EyeWorld is the official news magazine of the American Society of Cataract & Refractive Surgery.
Issue link: https://digital.eyeworld.org/i/947241
10 Ophthalmology Business • March 2018

(continued from page 8)

...that record-breaking 2,000 took only 3 years. In addition to increasing its scrutiny of covered entities and BAs, the OCR is more aggressively imposing penalties for HIPAA violations. In 2015, OCR-issued fines totaled $6,193,000. In 2017, they reached as high as $19,393,200. Ophthalmic businesses looking to avoid adding to these costly violation totals must mimic the OCR and ramp up compliance programs.

Rising technological threat

If rising enforcement penalties are not enough incentive for ophthalmic businesses to implement HIPAA compliance plans, the added threat of rising technological data breaches may be. As technology improves, it is incorporated more and more into all aspects of the ophthalmic practice and ASC. The rising use of laptops and portable devices that house electronic health records and other patient information offers many conveniences, but these devices also present more vulnerabilities for attacks and accidental data breaches. The 2017 Cost of Data Breach Study conducted by Ponemon Institute revealed that the cost of a data breach in the U.S. has hit an all-time high at $7.35 million. "Compliance failures" were among the most common reasons for this 5% increase over last year, and according to a 2017 Carbon Black report, 68% of consumers stated they would leave their provider if a data breach occurred. Following best security practices can help mitigate the risks of data breaches and put medical businesses on the path to compliance. Unfortunately, many are unsure exactly what those best security practices are or how to implement them.

The total HIPAA solution

With compliance, there is no such thing as minimum effort, no "HIPAA lite." Current market solutions often only address pieces of compliance, such as Security Risk Assessments, policies and procedures, and training. These alone are not enough. To be fully compliant, ophthalmic businesses must address all requirements:

• Security, privacy, and administrative audits
• Gap identification
• Policies and procedures
• Employee training and attestation
• Business associate management (BA agreements and audit)
• Incident management

A dual approach to compliance, utilizing both HIPAA software tools and an outsourced compliance specialist, can simplify this laundry list and provide justifiable HIPAA confidence. How? The most effective compliance software options serve as a convenient, comprehensive repository for regulatory checklists (addressing the full scope of HIPAA, HITECH, and Omnibus requirements) and templates for BA agreements, confidentiality agreements, security and privacy policies, etc.

An outsourced compliance specialist then steps in to ensure that the monumental legwork required to utilize these tools takes up as little of the ophthalmic business' time as possible. He or she routinely performs compliance support missions, including leading users step-by-step through the software checklist, building a custom remediation plan, managing employee training, and more. Overall, the specialist may serve as a more cost-effective solution than training staff to perform compliance maintenance.

Conclusion

The time for initial HIPAA compliance adjustment has passed. As OCR actively seeks to shore up holes in healthcare organizations of all sizes, complacency is no longer an option for ophthalmic businesses, especially considering the increasingly harsh and more frequent consequences of noncompliance. It is time to become proactive versus reactive. It is time for ophthalmic businesses to do their research, or to consult those who already have, to find out how the combined benefits of HIPAA software and a compliance specialist could prevent crippling penalties and redirect time and energy back to caring for patients.

For those looking for additional resources, the Complete HIPAA Compliance Plan and Guide 2013 is available for members to purchase in the American Society of Ophthalmic Administrators (ASOA) Bookstore. Visit members.asoa.org/core/store for more information.

About the authors

Mr. Gallagher is director of information technology services at Medical Consulting Group. He can be contacted at bgallagher@medcgroup.com.

Mr. Fick is compliancy implementation specialist at Medical Consulting Group. He can be contacted at bfick@medcgroup.com.

Mr. Rabourn is client development specialist at Medical Consulting Group. He can be contacted at trabourn@medcgroup.com.