Ambulatory surgery center owners and operators have always focused on HIPAA compliance, but there are new rules and more challenges ahead, according to panelists at the Becker’s 21st Annual Ambulatory Surgery Center Conference in Chicago on Oct. 23.
The panel, titled “Ensuring HIPAA Compliance in ASCs: New Rules, More Challenges, Higher Penalties,” featured Nelson Gomes, president and CEO of PriorityOne Group; Wiks Moffat, principal and founder of MedSafe; Cheryl Ezerskis, MLT, CPA, CASC, executive director of West Parkway Ambulatory Surgery Center; and Holly Carnell, an attorney at McGuireWoods. Meggan Michelle Bushee, JD, partner at McGuireWoods, moderated the panel.
The panel identified several HIPAA compliance challenges for ASCs and offered thoughts on how to make sure centers are compliant:
“It’s really about training your employees and documentation,” said Mr. Moffat. “If a center identifies an employee responsible for a breach, they should be able to show documentation that that person was trained in what they were supposed to do, document the problem and how it was fixed. The common business issue I see a lot is getting executive management to commit resources and time.”
One of the most common breaches today occurs on social media. Patients, staff and physicians are posting on social media and ASCs need social media policies to make sure patient information isn’t breached.
“This is something a lot of folks don’t train on or don’t train on enough,” said Ms. Carnell. “Even when people know they aren’t supposed to post PHI, they don’t really think about it as PHI. You want to have a social media policy and train, train, train. You don’t have to train on everything all the time, but every training should have a focus.”
Ms. Ezerskis tries to give practical experience once per month; sometimes in formal meetings, but other times in the lunch room. She strives to make sure the physicians and staff can relate the training to their everyday routine to identify potential issues before they happen.
“Make sure everyone understands to measure, implement and talk about that,” she said. “You want them to think about the things you don’t know about now. Make the training fun and realistic. Not everyone understands these issues from just reading guidelines on paper.”
Mr. Gomes suggests focusing on people, process and technology. “It’s important for people to understand where they are with the security and privacy efforts,” he said. “Give them a report to show your findings, identify gaps and provide them with a timeline for fixing it and what the costs will be. Know what you’ve done to be proactive. Planning and understanding what needs to be done is important.”
The panel, titled “Ensuring HIPAA Compliance in ASCs: New Rules, More Challenges, Higher Penalties,” featured Nelson Gomes, president and CEO of PriorityOne Group; Wiks Moffat, principal and founder of MedSafe; Cheryl Ezerskis, MLT, CPA, CASC, executive director of West Parkway Ambulatory Surgery Center; and Holly Carnell, an attorney at McGuireWoods. Meggan Michelle Bushee, JD, partner at McGuireWoods, moderated the panel.
The panel identified several HIPAA compliance challenges for ASCs and offered thoughts on how to make sure centers are compliant:
- Make sure staff know security measures for patient data
- Engage business associates to make sure they are HIPAA compliant
- Train employees continuously on breach protocol
- Individualize paperwork for your center, paying attention to federal and state regulations
- Track and document HIPAA compliance training
“It’s really about training your employees and documentation,” said Mr. Moffat. “If a center identifies an employee responsible for a breach, they should be able to show documentation that that person was trained in what they were supposed to do, document the problem and how it was fixed. The common business issue I see a lot is getting executive management to commit resources and time.”
One of the most common breaches today occurs on social media. Patients, staff and physicians are posting on social media and ASCs need social media policies to make sure patient information isn’t breached.
“This is something a lot of folks don’t train on or don’t train on enough,” said Ms. Carnell. “Even when people know they aren’t supposed to post PHI, they don’t really think about it as PHI. You want to have a social media policy and train, train, train. You don’t have to train on everything all the time, but every training should have a focus.”
Ms. Ezerskis tries to give practical experience once per month; sometimes in formal meetings, but other times in the lunch room. She strives to make sure the physicians and staff can relate the training to their everyday routine to identify potential issues before they happen.
“Make sure everyone understands to measure, implement and talk about that,” she said. “You want them to think about the things you don’t know about now. Make the training fun and realistic. Not everyone understands these issues from just reading guidelines on paper.”
Mr. Gomes suggests focusing on people, process and technology. “It’s important for people to understand where they are with the security and privacy efforts,” he said. “Give them a report to show your findings, identify gaps and provide them with a timeline for fixing it and what the costs will be. Know what you’ve done to be proactive. Planning and understanding what needs to be done is important.”