Pulmonology Coding Alert

You aren't HIPAA compliant if you don't have a compliance officer.

As practices nationwide prepare for upcoming HIPAA audits, it might appear as if everyone has a HIPAA plan well in place-but that's not the reality for many small groups across the country, a recent survey reveals. "Practices, large or small, may not even be aware that they could be selected for review," reveals Carol Pohlig, BSN, RN, CPC, ACS, senior coding & education specialist at the Hospital of the University of Pennsylvania.

Fact: Some 30 percent of small practices have yet to create a compliance plan, while 54 percent haven't appointed security or privacy officers, according to a recent survey by practice management software provider NueMD. The majority of the 927 practices that NueMD polled had fewer than four providers on staff, offering a unique glimpse into how small offices handle their privacy compliance.

NueMD's Caleb Clark shares what the findings mean for health care offices everywhere.

Check the Motivation Levels of Your Team

Although the NueMD survey highlighted the fact that many practices still have holes in their compliance plans, that wasn't the most surprising finding from the results.

HIPAA Awareness does not match implementation: "What we found the most interesting was that when comparing this year's results with findings from our 2014 HIPAA Survey, awareness is outpacing the actual steps toward compliance," Clarke says. "In other words, a lot more practices are aware of HIPAA, but not so many are doing anything about it. So our recent efforts have shifted from simply introducing HIPAA to them in a broad sense toward really exploring the active steps required in becoming compliant."

If your practice managers don't seem particularly interested in implementing a HIPAA plan, remind them that compliance is required - before it's too late.

"The fastest way to become interested in HIPAA audits is probably to be audited, but no one wants to learn that way," Clarke says.

Because the Department of Health and Human Services (HHS) has been slow in enforcing the HIPAA policy, many practices have taken extra time to solidify their HIPAA plans, Clarke says-but that isn't the only issue that's delaying them.

"Overall, it seems like the practices that aren't making as much progress have legitimate questions as to how to proceed," says Clarke. "They need help. And the best way we've found to provide that is by spreading the word. Our hope is that by publishing pieces like our survey findings, we can draw attention to the areas that need the most improvement, and ultimately lead those practices to compliance."

Lacking Privacy Officer Can Have Terrible Implications

The NueMD survey highlighted the fact that majority of small practices haven't yet appointed a security or privacy officer, which can create huge risks for practices down the road.

Saving money on a privacy officer turns expensive: "An obvious risk is that without officers, no one is responsible for maintaining compliance," Clarke says. "But it's actually even simpler than that. A practice that hasn't designated officers can't be HIPAA compliant. Appointing them is a basic requirement of HIPAA. So all security risks aside, there are very real financial risks at stake when government audits come into the picture. Officers are completely fundamental to the compliance process."

Final takeaway: If your practice is behind on your HIPAA compliance, the first step you should take in moving toward readiness is to get informed. "Be informed of the necessary step, and be informed of the audit protocol as this may help your practice to identify its areas of weakness," advises Pohlig. For more information, please visit http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html.

Resource: To read the entire NueMD survey results, visit www.nuemd.com/hipaa/survey/2016/.