In the past week, there has been a bit of a discussion on our User Group about really complying with HIPAA in a mid-sized to large behavioral health practice. It also applies to small organizations. This is Part I of that discussion.
The fact that the HIPAA privacy requirements were implemented in 2003 does not mean that most mental health organizations—or most medical practices, for that matter—actually do a good job with their compliance. Almost six years after the HiTech Act added security requirements, including a Risk Assessment, many organizations are not compliant. Somehow, people in both the private and public sectors seem to forget that HIPAA compliance is an ongoing discipline, not a one-time act.
The discussion participant who is co-owner of a mid-sized practice (Mr. Z) is interested in doing the compliance plan himself, but he has concerns about having time to monitor ongoing implementation of the plan. His colleague (Dr. K), who is owner of a quite large practice, has decided that their situation is becoming too complex to handle on their own. They will be hiring an organization that is expert in doing Risk Assessments and developing HIPAA Compliance Plans, and that will help them stay on track in their implementation of the plan over time. Seth and Kathy are SOS owners.
Here is part of the exchange:
Mr. Z: I have found time to dig into the HIPAA challenge aggressively. I am aware there is a difference between a HIPAA Security Evaluation and a Risk Analysis. I am also using the Security Risk Assessment Tool found at HealthIT.gov for my security evaluation. I need to be re-pointed to a good format for a risk analysis tool. Can someone point me to a risk analysis tool they have been using?
Seth: The HealthIT.gov Security Risk Assessment Tool is the risk analysis tool. As you work through each item, the relevant ones will display two items for you to rate likelihood and impact, which together indicate the “risk”. For example, the likelihood of a stolen unencrypted laptop may be low, but the impact would be huge, so it demands attention and correction. The public mention of a patient name might have a much lower impact, but a much higher likelihood, so it too should be addressed through policies and staff education. In working through the tool, the two ratings taken together provide a ranking that helps you decide which threats are highest priority.
Bottom line is that this tool should provide sufficient structure to get the job done, I think. Is there some ground that is not covered by the Security Risk Assessment Tool?
For those who are not aware of this resource, please visit:
and watch the associated video:
Kathy: I am going to express an opinion, Mr. Z. It is aimed at helping you and other user group members evaluate some of what you read about HIPAA compliance.
The article that you mentioned [in another part of his message] is written by a company that specializes in providing risk analyses for a price. They are specialists in this arena, understanding the differences between privacy and security as defined by HIPAA and the HiTech Act. The other articles and elucidations available on their web site are aimed at helping you understand how much they know and that they are truly expert in their field. It is highly likely that they are.
The question is, do you need their level of expertise? Do you have the time and are you able to sort through the many articles and checklists out there? Do you understand enough about technical security to assure that your computer systems meet standards? When you start reading about this stuff, do you get curious and interested or just want to run and hide?
The HHS tool for risk assessment is aimed at small to mid-sized organizations whose situation is not so complicated that outside expertise is required. If that describes your organization, then do use the HHS tool as a starting place for your own assessment. Just be careful about considering it exhaustive; it is not likely to be that.
It is never going to remind you that you provide group psychotherapy and that groups present inherent security and privacy risks that you should address in your plan. For example, you probably have a written agreement that each group member signs about maintaining the privacy of other group participants. That should be included in your assessment as a source of risk and you should include your agreement in your plan. If you limit name use in group to first names, you need procedures to guarantee that. Your staff need written policies and procedures that they follow to maintain the privacy of those group members. If your staff utilize paper files and have a stack of those records in the group session (or on their desks), how do they protect the privacy of the members? What security methods are used to protect those records? Is there at least a lock on their office doors, and do those locks get used? How easy is it for a group member heading to the restroom to stick their head into that office?
This is the kind of thing that a well-qualified HIPAA security/privacy professional would ask you as they interview you about your practice. They would look at as many possible sources of risk as they can find and then help you address them in your plan. This is what you pay someone to do. Are you comfortable doing this yourself? Even if outside expertise is not required to get you to a plan, you might decide that you want to purchase it anyway. It may be that using an outside source to do your risk assessment and point you toward the policies you need to develop would be a wonderful help to you. Or, it may not.
I think a helpful attitude to take when beginning a risk assessment is to be as open as possible to information and observations…and don’t expect to find everything yourself. Each of your staff members and employees has certain sets of responsibilities and interactions with PHI. Once you have done an overview for the organization, you need to sit with different employees (all if possible) in small groups and get their input about how they handle PHI. They will have perspectives you cannot even imagine! Their observations will be invaluable to you in developing your plan.
As you read and research, just remember the source of the material. It is not essential for everyone to hire professionals to do their risk assessment and security plan for them. Don’t be too heavily swayed by such professionals who disparage the home-grown assessment and plan. If the HHS.gov materials are too simplistic for your organization, you may need consultation. On the other hand, if the materials HHS.gov provides seem complicated beyond what you can decipher and you are in danger of using that as an excuse not to develop a plan, it is time for you to get assistance on HIPAA compliance.
Dr. K wrote in part: …But if you run almost any size group, the more I find out about the complexities of remaining compliant (Geez, I had not even thought about the specialized group therapy HIPAA issues), the more I know I need specialized assistance and cannot possibly create what is needed on my own, and more importantly, continue to monitor compliance in all offices and with all staff as we grow…..
Seth: At a certain point, larger practices will have to do some outsourcing, hire a compliance officer, or designate a staff member to put a significant portion of their time into getting trained and implementing the systems needed to get closer and closer to compliance.
I want to point out, however, that no matter how much you try to outsource, there still will be much more internal work and training than you imagine to achieve compliance. It is like psychotherapy, in a way. You can counsel a patient about how s/he can make meaningful changes, but then it is up to the patient to put in the work when they leave your office. If no work is done outside the office, no substantial change will occur. Just as this patient can end up dropping many thousands of dollars on therapy and end up with no benefit, so can you if you think for one second that you can hire someone to take HIPAA compliance off your hands. That is not the way it works. You will be “prescribed” policies and procedures, and you and your staff must learn them, follow them, and document your compliance.
Auditors say that having policies and procedures that you don’t follow is little better than not having them at all. You are going to end up with compliance logs of various types. If there are not regular entries in those logs (made by YOU and/or YOUR STAFF, not by some hired gun), then you are not making a good faith effort toward compliance. These experts can create a list of stuff that you should be doing, and make suggestions about how to get the tasks done, but most cannot be done for you.
The larger you are, of course, the more risk and the more potential points of failure you have. I don’t envy either of you, but I offer this advice: get references and follow up on them before signing a contract. It is one thing to know the HIPAA regulations; it is quite another to be the kind of person who can motivate a group of psych folks to change their attitudes and behavior!
Another analogy occurs to me — weight loss. You all know how easy it is to write up a plan to change eating and exercise behavior, how hard it is to motivate yourself or your patients to follow through, and how much harder still it is to keep the changed behavior going month after month, and year after year.
Reading this exchange reminded me that it might be time to re-share some of the links to important information about HIPAA and HiTech.
You can go to the HHS website and search for HIPAA. The Office for Civil Rights is the official enforcer for HIPAA. Many professional organizations have materials available to their members. A quick Google search for ‘hipaa risk assessment tools apa’ produced a good deal of information. Over the course of the past several years we have posted on this topic regularly. Take a look at our articles from October 17, 2008 through December 10, 2014.
Please share your thoughts and experiences below…and be sure to read Part II next week.