Follow Through With Security Rule Requirements
Healthcare Partner Shannon Hartsfield was quoted in AAPC's September Health Information Compliance Alert about the federal government's Security Rule for healthcare providers and its implications for smaller organizations.
According to the article, many healthcare providers already perform security risk analyses to satisfy Promoting Interoperability requirements, but the Security Rule asks more of them: the risk analysis is only the first step of an ongoing HIPAA compliance program, and providers that go further and implement "recognized security practices" strengthen their position with regulators.
Last January, the federal government amended the HITECH Act to give providers leeway in choosing how they design and implement their HIPAA compliance programs. Ms. Hartsfield weighed in with the pros and cons.
“The good news for small practices is that the government designed the Security Rule to be ‘scalable and flexible,’ meaning that a solo practitioner or a two-person office does not have to implement a HIPAA compliance program with the same level of detail and investment that would be required for a large multi-state hospital system or health insurer. These smaller practices have some room to maneuver when deciding exactly what they will do to comply with HIPAA’s requirements. They have to comply, but they may not be required to have a compliance program that is as detailed and involved as a larger practice.”
However, recent settlements show that the federal government does not exempt an organization from enforcement because of its size, and the financial consequences of a breach can hit smaller organizations harder.
“Small organizations can be penalized for violations. The costs of responding to a data breach add up based, in large part, on how many patients are involved, rather than the size of the entity experiencing the breach,” warns Hartsfield.
Luckily, federal resources and available guidance outline several things smaller practices can do to build their HIPAA compliance plans. Ms. Hartsfield points out that compliance planning can be daunting and complicated, and that smaller organizations should consider hiring qualified consultants.
“Security Rule compliance still requires significant effort and IT-related expertise so, no matter the entity’s size, it may be necessary to hire qualified consultants to help with the risk analysis process. And beyond the risk analysis, covered entities and business associates must also develop a written plan to manage and mitigate the risks identified. They must also update the risk analysis as needed,” she advises.