On Sept. 23, 2013, the new HIPAA omnibus final rule goes into effect. There are several updates ambulatory surgery centers need to address to become compliant with the new regulations. "As the September 23 deadline approaches, ASCs in general and their administrators need to start preparing for this rule because auditors are going to be out there to see if they are following it," says Nelson Gomes, president and CEO of PriorityOne Group. "While you should, of course attempt to have everything in place by the deadline, you will at the very least need to show that you're actively working on implementing changes and updating your processes to become compliant with the new HIPAA requirements included in the rule."
As the government begins implementing new programs under healthcare reform, auditors will be paying closer attention to healthcare facilities and are more likely to slap heavy fines on those that aren't compliant.
"HIPAA compliance has been required for many years but there hasn't been much enforcement or attention paid to it," says Wiks Moffat, president of MedSafe. "That's going to change. The main thing is you need to make sure your documentation, policies and procedures are pulled together in your facility. You can't just buy the AMA manual, put it on the shelf and call yourself compliant. You have to sit down, read it and figure out how it pertains to your organization."Here are nine steps to achieve and maintain compliance under the HIPAA omnibus final rule.
1. Update old policies and procedures. The changing rules require ASCs to update their HIPAA compliance policies and procedures, and auditors will be looking for these updates in an ASC's logs. "Nobody plans on being audited," says Michael Daly, senior systems engineer/HIPAA security officer for PriorityOne. "You might not be audited in the next five years, but you should plan for the worst. Have a plan ready if the auditor walks through the door; you should have all your information changed and employees educated on those changes."
The updated policies and procedures can be displayed in a secure location online so ASC employees and business associates can easily access them. "This is especially convenient for ASC management companies with multiple centers across the country," says Mr. Gomes. "They can review the different policies for each center."
2. Check for compliance with business partners. As surgery centers increasingly turn to electronic medical records, their technology companies are tasked with making sure patient information is stored in a HIPAA-compliant manner.
"As a covered entity, ASCs have the obligation to make sure their business associate agreements are in place," says Mr. Gomes. "When you bring in an outside company, like PriorityOne, the burden for HIPAA compliance comes off the ASC's administrator and sits on us."
Business associates will now come under the same regulations as the ASC. "While an ASC administrator should not have to worry about their business associates maintaining or managing their patient data, the administrator needs to make sure that the business associates they do business with are HIPAA compliant and have documented policies in place to prevent any breach issues," Mr. Daly says. "If a breach occurs due to a lack of security with the business associate, the business associate will get hit with the civil penalties. The ASC may also face penalties depending on what the Office for Civil Rights investigation reveals. Ultimately, the ASC will get hurt as well since its patient data has been breached; not only is this a potential financial issue but it's a patient trust issue as well."
This makes it imperative for ASCs to validate that their business associates are HIPAA compliant and prepared to properly respond to a breach, says Mr. Moffat. "Business associates need to have programs in place to notify the ASC if a breach occurs. The responsibility of ASCs has greatly expanded because they now have to track and manage their business associates to make sure they are compliant and maintain this compliance."
3. Identify a security officer. The updated rules specify that ASCs need a security officer. This could be an employee or physician who takes charge of the HIPAA compliance program, or the person in charge of calling a third-party vendor when needed.
"The security officer should understand what they are responsible for," says Mr. Gomes. "You have to have someone fill that position because if you don't, you're in trouble. If you show you are in the process of training and developing that person, it's safer than having nothing. That person might just be responsible for calling the vendor in the event of an audit or breach, but you have to have at least one person with that assigned responsibility."
4. Educate employees on keeping patient data safe. Part of becoming and maintaining compliance is employee education and staff training. "ASCs need to make sure all employees are educated on how to keep patient data safe," says Mr. Daly. "Employees should know how to keep patient data properly protected; this is extremely important for a busy ASC environment. When patients go from the operating room to the recovery area, know how many times their information is seen and make sure the right eyes are seeing it."
A compliance committee can coordinate these efforts. "The main thing is to make sure everyone knows about the changes and has been trained on them," says Mr. Moffat. "You can write up your compliance plan, record the training and make sure all new employees are trained when they come on board. You need a mechanism in place to stay atop of these regulations."
5. Track data from the point of capture to where it's stored. Mr. Gomes suggests putting an audit trail in place to follow data entered by patients and nurses to detect and eliminate any potential for a breach. "If someone from the outside is connected remotely to the ASC for billing, that person should be secure," he says. "We have to capture the logs that are recording when that person accesses patient information. When they connect to the ASC, there must be protection and security around the information."
A virtual private network can be encrypted to prevent unwanted and unwelcomed people from viewing that information. Extend this encryption to email interaction with patients so private emails with patient information aren't sent through the regular email. "If you send patient information over regular email, you are raising the risk of a breach," says Mr. Gomes. "We do preventative testing with our clients every quarter to identify what the staff and center is doing for security and compliance to make sure they are following the standards they've put in place to meet requirements."
6. Recognize a breach. A breach occurs any time protected health information falls into the wrong hands. Even if the data is encrypted and an outside party is unable to view the secure data, the breach should still be reported and the reason it occurred should be addressed.
"Address the breach by figuring out how it occurred and document the steps you took to resolve it," says Mr. Moffat. "You really need to have all your policies and procedures in place so people know what to do and can act in a compliant fashion."
Scan all IT equipment, from monitors to smart phones to servers and firewalls, to make sure there aren't any gaps. "The government isn't saying that putting together a compliance program means you won't have any breaches," says Mr. Moffat. "On the contrary, they are saying they know you will have a breach and they want to make sure you can identify it and resolve it. That's why having a compliance program is important."
7. Plan for what happens after a breach. There are certain aspects of a breach that HHS requires surgery centers to report after they occur, and others the surgery center can make public. "The first step any administrator should be doing right now if they don't have a plan in place for a breach is to have someone conduct a risk analysis for security compliance," says Mr. Gomes. "The analysis can identify security gaps, and your IT vendor can help your team figure out how to fill those gaps, how long it will take and what it will cost."
After combing through the findings in great detail, your staff will be better equipped to devise a plan to address problem areas. "This is typically a cookie-cutter plan, but specifics can vary from one ASC to another," says Mr. Gomes. "Make sure you partner with the right vendor that can help you through the process. There are already audits taking place and some centers don't know what to do."
In the event that your ASC still experiences a breach, you need to have a plan already in place that walks you through the steps you need to take to address it. "Having a documented plan in place to report a breach to your HIPAA security officer is a requirement of the HIPAA Security Rule," Daly says. "Notification should begin as soon as a breach is identified."
8. Consolidate information storage. As surgery centers upgrade technology and move to electronic medical records, they may have patient information stored in a variety of settings. "Many ASCs are finding themselves in an uncomfortable position right now because they have paper records, removable storage and dummy terminals all with patient information that must be secure," says Mr. Moffat. "It's very difficult to wrap your arms around all this information if some records are stored offsite and others are in the nurse's desk or in the physician's basement."
Locate all patient records and devise a plan to keep it secure. "Ten years from now everything will be on EMR, but right now ASCs have paper records all over the place and it's leading to a lot of breaches," Mr. Moffat says.
9. Stay compliant after you get there. It can be challenging to stay in compliance once you get there. "You can either do it yourself or hire a consulting firm to help you, or a combination of them both," says Mr. Moffat. "If you go with a consulting firm, make sure they have a thorough assessment program and are actually going to ensure their recommendations are implemented."
Reevaluate the program on a regular scheduled basis. "There is no regulation on this, but generally a compliance committee will meet on a quarterly basis and review compliance information," says Mr. Moffat. "If you are doing this and you get audited, you are going to be in pretty good shape."
More Articles on Surgery Centers:
Is ASC Litigation on the Rise?
5 Surgery Center Joint Venture Models
36 Statistics on Surgery Center Case Volume Mix by OR