After completing my last exam, I began a nostalgic walk through campus (Go Buckeyes!) to pick up my cap and gown from the bookstore. I was starting the final week of my internship at Itentive Healthcare Solutions before immersing myself in the professional healthcare world. As I was about to cross to High Street, I watched a fellow Ohio State student walk across the street in between the gap of cars; I was about to follow her lead, tired of staring at the red hand in the crosswalk across the street, when I saw a police car turn on their flashers and pull up beside her. I watched her get a jaywalking ticket, and firmly kept my feet planted on the sidewalk as a result. When it was finally time to cross I couldn’t shake the parallel of the jaywalking ticket to a HIPAA audit. What can I say, as a health information management graduate HIPAA is on my mind all the time!
The number of jaywalking tickets issued to pedestrians has skyrocketed over the past year, and even the thought of it can make most OSU students cringe. Similarly the phrase “HIPAA audits” could make almost any healthcare professional blanch.
While it’s true a jaywalking ticket is something most of us would look back on in a few years and laugh about, the Office of Civil Rights (OCR) has proved that it is certainly not joking around when it comes to HIPAA compliance. Earlier this year, Raleigh Orthopaedic Clinic in North Carolina was forced to make a $750,000 monetary settlement because they failed to execute a business associate agreement before handing over their patients’ PHI to a potential business partner. New York Presbyterian Hospital also agreed to pay the OCR $2.2 million after allowing unauthorized filming of patients, and the Feinstein Institute for Medical Research in New York made a $3.9 million settlement for the improper disclosure of PHI. Clearly, there is a high cost for non-compliance with HIPAA.
So the question I pose to you all is, as stakeholders in the healthcare industry who are well aware of the penalty associated with these HIPAA audits: do we see the advantage?
When I saw my fellow classmate getting a jaywalking ticket, I wondered if handing out jaywalking tickets to poor college students is just a revenue opportunity for the campus police force or if it is actually supporting the safety of pedestrians on campus. Likewise, I find myself questioning if these audits are just another bureaucratic government requirement or if they are actually benefitting physicians and more importantly patients.
After all, this year alone has had more patient breeches than any before it, so why would anyone believe HIPAA audits are a worthwhile enforcement technique upon which many government dollars will be spent?
Well as a result of the increased number of breaches, the OCR has started Phase 2 of HIPAA audits and released a new audit protocol. Phase 2 covers a larger and more diverse pool of organizations. The OCR has also added business associates to the pool of possible auditees so that everyone in compliance with HIPAA has an equal chance of being audited.
While healthcare facilities will most likely not be jumping for joy upon hearing news that their facility will be audited, it is important to consider the benefit to the patient. Protecting patient health information is a top priority in the healthcare industry today. Patients can feel safer knowing that these audits are occurring and measures are being taken to ensure the safety of their personal information. In the end, patient safety always comes first and these new HIPAA audits are on the right track to ensuring this.
Just as the end goal of a HIPAA audit is to prevent a breach where a patient’s information could be compromised, the purpose of these jaywalking tickets truly is to keep the student population safe. While I realize no student is going to hug the police officer that just handed them a ticket for their efforts to keep them safe, it will cause the student to think twice before stepping off the sidewalk again. Most likely that undergraduate, and myself as a witness, will walk to the corner and use the crosswalk. The same can be said after an audit, that facility and those who heard about it will avoid cutting corners when it comes to patient security.
So, while in the minds of many it may not be crystal clear how this tactic of negative reinforcement in the form of severe financial penalties for non-compliance are protecting patient information, one thing is very clear – if you are subject to HIPAA, you should be preparing to get audited.
- Carly Hogan, Spring Intern at Itentive Healthcare Solutions