Ophthalmology Business

MAR 2018

Ophthalmology Business is focused on business topics relevant to the entrepreneurial ophthalmologist. It offers editorial, opinion, and practical tips for physicians running an ophthalmic practice. It is a companion publication of EyeWorld.

Issue link: http://digital.ophthalmologybusiness.org/i/944568


Software and specialist: A comprehensive approach to HIPAA compliance confidence

by Brendan Gallagher, Brock Fick, and William Rabourn III

Designed to nurture peace of mind in the age of electronic protected healthcare information, the Healthcare Information Portability and Accountability Act of 1996 (HIPAA) has become an intimidating, many-armed creature. Infamous for vague terminology and numerous regulations, HIPAA is a difficult sentinel to appease, especially for those official or unofficial compliance officers within an ophthalmic ambulatory surgery center or practice who have responsibilities beyond developing, tracking, and maintaining their compliance program. Nevertheless, HIPAA compliance cannot be ignored, or even halfway addressed. Ophthalmic businesses and any other covered entities that do not carefully monitor and follow HIPAA's regulatory movements may experience a sharp financial and legal "bite." Penalties could reach as high as $50,000 per violation if it is determined to have been willful neglect. Additionally, if an entity attests to being HIPAA compliant and is contradicted by an audit, that entity may be required to return government incentive money earned for meaningful use.

Finding a viable HIPAA assessment and maintenance solution for an ophthalmic business that addresses the full scope of regulatory requirements has never been more vital than right now as the healthcare community faces a significant rise in HIPAA enforcement, penalty severity, and technological threats.

Increased HIPAA enforcement and penalties

In the past, finding and implementing a total compliance solution was not especially urgent. The HHS Office for Civil Rights (OCR) was heavily focused on growing and refining new rules and processes. Entities committing HIPAA violations were at a low risk for discovery, and those that were discovered rarely faced financial penalties. Attorneys general given the right to issue fines for HIPAA violations did not actively do so; the first fine was not dispensed until 2008, 12 years after HIPAA went into effect. Even the OCR's Phase 1 onsite HIPAA audits of 2011–2012 were more exploratory than disciplinary.

Recent events, including OCR's 2016 commencement of Phase 2 desk audits on covered entities and business associates (BAs), reflect that the age of HIPAA enforcement leniency is ending, and many healthcare organizations are not prepared.

The OCR's preliminary Phase 2 results showed that HIPAA noncompliance is still widespread, and the majority are slow to implement plans and security technology to protect patient data. Ninety-four percent of healthcare organizations followed inadequate risk management plans, 83% performed inadequate risk analyses, and 89% were rated inadequate on patients' right to access their PHI.

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 also highlights the nationwide lack of compliance preparedness. In accordance with the HITECH breach notification regulations, breaches affecting 500 or more individuals must be reported to the HHS Secretary to be put on the HHS Breach Portal website. The Breach Portal broke a new record in 2017, reaching 2,000 reported breaches since the portal's creation in 2009. For some perspective, it took almost 5 years for the portal to reach 1,000 breaches, but with OCR's ramped-up enforcement efforts, reporting the other half of

continued on page 10

Take the preliminary compliance test

Answering "no" to even one of the following questions could be enough to fail an audit.

- Have you designated a compliance officer?
- Have you performed a security risk assessment and self-audits?
- Have you documented all deficiencies found in the audits?
- Have you created remediation plans to address deficiencies?
- Do you have policies and procedures relevant to the HIPAA Privacy, Security, and Breach Notification Rules?
- Have all staff members undergone and attested to HIPAA training?
- Do you have appropriate agreements with all business associates?
