Every day, we are deluged with e-mails and other communications telling us how someone has exactly what we need to cure every ill our companies face, attempting to lure us in with the promise that if we would just buy their products or services, everything would be OK. You have seen these solicitations, I’m sure.
Perhaps some of these offers really could help us, yet we hesitate for our own reasons. When it comes to such solicitations, I disregard them, knowing I will eventually get to these offers if and when I’m interested. I know these services could be valuable to my business, but evaluating the cost of not doing something or determining the cost of the associated risk is not easy.
I see similarities in regard to training employees concerning the HIPAA and HITECH (Health Insurance Portability and Accountability and Health Information Technology for Economic and Clinical Health) acts. The regulations related to HIPAA are something we know we need to address in light of the new implications for our industry as a result of the HITECH Act’s passage.
Many business owners and management professionals in the records and information management industry are likely wondering if training their employees on HIPAA and HITECH is something they need to worry about now and whether such training offers value.
I propose that HIPAA and HITECH training is something we really should be proactive about rather than assuming a breach or a similar event won’t happen to us. Understanding how these acts affect our industry is critical.
A CLOSER LOOK
It is difficult, if not impossible, to attach value to training. It can be hard to justify the expense because risk training is commonly viewed as unnecessary or as something that “can wait.” However, if an “event” were to happen, how much value would that training suddenly have?
Has your company taken the steps necessary to educate employees in these areas, or do you have a false sense of security, believing that because nothing has happened your business must be OK?
In regard to HITECH and HIPAA, are you aware that your clients who are considered covered entities are required to audit your policies and procedures? If your policies and procedures are outdated and do not reflect the recent changes initiated by HITECH, what do you do?
Do you have vendor agreements with the organizations that come into your facility to perform services? Do you have subcontractor agreements with the firms that perform services for you outside of your facility, such as a third-party shredding company?
Here at Kent Record Management (KRM), we have taken steps to further educate each of our employees regarding the changes in HIPAA. KRM was proactive concerning the seriousness of the changes that took effect this past February. In July of 2009, I became a Certified HIPAA Professional to assist KRM in complying with HIPAA regulations. In July of 2009 and for the next four months, we drilled down into the monster that is HIPAA/HITECH, creating what we call a “record center version.” We took only the relevant laws that applied to our company as a business associate of a covered entity and focused the training on those things that our employees need to know.
AREAS OF CONCERN
We believe that training employees on HIPAA/HITECH instilled confidence not only in our current clients but in our prospects as well that we are on top of the game, securely protecting the information they trust us with and pay us to protect.
Most of HIPAA doesn’t severely impact our industry, but the parts that do apply could present significant fines and penalties for violations or breaches that we are found to be responsible for.
The changes under HITECH can greatly affect records centers and the storage industry as a whole, unlike previous regulations. If electronic PHI (patient health information) is stored at your facility, HITECH applies to you. We are just as responsible, liable and accountable as a hospital or other covered entity for safeguarding PHI. Record centers are now responsible if a breach of PHI occurs while that information is under our care.
Our employees are our greatest risk because of the volume of PHI they handle inside our facilities (defined as “use”) as well as outside of the records center (defined as “disclosure”). Senior management with the greatest access to PHI represents a risk that should not be overlooked.
We formed a compliance team that developed or examined our privacy impact analysis, risk analysis, risk management reports, business impact analysis, disaster recovery plan, business continuity plan, emergency-mode operation plan, data backup plan and testing and revision procedures. That compliance team also revised our policy and procedure manual to include the HIPAA/HITECH changes. We had to take a closer look at everything that we do, correctly identifying our greatest breach risks and making the necessary adjustments to policies, procedures or practices.
Records centers should no longer assume that because we’ve never had a major breach event that we are in the clear. The potential fines and penalties associated with a breach are great enough to prompt KRM’s compliance team to regularly meet to analyze how we do what we do on an ongoing basis.
The process of evaluating the impact of the HITECH Act was expensive and time-consuming, and it didn’t generate any revenue. However, the process was well worth the time. We noticed an immediate impact in record center quality control and employee concern. Our employees were amazed when they learned what could happen if they made mistakes regarding the handling of PHI and were grateful to be aware of the risks to the organization and themselves.
THE RISKS
Our program helped our employees get a better understanding of the expectations placed on business associates and explained the consequences of failing to comply. Our desire is to share this experience and help as many records centers as we can by offering an affordable training option. As an actively involved member of PRISM International, KRM decided to market our HIPAA/HITECH training program at its conference in Reno, Nev.
KRM has grown its professional services to include consulting on building business cases for electronic records management systems, managing electronic records and developing disaster recovery plans.
Failure to revise your business practice to reflect the changes to HIPAA as a result of HITECH may eventually lead to long-term problems. Regardless of a records center’s size, the risks remain the same.
In my training, I compare the new HIPAA/HITECH requirements to a speed limit sign. No matter what the posted speed limit is, there are always going to be people who can justify speeding. They believe they can go as fast as they want, regardless of the law. Then, when they are caught and large fines are incurred, they blame the police officer for enforcing the law.
The average cost of a HIPAA breach in 2009 was $750,000. We as record centers are no longer going to get a proverbial speeding ticket but may lose our cars because of a seemingly light offense.
We chose to protect ourselves from this risk, and I hope you will too.
The author is the director of human resources for Kent Record Management, Grand Rapids, Mich., and a certified HIPAA professional. He can be contacted at training@kentrecords.com.