have all the answers, but both need to be able to identify issues that require a security control and to prioritize risks.

For small to medium-sized practices, hiring a full-time compliance officer may not be financially possible. Even where existing staff can cover the privacy and security officer roles, it is worth investing in someone who will properly ensure that HIPAA requirements are met, because violations can result in significant fines. The civil penalty tiers established by the HITECH Act of 2009 are listed below; these are the statutory base amounts, which HHS adjusts annually for inflation, so the figures currently in force are higher. Failure to adhere to HIPAA rules and regulations can cost your practice money that could otherwise be put to better use.

  • Did not know (and could not reasonably have known) of the violation

- Minimum fine: $100 per violation, with a $25,000 calendar-year cap for identical violations at this rate
- Maximum fine: $50,000 per violation with $1.5 million annual maximum

  • Reasonable cause, not willful neglect

- Minimum fine: $1,000 per violation, with a $100,000 calendar-year cap for identical violations at this rate
- Maximum fine: $50,000 per violation with $1.5 million annual maximum

  • Willful neglect, corrected within 30 days of discovery

- Minimum fine: $10,000 per violation, with a $250,000 calendar-year cap for identical violations at this rate
- Maximum fine: $50,000 per violation with $1.5 million annual maximum

  • Willful neglect, not corrected within 30 days of discovery

- Minimum fine: $50,000 per violation with $1.5 million annual maximum
- Maximum fine: $50,000 per violation with $1.5 million annual maximum

A HIPAA compliance officer is in charge of building and managing the HIPAA compliance program within your medical practice. The ideal candidate has a solid understanding of HIPAA and of how your practice operates, and the organizational skills needed to work through the administrative, physical, and technical safeguards of the HIPAA Security Rule. You want someone who pays attention to detail, can spot potential violations, and takes preventive measures before they become actual violations. They set the tone for the entire organization when it comes to implementing HIPAA rules, and they must be able both to work well with colleagues and to apply sanctions to them when policy is violated. A professional certification is optional but a bonus: it provides further assurance that the officer can train staff, keep them focused on the crucial elements of compliance, and develop and run a successful program. Organizations such as the American Academy of Professional Coders (AAPC) and the Health Care Compliance Association (HCCA) offer compliance certifications to individuals who have completed rigorous training and demonstrated proficiency.

While it may sound like a part-time role, a HIPAA compliance officer in fact has a lot of responsibilities. The list below can help your practice develop a job description for compliance officer candidates. The responsibilities of a compliance officer include the following:

  • Keeping your practice up to date with the latest local, state, and federal privacy laws;
  • Educating other staff members on the latest local, state, and federal privacy laws;
  • Creating a HIPAA compliance program and periodically reviewing and updating it;
  • Conducting periodic security risk analyses and audits covering all software, hardware, and access controls;
  • Developing and delivering HIPAA security training for all staff members within the practice;
  • Improving communication about security best practices among staff members;
  • Maintaining the Notice of Privacy Practices (NPP), providing it to patients as the Privacy Rule requires, and making sure staff understand it;
  • Delegating tasks to security personnel;
  • Developing job descriptions for new security personnel;
  • Screening staff members to make sure they abide by the compliance program's rules;
  • Monitoring and logging staff members' access to confidential data, and reporting inappropriate access;
  • Coordinating an organization-wide audit and reviewing areas of possible noncompliance within the practice;
  • Adopting appropriate policies and procedures for dealing with noncompliance;
  • Managing and overseeing all handling of patients' confidential health information;
  • Providing information about HIPAA requested by staff members and patients;
  • Answering questions relating to the privacy and security of protected health information (PHI);
  • Developing plans to ensure the security of PHI in transit and at rest, including backups;
  • Identifying and responding to suspected breaches of, or threats to, the confidentiality of PHI, including breach notification where required;
  • Handling complaints from staff members and patients about reported HIPAA violations;
  • Developing the budget necessary for performing all compliance duties;
  • Communicating with the HHS Office for Civil Rights (OCR) during compliance investigations;
  • Maintaining a contingency plan (data backup, disaster recovery, and emergency-mode operation) so that PHI remains protected and available in a disaster;
  • Reporting regularly to the appropriate party, such as the managing physician;
  • Making recommendations to the appropriate party on operational and technical guidelines;
  • Staying up to date on the latest tools and technologies;
  • Working alongside law enforcement agencies in cases of security breach, threats, or cybercrime.

When implementing a compliance program within your practice, make sure it covers every aspect of the HIPAA rules and regulations as well as your practice's own policies. Protecting the privacy of your patients is just as important as providing quality care, so it is vital that you take the necessary steps to build sound security practices. Training your medical staff, improving communication, protecting digital health information, reviewing noncompliance issues, and identifying threats to patient confidentiality are just a few of the ways you can keep your policies current with local, state, and federal law.

A fundamental part of any compliance program is choosing an effective compliance officer. The compliance officer has two main responsibilities: to create the practice's compliance program and to implement it. He or she should have knowledge in several areas, including risk management, business administration, coding, billing, clinical activities, and reimbursement. In addition, they should be able to prioritize tasks and have a working knowledge of the rules and regulations that apply to the clinical environment. Most important, they should be respected by, and approachable to, other staff members within the practice.

As to whether a single staff member can fill both the privacy and security officer roles, this is rarely done in larger healthcare settings, but it tends to work well in small and medium-sized practices. The general rule is that one individual can be a suitable fit if they have the time and the competence to carry out the duties and responsibilities of both roles. Often, though, the best arrangement is to have privacy and security officers on staff, backed by an outsourced HIPAA compliance officer who can assist them whenever necessary. You decide what is best for your practice. Whoever serves in the role of HIPAA compliance officer, understanding and accepting the importance of the role is what matters most. After all, a qualified and effective compliance officer and good security practices can lead to much needed positive change within a medical practice.