To clarify the HIPAA policy updates and help practices benchmark against peers, we surveyed over 1,000 providers, administrators, and medical office staff. These results:

Shed light on key parts of compliance

Compare the perspectives of different roles in practices, and

Provide educational resources to keep you informed and compliant.

First, we asked about general HIPAA knowledge and awareness of some recent key events.

Awareness of the Omnibus Updates

The 2013 updates increased penalties for privacy/security violations, expanded HIPAA's reach to business associates, and set out new rules for notifying patients and the public of security breaches. We asked if respondents knew of the updates before taking the survey. 64% (659/1026) from medical practices said they were aware of the "Omnibus" updates before taking this survey. While a majority of medical practices said they were aware of the updates to the final Omnibus Rule prior to taking the survey, 36 percent were unaware of the updates, which now include:

New patients' rights (like requesting health records in electronic form)

If fees are paid out-of-pocket, patients can request that treatment info be withheld from health plans under certain circumstances

Sliding scale penalties, including a maximum penalty of $50,000 per violation with a maximum annual cap of $1.5 million for violation of an identical HIPAA requirement

Breach notifications now gauge "risk of compromise" instead of "risk of harm"

New limits on information use or disclosure for marketing or fundraising purposes

Omnibus Background: For more information on the HIPAA Final Omnibus Rule, read this legal alert from McGuireWoods or review the rule in its entirety on the Federal Register.

Awareness of OCR's HIPAA Audits

The Office for Civil Rights (OCR) of HHS will be conducting HIPAA audits of physician practices, health care facilities and business associates. These random audits examine adoption and implementation of HIPAA safeguards, such as privacy and security risk assessments, breach notifications, notice of privacy practices, and training on policies and procedures. Only 32% said they were aware of the audits before taking the survey. This may be due to the lack of information available about the audits, including an official timeline for when audits will begin. The first phase of the audit program was conducted in 2011 and 2012. For Phase 2, the OCR plans to send pre-audit surveys to 800 covered entities and 400 business associates; they'll select their audit targets based on the results of those surveys. This article gives a nice overview of Phase 2 of the audit program, and explains how the OCR's plans have evolved over the last few years.

Audits Delayed: The OCR planned to begin audits in October 2014, but decided to delay the start of audits in order to update their technology. An official timeline has not been released. The OCR's advice to covered entities is to use this time to "get your house in order."

This section focused on general compliance measures in practices, including compliance plans, training, security/privacy officers, breach notifications, and risk analyses.

Adoption of a HIPAA Compliance Plan

The first step in becoming HIPAA compliant is creating a plan. In fact, HIPAA requires it. A compliance plan is a set of policies and procedures that covers all aspects of compliance within your practice, including:

How information is sent, stored, and secured

Responsibilities of security and privacy officers

Staff training programs

Responding to security breaches

Cataloging and securing electronic devices and communication

58% of respondents said they had a HIPAA compliance plan. While that might seem like a good sign, it's troubling that 19% weren't sure, and 23% said that they didn't have a plan. Taking a closer look, we found there was also a disconnect between office managers and staff: 68% of OMs said their businesses had a plan, compared to only 43% of office staff. The important point here is that staff need to be familiar with the plan. Auditors will look to make sure everybody is on the same page. If you don't have a plan, you aren't HIPAA compliant.

Communicate Your Plan: Wondering about best practices for communicating your plan to staff? Check out Dan Brown's video for tips now.

Annual HIPAA Training

A crucial component of your HIPAA compliance plan is your staff training policy. Training should be conducted at least once a year to make sure everybody at your practice is on the same page. Everyone should know how HIPAA affects their day-to-day work, and how to respond quickly and appropriately to security breaches.

62% of owners, managers, and administrators said their business provided annual HIPAA training; of those, only 65% said they have proof.

When we asked office staff and (non-owner) care providers if they received HIPAA training in the last year, only 56% said yes. Of those, 70% had proof. If you've offered/received training, obtaining proof is an easy win. Written documentation that backs up the training will come in handy in the case of an audit.

Audit Red Flag: One of the biggest red flags during an audit is staff confusion or ignorance. Check out the video for tips on how to institute a HIPAA training program.

Appointing Security and Privacy Officers

HIPAA Security and Privacy Officers are those in your practice responsible for responding to questions and complaints. They also make sure problems and breaches are dealt with appropriately. Appointing these officers is a critical part of developing a strong compliance plan.

When we asked owners, managers, and administrators if their business has formally appointed these officers:

56% said they had a Security Officer

55% said they had appointed a Privacy Officer

When we asked office staff and (non-owner) care providers if they knew the name and contact information of their practice's HIPAA Officers:

54% said they had their Security Officer's contact info

58% said they had their Privacy Officer's contact info

Unfortunately, this means that almost half of those surveyed are falling short on a major HIPAA requirement.

Unsure about your officers? In the following video, Dan Brown explains why appointing these officers is so important and provides some tips on how to do it.

Breach Notification Policies

A "security breach" occurs under HIPAA if there is an unauthorized disclosure of electronic PHI (protected health information), such as a computer hacking incident or the loss or theft of a laptop containing unencrypted PHI. HIPAA requires that covered entities adopt a formal policy that specifies how they'll deal with a breach. Only 45% said their business/practice has a formal policy for PHI breach notifications. Breach notifications have strong legal and business implications, and HIPAA requires some pretty specific action if a breach does occur.

Breach Notifications are serious. Let Dan Brown explain why, and provide some insight into the type of action you need to take in a worst-case scenario.

Risk Analyses

The best way to prepare for an audit, and to make sure you have a bulletproof HIPAA compliance plan, is to conduct periodic risk analyses at your practice. To conduct an analysis, you'll need to consider how PHI flows through your practice (whether on paper or via electronic devices), and identify ways that this information could be leaked or compromised.

Only 33% said their practice has performed a PHI risk analysis to assess how and where inappropriate disclosures are likely to occur.

Shining a little more light on the potential communication disconnect present in practices, 14% of owners, managers, and administrators said they weren't sure if their practice conducted an analysis, while 43% of office staff and non-owner care providers said they weren't sure. With potential audits just around the corner, these numbers don't bode well for practices. Of those that said their practice did conduct a risk analysis, 70% said they conducted the analysis internally (only with their staff), and 20% said they conducted it with the help of an outside lawyer or consultant. It's perfectly fine to conduct the analysis yourself (internally), but hiring an outside expert will often yield a more thorough review. The trade-off, of course, is the price to get it done.

Risk Assessment Resources: check out the Risk Assessment Tool from healthIT.gov, then listen to Dan Brown as he shares why risk analyses are so important and gives tips for conducting one.

Business Associate Agreements (BAAs)

One major change introduced by the Omnibus updates is that Covered Entities are now required to establish Business Associate Agreements with third-party vendors that access their PHI. These third-party vendors could include medical billing companies, software vendors, and outside consultants.

60% of owners, managers, and administrators from medical practices were aware that the new "Omnibus" HIPAA rules require healthcare providers to establish Business Associate Agreements with third-party vendors that access PHI. While that's the majority, the issue here is that 40% weren't informed. When we asked owners, managers, and administrators about their progress in evaluating all of their BAAs, responses were as follows:

In the following video, Dan Brown gives a great explanation of business associates and business associate agreements (BAAs).

When we took a closer look at practices by size, we found that larger practices (particularly those with 10 or more providers) tended to do better when it came to compliance measures within the office, things like having a plan, training staff, appointing officers, and conducting risk analyses. This wasn't surprising, as larger organizations usually have more resources to devote to regulatory compliance.

After covering some general compliance measures, we shifted our focus to electronic devices and communication. The healthcare technology space is moving fast: new devices and apps are popping up every day. These advancements have extremely positive impacts on our ability to provide great care, but they also introduce a new set of risks. This is no reason to be afraid of the technology, but it is a great reason to make sure you're doing things in a way that keeps your patients' data safe.

Cataloging Electronic Devices

HIPAA requires covered entities to keep track of all of their electronic devices that contain PHI. Having an overarching understanding of which devices you have, and where they are at all times, will help you identify potential risks, and discover breaches. When we asked owners, managers, and administrators about their progress in cataloging all of their electronic devices, only 27% said they've cataloged 76-100% of their devices. Another 27% reported that they haven't cataloged any; 21% said they didn't know.

Sarah Browning offers some insight on cataloging electronic devices at your practice.

Confidence That Electronic Devices Are HIPAA Compliant

When we asked owners, managers, and administrators how confident they were that their electronic devices were HIPAA compliant, only 31% said they were "very confident." 18% said they were "not confident at all."

When we asked office staff and (non-owner) care providers how confident they were that their practice's electronic devices were HIPAA compliant, a slightly higher percentage reported they were "very confident" (42%).

Even though the majority in both cases said they were "somewhat confident," we don't think that's good enough. If a practice conducts periodic risk analyses and properly catalogs all of their devices, there should be a lot less uncertainty.

Diving further into the idea of electronics in practices, we asked a few questions about mobile devices (phones and tablets). While many practices use mobile devices today, their use will only become more commonplace over the next few years.

Mobile Device Usage

When we asked practice owners, managers, and administrators about mobile device usage in their businesses, we found that staff communication was the primary use, followed by patient communication, then charge capture.

For office staff and non-owner providers, we asked about their individual mobile device usage (instead of that of their business) -- their responses correlated well with those of owners, managers, and administrators.

Mobile Device Ownership