Share this article on:
While large healthcare systems have mostly got to grips with HIPAA Rules and implemented controls to safeguard ePHI from external and internal threats, HIPAA compliance for small medical practices remains a problem according to a recent survey conducted by NueMD.
NueMD surveyed 900 healthcare professionals last month to gain an insight into how small medical practices are faring with their compliance efforts ahead of the next round of OCR compliance audits due later this year.
588 respondents worked in practices employing 1-3 physicians, 131 were from practices employing 4-10 providers. 80 larger practices that employ over 10 healthcare providers also took part in the survey. 86% of respondents were from medical practices and 6% worked in billing companies.
The survey produced some surprising and worrying results.
- 60% of respondents were unaware of the upcoming HIPAA compliance audits
- Only 69% of respondents were aware of the 2013 Omnibus Rule
- 30% did not have a HIPAA compliance plan in place
- Only 58% conducted annual staff training on HIPAA Rules
- Only 68% were aware they needed Business Associate Agreements to work with vendors
Survey Shows Only a Slight Improvement from 2014
NueMD previously conducted the survey in 2014 when the second round of OCR HIPAA compliance audits were scheduled to start. The audits were delayed, giving small practices a further two years to raise data privacy and security standards up to those demanded by HIPAA.
During that time, some small practices have made improvements, but HIPAA compliance for small medical practices is only marginally less of a problem now than it was then. In 2014, 58% of respondents said they had a compliance plan in place. Two years on and that figure has risen to 69%. However, more than three out of ten small practices still do not have a compliance plan at all.
Extensive Failures in HIPAA Compliance for Small Medical Practices
The HIPAA failures uncovered by NueMD are extensive. Portable storage devices are being used to store ePHI, yet only a third of small practices were cataloging their devices. Technology was being used to communicate with patients (45% used mobiles, 58% used emails, 35% sent text messages, and 15% used social media channels), yet only 37% of respondents were very confident that these communication channels were HIPAA-compliant.
Possibly more concerning was that relatively few respondents to the survey were “very confident” that somebody within their business was actively ensuring the business´s operations were compliant with HIPAA. Only 40% of those questioned responded that they were “very confident”, 43% were unsure, and 17% answered that there was nobody ensuring HIPAA compliance for small medical practices within their organization.
Some small improvements appear to have been made over the past two years, but there is still a long way to go and small practices may have almost run out time. If selected for audit, many could find their lack of attention to HIPAA Privacy and Security Rules could result in a financial penalty being issued.