The final HITECH rule became effective yesterday. Many people in the healthcare industry are scrambling to get into compliance.
Yet, recently, I had a conversation with a small practice manager who wanted to execute a business associate agreement with a consultant. While I commended him for getting that item into place, I asked about the practice's overall HIPAA/HITECH and state law compliance in general. Needless to say, there was no privacy officer, a few (old) policies, an outdated Notice of Privacy, no training and no system of reviewing or auditing access to their newly installed electronic record system. There was absolutely no knowledge of the breach notification mandates. The manager nevertheless seemed satisfied with his efforts in this area.
I often find that, in the midst of all the regulatory noise, there still remains a real lack of awareness of many basic requirements of HIPAA under the new HITECH updates, and of privacy and security compliance in general. Whether the lack of knowledge comes from being overwhelmed or from denial, it is hard to say.
But doing nothing will get you into far greater trouble than taking step-by-step action. The Office of Civil Rights will now be acting both on complaints and on audit findings. Failure to be in compliance could cost a practice a 6-7 figure civil monetary penalty. This is nothing to ignore.
Doing just a little is not enough. Both a culture and a system of compliance are required.
So, contact a knowledge expert, bring in a compliance educator, learn your requirements and put them into place. Your practice, regardless of size, needs someone dedicated to ensuring and enforcing these protections and safeguards, with internal sanctions for violations of your policy standards.
Just as you focus on healthcare treatment and services, you also must care for and secure your patients', clients' or residents' protected health information and be prepared to honor your patients' information privacy rights. Go on, get to it!