Skip to main content
Free Billing Consultation
Back to Blog

How to Assess Practice Risk to HIPAA and the HITECH Act

August 19, 2013
by Simon Hughes
Dot grid in the shape of the USA with many highlighted dots.

Assess Practice Risk to HIPAA and the HITECH ActSince President Obama signed the HITECH Act (Health Information Technology for Economic and Clinical Health Act) in February 2009, the relationship between and influence of the Act on HIPAA (Health Information Portability and Accountability) has drawn physician and practice manager attention to effective risk assessment.

American Health Lawyers Association Recommendation

This group recommends that practice professionals approach risk assessment regarding HIPAA and HITEC as a component of an Enterprise Risk Management (ERM) program. ERM, used by public and private corporations around the globe, is an ongoing decision-making program. In the healthcare industry, the board of directors or executive administrators typically design, install and use their plan to assess and reduce risk of all areas of patient care, compliance and to maximize the return on investment.

The Association reminds executives and administrators that Section 6401 of the Affordable Care Act requires that medical providers establish a compliance program as a condition of enrollment in the coming affordable healthcare legislation.

Risk Assessment Parameters

The core fundamentals of risk assessment programs, common to most businesses, regardless of industry, are familiar to many veteran executives. Components include the following items.

  • Written policy and procedure manuals.
  • Designating a Compliance Officer and/or Compliance Committee.
  • Providing staff with thorough training and education.
  • Disciplinary standards that are clearly defined.
  • A workable monitoring and auditing program.
  • Written response plan to mitigate losses.

Your risk assessment and compliance program should be as specific as you can make it. While it is impossible to address every possible eventuality, noting every potential risk you can identify in your policy and procedure manuals helps your staff manage their daily responsibilities more efficiently—with less risk.

Have the Compliance Officer or Committee monitor staff to be sure they follow the procedures your program mandates. Spend the time to write a plan to respond to increased risks your Compliance Officer discovers. This encourages fast action by your Compliance Officer or Committee to lower losses and quickly solve perceived risk issues.

The CMS (Centers for Medicare & Medicaid Services) Manual outlines the risk assessment compliance program guidelines, which emphasize the following issues.

  • Prevention, detection and correction of non-compliance conditions.
  • Identifying and reducing fraud, abuse and waste.

Evaluating Risk Involving HIPAA and the HITECH Act

Compliance program guidelines specify three assessments providers should conduct. These actions also fit ERM parameters and guidelines, along with being specified by the Code of Federal Regulations (C.F.R.).

  • Security Evaluation. This is required under the Security Rule section and applies to providers, business associates or partners and subcontractors alike. All must “perform periodic technical and nontechnical evaluations . . .” when responding to environmental or operational changes affecting the security of electronic health information protected by law.
  • Risk Assessment of Specific Items. This is required under Security Rule stated at 45 C.F.R. (Code of Federal Regulations), section 164.308(a)(a)(ii)(A). Highly technical, this requirement should be performed per NIST SP800-30, Revision 1 Guide for Conducting Risk Assessments.
  • Risk of Harm Assessment. A requirement of the Breach Notification Rules, the practice must address “the implications and notification requirements” that are part of its ERM program.

The bottom line is that physicians must complete these three assessments and design an overall ERM plan that addresses as many risk issues as they can identify for their specific practices. It is vital that all medical providers create an organizational risk assessment program that encourages long-term compliance with HIPAA, the HITECH Act and all other regulations that apply.

Designing an ERM plan, as described, makes assessing potential practice risk of and avoiding HIPAA, HITECH Act and other regulation violations become normal operating procedure instead of compliance or loss practice crises.

{{cta(’39a5381b-9ccb-43fb-a2eb-ddef8c57a968′)}}

Image courtesy of www.nysscpa.org

More Insights & Posts

April 22, 2024

The Value of Chronic Pain to an Anesthesia Practice: What Is It and How Is It Best Realized?

Anesthesia providers distinguish themselves by virtue of their ability to manage all types of pain. While most of their time and energy is focused on the acute pain related to surgical procedures and deliveries, many providers also consider themselves qualified to manage chronic intractable pain. The result can be two very distinct types of practice. […]

Read More
April 19, 2024

BCBS To Discontinue Physical Status Payments

Last week, we sent out a special alert advising our readers of a change in Aetna’s payment policy in connection with physical status (PS) modifiers on anesthesia claims. The payer announced it would no longer provide additional payment for PS 3-5, effective July 15 of this year. Not to be outdone, several of the “Blues” […]

Read More
April 17, 2024

2025 IPPS Proposed Rule: Highlights for Hospitals

On April 10, 2024, the Centers for Medicare and Medicaid Services (CMS) issued the fiscal year (FY) 2025 Medicare hospital inpatient prospective payment system (IPPS) proposed rule. While these provisions are not final, they do give current insight into the agency’s thinking in terms of a host of issues concerning the inpatient hospital setting, including […]

Read More

Get the Latest RCM News Delivered

Receive practical tips on medical billing and breaking news on RCM in your inbox.

Get in Touch