Will YOU survive a Meaningful Use Audit? (Part 1)
Barry Greene
Meaningful Use is a wonderful opportunity for small practices to receive crucial funding toward technology implementations. It also became an opportunity for HIPAA auditors ('enumerators') to collect fines. A dermatology practice in Massachusetts just paid a $150,000 fine for HIPAA violations.
Now many might ask - "what does HIPAA have to do with Meaningful Use?" Answer - HIPAA compliance is a required "Core" component of Meaningful Use attestation. We decided to try out a theory:
We asked 25 yes/no questions at the front desks of randomly selected small practices. Each question reflected a specific federal requirement for covered entities under HIPAA.
Many practices proudly displayed their “HIPAA forms.” This satisfied two of the twenty-five questions, and thus counted for eight percent of the overall score. Several practices had a total score of eight percent. One doctor admitted to me that he’d Xeroxed a form (still bearing a Copyright notice) acquired from the practice across the hall!
HIPAA is not about forms.
Many practices assumed their Medical Society, local hospital, or software vendor made them "HIPAA Compliant." Those practices are missing the point entirely.
HIPAA compliance will vary from practice to practice: different layouts, systems, software, staff training, chart access, etc. That’s why HIPAA requires that every covered entity conduct a Risk Analysis.
Risk Analysis is critical . . . and a federal requirement.
What’s a Risk Analysis (also known as a Gap Analysis or Risk Assessment)? Think of it as a preliminary physical exam. During a physical, the patient’s history and examination are absolutely crucial to forming a diagnosis. The AMA states:
. . . generally speaking a gap analysis compares the requirements of the law to the reality of what’s going on in your practice. . . all parts of HIPAA transactions, privacy, and security should be subject to a gap analysis.
Implementing changes to your practice without a written Risk Analysis in hand is tantamount to surgery without the preliminary exam. A small-practice Risk Analysis conducted by a competent health information security professional should involve less than two hours on-site. Costs generally run $1,000 to $3,000 per provider, depending on the practice size and the scope of the deliverable information.
Architect Louis Sullivan coined the phrase “Form Ever Follows Function.” With regard to HIPAA, we now see plenty of forms and precious little function. If your practice had participated in our survey, how would you have done?
ACCA can provide more information about Risk Analysis.