Posted In: Health Care
By Nicole M. Thorn on January 21, 2020
For most healthcare companies, compliance has been top of mind since the HIPAA laws were enacted in the 1990s. While some may still be struggling to develop a plan, most have had one in place for some time. However, 2020 is not the year to rest on the fact that your health care practice has a compliance plan. Last year, the Office of Inspector General (OIG) imposed a $2.14 million civil monetary penalty on a Florida-based hospital for, among other things, an ineffective compliance plan, which it claimed led to a number of HIPAA breaches. Although the hospital had a compliance plan, the OIG investigators said the hospital's HIPAA compliance program had been in "disarray for a number of years."
OIG cited a number of deficiencies in the hospital's HIPAA compliance plan. One was that the hospital's analysis erroneously reported that several HIPAA provisions did not apply to it. A previous security risk analysis failed to include all of the electronic protected health information (ePHI) the hospital creates, receives, maintains, and stores, and then failed to fully explore and identify the threats and vulnerabilities to that ePHI. Furthermore, the OIG found that even after other risks were identified, the hospital failed to take "reasonable and appropriate" measures to mitigate them. In fact, despite being performed by a third party, some sections of one year's security risk analysis were left blank.
The fact that OIG is scrutinizing a covered entity's security risk analysis should put us all on notice that a HIPAA compliance plan (1) must be fully executed and (2) must be a living document under which risks are actively reviewed and mitigated. Here are the seven elements of an effective compliance program according to the OIG and the Department of Justice (DOJ):
- Designate a compliance officer and compliance committee
- Implement written policies and standards of conduct
- Conduct effective training and education
- Develop effective lines of communication
- Conduct internal monitoring and auditing
- Publicize disciplinary guidelines
- Respond promptly to offenses/implement corrective action
The DOJ published updated guidance on effective compliance plans last year, and the OIG provided similar guidance in 2017. While there is a lot of information in these reports, one key factor the agencies instruct investigators to evaluate is the resources a company has dedicated to compliance. Compliance should be part of your health care business's everyday culture, not a binder collecting dust on a bookshelf. Make it your goal this year to do at least one compliance-related activity every month or every other month to ensure it stays top of mind.
“If you think compliance is expensive, try non-compliance.” – Former U.S. Deputy Attorney General Paul McNulty
Brouse McDowell’s Health Care Practice Group provides guidance to many types of health care companies related to HIPAA compliance. We realize this can be an overwhelming task and often the day-to-day of running a health care business does not leave much room for the necessary compliance duties. If you would like some assistance with policies and other compliance-related questions, please contact us.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for, legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney-client relationship is created or implied by this Blog. © 2022 Brouse McDowell. All rights reserved.