4 Best Practices for Physician Compliance With HIPAA Omnibus Rule

In January, HHS released the HIPAA final omnibus rule, which strengthens the provisions for data privacy and security as established by the Health Insurance Portability and Accountability Act of 1996.

"Much has changed in healthcare since HIPAA was enacted over 15 years ago," said HHS Secretary Kathleen Sebelius in a news release. "The new rule will help protect patient privacy and safeguard patients' health information in an ever expanding digital age."

For hospitals and health systems, the omnibus rule necessitates action to ensure the new regulations are being met. The rule not only raises standards for patient data protection for both providers and their contractors as well as expands a patient's right to control his or her own medical information, but it also raises the maximum financial penalty for noncompliance to $1.5 million, based on the level of negligence.

"It's really going to put some teeth into HIPAA," says Jason Thomas, CIO of the Green Clinic, a physician-owned health system in Ruston, La. And the looming compliance deadline of Sept. 23 has added a sense of urgency among CIOs and other hospital administrators to make sure physicians are ready to follow new and tightened regulations to avoid federal action for noncompliance.

"No one wants to get caught with their pants down," he says.

To ensure the Green Clinic's physicians will be ready, "we're in the middle of implementing a lot of changes," says Mr. Thomas. He says the biggest compliance issue he's currently facing is developing rules and initiatives that ensure HIPAA guidelines are being met that don't overly disrupt physicians' workflow.

"You can't make policy that prevents them from doing their job," he says.

Below, he shares four best practices for increasing physician compliance with tightening HIPAA regulations.

1. Draw the line. Mr. Thomas prefers a straightforward approach when confronted with noncompliance among clinical staff. "The easiest thing to do is just pull sections out of HIPAA and show them where these rules are written," he says. "Just say, 'This is what the law says, and you can't change federal law. When you tell someone on the clinical staff they're about to violate federal law, they get it."

2. Find workflow solutions.
Part of the Green Clinic's HIPAA compliance efforts is having all computer screens lock after 15 minutes of inactivity and requiring users to log back in. "It was a hard sell to the staff," says Mr. Thomas. "Most of the time it doesn't affect them, but for those who go to lunch or are away from the computer for clinical procedures, it becomes frustrating for them to have to log back in seven or eight times per day."

Recognizing the issue, Mr. Thomas and his team worked to make logging in to the computer as time-efficient as possible. "We got around the frustrations by integrating more systems so the login is more powerful," he says. Now a clinical staff member can use his or her hospital ID badge to log onto all needed programs at once.

Another workflow solution implemented is use of trusted equipment known to comply with HIPAA standards. The Dell Software solutions used at the Green Clinic "shows us the connections are secure and makes it easy," says Mr. Thomas.

"Compliance comes first, but there are ways to make it easier," he says.

3. Make exceptions as necessary.
"We've had to make a few exceptions" to the compliance policies put into place, says Mr. Thomas. He says several physicians who leave their computers in their offices did not want to be logged out when they left to see patients, as patient data is secured just as well by a locked office door than by locked computer screen.

"We did make an exception for these doctors," says Mr. Thomas, "and increased the timeout on the machines that don't leave their offices." He stresses that these exceptions have been well-documented per federal regulations to ensure HIPAA compliance.

4. Collaborate with other organizations. "A lot of people try to do it on their own — read the law and put policies in place to follow it," says Mr. Thomas. "The problem with that is the law is so vague, it's hard to know if you're leaving something out."

Mr. Thomas recommends talking with other hospitals and providers and sharing policies and best practices to help ensure the highest level of compliance possible. "We have a HIPAA consultant on retainer, but we did reach out to other organizations to see how they're handling certain requirements and seeing specifically what they're doing" to keep compliant, he says.

"There's a culture of sharing" among CIOs, he adds, especially in the face of new challenges. "You'll find people who are willing to put the time in to help you."

More Articles on HIPAA:

Walgreens Pays $1.44M for Alleged HIPAA Violation
Protecting Personal Health Information: The Role of Third-Party Accreditation to Ensure Compliance
HIPAA Omnibus Rule Demands Attention by Hospital Compliance and Supply Chain Leaders

© Copyright ASC COMMUNICATIONS 2019. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.

 

Top 40 Articles from the Past 6 Months