While large healthcare systems have come to grips with HIPAA Rules and have implemented controls to safeguard ePHI from external and internal threats, small practices are still struggling with their compliance efforts, according to a recent survey conducted by NueMD.
NueMD surveyed 900 healthcare professionals last month to gain an insight into how small healthcare organizations are faring with their compliance efforts ahead of the next round of OCR compliance audits which are due to recommence this year.
588 respondents worked in practices employing 1-3 physicians, and 131 were from practices employing 4-10 providers. 80 larger practices that employ over 10 healthcare providers also took part in the survey. 86% of respondents were from medical practices and 6% worked for billing companies.
The survey produced some surprising and worrying results.
- 60% of respondents were unaware of the upcoming HIPAA compliance audits
- Only 69% of respondents were aware of the 2013 Omnibus Rule
- 30% didn’t have a HIPAA compliance plan in place
- Only 58% conducted annual staff training on HIPAA Rules
- Only 68% were aware they needed Business Associate Agreements to work with vendors
NueMD previously conducted the survey in 2014 when the second round of OCR HIPAA compliance audits were scheduled to start. The audits were delayed which has given small practices a further two years to raise data privacy and security standards up to those demanded by HIPAA. During that time, some small practices have made improvements but many have not made much progress toward HIPAA compliance.
In 2014, 58% of respondents said they had a compliance plan in place. Two years on, that figure has risen to 70%. However, three out of ten small practices still do not have a compliance plan at all.
The HIPAA failures uncovered by NueMD are extensive. Portable storage devices are being used to store ePHI, yet only a third of small practices were cataloging their devices. Technology was being used to communicate with patients (45% used mobiles, 58% used emails, 35% sent text messages, and 15% used social media channels), yet only 37% of respondents were very confident that these communication channels were HIPAA-compliant.
Some small improvements appear to have been made over the past two years, but there is still a long way to go and small practices may have almost run out of time. If selected for audit, many could find that their lack of attention to the HIPAA Privacy and Security Rules results in a financial penalty.
Since conducting the survey, NueMD has partnered with Total HIPAA Compliance and healthcare attorney Daniel Brown, Esq. and will be conducting a series of webinars specifically aimed at small healthcare providers in an attempt to improve understanding of their obligations under HIPAA.