Upcoming OCR Audits for HIPAA Compliance: How Prepared and Confident are Medical Practices and Billing Companies?

Transcription

1 Upcoming : How Prepared and Confident are Medical Practices and Billing Companies? - Presented by

2 NueMD a complete medical billing and practice management software solution company has partnered with Porter Research and The Daniel Brown Law Group to conduct a survey of physician practices and medical billing companies. The purpose of the survey is to gauge industry knowledge of HIPAA s Privacy and Security regulations, understanding of compliance measures, and how electronic devices are used for communication. This undertaking was initiated in order to get an overview of how providers perceive the upcoming Federal regulatory measures, what are the most common concerns, and how prepared are they for a possible audit from the Office for Civil Rights (OCR) of HHS. The results from this survey can be used to assist physician practices and medical billing companies in benchmarking their progress against peers, and learn what areas may require additional attention. Survey Respondents Nearly 1,200 healthcare professionals from across the nation took part in the survey, providing answers to questions related to their knowledge of HIPAA compliance as well as about their organization s electronic devices and related communication protocols. Survey respondents were asked about their job title at the beginning in order to identify individuals as management (owners, administrators and managers) or nonmanagerial staff members, as many of the survey questions were slightly altered based on their job function. Overall, survey participants can be characterized by Business Type (1,037 physician practices & 160 billing companies) as follows: Figure A 13% Business Type Breakdown 87% Physician Practices Billing Companies The largest Business Type segment Physician Practices can be more granularly observed by the Ownership Role of the survey respondent, as well as by the Physician-Member Practice Size for better clarity: Figure B Survey Participant also Business Owner. 53% 47% Owner Not Owner visit Page 2

3 Figure C Physician-Member Practice Size 17% 11% 72% 1-3 Physicians 4-10 Physicians Over 10 Physicians Knowledge of HIPAA All survey participants were initially asked about their knowledge of HIPAA s Privacy and Security Regulations with respect to Protected Health Information (PHI), as a baseline question to determine how the audience selfidentified their level of expertise on the overall subject. As shown below in Figure D, survey respondents were asked to rate their knowledge level on a scale of 1 to 5, with 1 as having "No Knowledge" and 5 being an "Expert." Figure D Knowledge of HIPAA, PHI 10% 1% 6% 55% selected top two tiers 38% 45% More than half (55%) of the respondents selected the top two tiers, with 10% selecting a 5 and 45% choosing a 4, in regards to their knowledge in dealing with HIPAA compliance rules as it relates to their organization. The next step in the survey was to delve deeper into specific areas of HIPAA s Privacy and Security Regulations, in order to better evaluate individual metrics. Survey participants were asked if they were aware of the current Omnibus updates related to HIPAA compliance, which broaden the parameters and increase non-compliance penalties of earlier Federal regulations. A majority of respondents (66%) were aware of these updates prior to taking this survey. Additionally, participants were asked if they were aware that the Omnibus updates also required for their organization to establish Business Associate Agreements with third-party vendors that access their PHI. Most visit Page 3

4 (60%) were aware of the BAA requirements. Members of management were asked to describe their progress with evaluating BAA s with business associates that use PHI: 26% have evaluated ALL agreements. 21% have evaluated SOME agreements. 27% have NOT evaluated any agreements. 26% were Not sure. Because the OCR audits of physician practices, healthcare facilities and business associates to ensure HIPAA compliance could begin at any time, the question was asked, Are you aware of the upcoming audits and timeline? A majority (66%) stated that they were NOT aware before this survey brought it to their attention: Figure E OCR Audit Awareness 34% 66% No Next, the survey asked respondents about the sources they USE most, and what sources they TRUST most in keeping up-to-date with healthcare policy and regulation. The graph below represents the two categories: Figure F Yes Sources USED Most, & Sources TRUSTED Most 41% 15% 10% 4% 2% 28% 13% 10% 4% 5% 23% 24% 12% 9% Used Most Trusted Most As shown above in Figure F, the Government as a source rated highest in both USE and TRUST, probably not surprising since the regulatory and compliance rules come directly from the government. However, it is interesting to note the significant difference between the amount of TRUST (41%) that the survey audience has in the available governmental sources, and its actual USE (28%). visit Page 4

5 HIPAA Compliance Survey participants were then asked a series of questions about their organization s HIPAA compliance plan and specific areas of compliance to gain an understanding of where the industry stands today. These questions can be used for benchmarking purposes for individual physician practices and billing companies and to help evaluate their own HIPAA compliance plans of action. Members of management (business owners, administrators and managers) were asked, Has your business adopted a HIPAA-required compliance plan within the last year? The majority (63%) stated Yes, as represented below: Figure G Adopted HIPAA compliance plan within last year 24% 13% 63% In order to find out more about the survey participants organizational HIPAA compliance plan, management respondents were asked if they have provided its workforce with annual training on HIPAA privacy and security policies and procedures. Conversely, non-managerial staff members were asked if they have received such training within the last year. Below are the responses from the two groups: Figure H Yes No I'm not sure HIPAA Annual Training Management 63% 31% 6% Staff Members 59% 33% 8% Yes No Not Sure Survey respondents who were identified as management were then asked if they have documented proof of HIPAA training for their staff that took place within the last year. Management: Yes (48%); No (42%); and Not sure (10%). Participants identified as staff members were given a slightly altered question asking if they have documented proof of HIPAA training they received within the last year. Staff Members: Yes (50%); No (36%); and Not sure (14%). visit Page 5

6 Continuing with the variation of questioning between management and staff members, respondents were asked about having a HIPAA security officer and a privacy officer. Business owners, administrators and managers were asked if their organization has formally appointed a HIPAA security officer and a privacy officer, and the response was identical for both positions: Management: Yes (55%); No (39%); and Not sure (6%). When staff members were asked if they knew the specific name and contact information of these particular officers, they also responded similarly: Staff Members: Security officer - Yes (60%) and No (40%). Staff Members: Privacy officer - Yes (61%) and No (39%). Survey participants were asked if their organization has a formal policy for PHI breach notifications, and they replied: Figure I Breach Notification Policy Management 48% 38% 14% Staff Members 43% 22% 35% And, in regards to PHI, participants were asked if their business has performed a HIPAA-required PHI risk analysis to assess how and where inappropriate disclosures are likely to occur, as represented below: Figure J Yes No Not Sure Performed PHI Risk Analysis Management 38% 49% 13% Staff Members 30% 30% 40% Yes No Not Sure For the previous question about performing a PHI risk analysis, as represented in Figure J, respondents who answered Yes were given a follow-up question, Which best describes your method of conducting the analysis? Of the 328 survey participants who described their company s methodology, the responses were: 79% were conducted using only internal staff members (no outside assistance) 21% were conducted using the assistance of an outside professional (lawyer, HIPAA expert, etc.) visit Page 6

7 PHI Electronic Devices & Communications HIPAA regulations require that all electronic devices (computers, laptops, mobile phones, electronic tablets and pads, etc.) that contain PHI must be cataloged. Management personnel were asked to select from a list of categories that best describes their progress in this endeavor. The breakdown of device cataloging among owners, administrators and managers is as follows: Figure K Electronic devices with PHI that are cataloged 76% to 100% of devices with PHI cataloged 29% 51% to 75% of devices with PHI cataloged 26% to 50% of devices with PHI cataloged 1% to 25% of devices with PHI cataloged 7% 9% 9% None of the devices with PHI cataloged 25% I'm not sure 21% At least 54% of survey respondents are somewhere in the cataloging process according to the above chart. Continuing with related questions, participants were asked, How confident are you that your organization s electronic devices that contain PHI are HIPAA compliant? The response was: Management: Very Confident (34%); Somewhat Confident (50%); and Not Confident at All (16%). Staff Members: Very Confident (45%); Somewhat Confident (44%); and Not Confident at All (11%). At physician practices, members of management were asked if their business uses mobile devices (mobile phones, tablets, etc.) for charge capture. The majority (78%) of responses were No, with 18% stating Yes and 4% were Not sure. Management personnel from both physician practices and billing companies were asked if their business uses mobile devices to communicate with patients, while staff members were asked if they personally use mobile devices for patient communication: Management: Yes (39%); No (59%); and Not sure (2%). Staff Members: Yes (26%) and No (74%). Management respondents were then asked if staff members at their organization use mobile devices to communicate with other staff members for business purposes. Staff members had an altered question, which asked if they personally use mobile devices to communicate with other staff members for business purposes. The two groups stated: Management: Yes (47%); No (52%); and Not sure (1%). Staff Members: Yes (48%) and No (52%). visit Page 7

8 Healthcare professionals who share clinical data or other patient information using their own personal electronic devices could expose their employers to HIPAA violations as OCR is expected to toughen violations that stem from the use of unsecure communication devices that store or transfer PHI. These outside devices, which are not protected by a HIPAA-compliant secure firewall, could send private patient information over a network that can typically make several stops, such as from cellular tower to tower, where the data could be cached on local servers operated by the networking provider. Since many of the following questions have to do with business as compared with personal use of electronic devices, the survey continued to have varied questions between management and staff members. Owners, administrators, and managers were asked about their overall confidence level as to whether or not their business mobile devices are HIPAA compliant. Staff members were asked about their HIPAA compliant confidence related to the mobile devices they personally used for business purposes. They stated: Management: Very Confident (28%); Somewhat Confident (43%); and Not Confident at All (29%). Staff Members: Very Confident (33%); Somewhat Confident (42%); and Not Confident at All (25%). The next series of questions cover the topic of electronic communications, specifically using , texting, and social media. Survey participants who were identified as management were asked if their business uses to communicate with patients, while those identified as staff members were asked if they personally use for patient communication. They stated: Management: Yes (56%); No (43%); and Not sure (1%). Staff Members: Yes (46%) and No (54%). Management and staff members were asked, respectively: If staff members at their business use to communicate with other staff members? If they personally use to communicate with other staff members for business purposes? Management: Yes (60%); No (39%); and Not sure (1%). Staff Members: Yes (79%) and No (21%). In reply to the question, Considering business use only, do staff members use their own personal accounts, accounts issued by your company, or both?, the business owners, administrators and managers stated: 67% -- Staff use only accounts issued by our company. 19% -- Staff use both their own personal accounts and accounts issued by our company. 11% -- Staff use only their own personal accounts. 3% -- I'm not sure. Staff members were also asked about their personal usage of s as it relates to business communication, and they said: 74% -- I use only accounts issued by company. 16% -- I use both my own personal accounts and accounts issued by company. 9% -- I use only my own personal accounts. 1% -- I'm not sure. Asked how confident the survey participant is that their business communication via is HIPAA compliant, they replied: Management: Very Confident (40%); Somewhat Confident (44%); and Not Confident at All (16%). Staff Members: Very Confident (53%); Somewhat Confident (35%); and Not Confident at All (12%). visit Page 8

9 Management personnel were asked if their business uses texting to communicate with patients, while staff members were asked if they personally use texting for patient communication. The two groups replied: Management: Yes (27%); No (71%); and Not sure (2%). Staff Members: Yes (16%) and No (84%). Management and staff members were asked, respectively: If staff members at their organization use texting to communicate with other staff members for business purposes? If they personally use texting to communicate with other staff members for business purposes? The responses were: Management: Yes (39%); No (58%); and Not sure (3%). Staff Members: Yes (41%) and No (59%). Next, survey respondents were asked about their confidence as to whether or not their business communication sent via texting was HIPAA compliant. The two groups stated: Management: Very Confident (29%); Somewhat Confident (40%); and Not Confident at All (31%). Staff Members: Very Confident (38%); Somewhat Confident (35%); and Not Confident at All (27%). Business owners, administrators and managers were asked if their organization uses social media to communicate with patients, while staff members were asked if they personally use social media for patient communication. Responses were: Management: Yes (12%); No (86%); and Not sure (2%). Staff Members: Yes (8%) and No (92%). Management personnel were asked if staff members at their organization use social media to communicate with other staff members for business purposes, while staff members were asked if they personally use social media to communicate with other staff members for business purposes. The two groups shared: Management: Yes (4%); No (93%); and Not sure (3%). Staff Members: Yes (3%) and No (97%). Asked how confident the survey participant is that their business communication via social media is HIPAA compliant, they replied: Management: Very Confident (53%); Somewhat Confident (27%); and Not Confident at All (20%). Staff Members: Very Confident (45%); Somewhat Confident (29%); and Not Confident at All (26%). In concluding the survey, all participants were asked, How confident are you that someone at your business is actively ensuring your business's compliance with HIPAA? The overall survey responses were: 40% stated Very Confident 43% stated Somewhat Confident 17% stated Not Confident at All For more information about the results of this survey, please send an to with your specific question(s). visit Page 9