HME: Not so hip on HIPAA?

‘The No. 1 focus of audits is the security and risk assessment, which is woefully missing in this industry’
Friday, October 13, 2017

ATLANTA – Industry consultants report a number of HIPAA-related audits making the rounds in the HME industry and, the best they can tell, providers, for the most part, are not prepared for them.

The key elements of HIPAA compliance revolve around three safeguards, says Wayne van Halem: administrative (do you have policies and procedures in place, and do you perform training and education?); physical (where are you storing your physical records, and are they secure?); and technical (where are you storing your electronic records, and are they secure?).

“We know of two companies now that have gotten letters from the Office for Civil Rights (within the Department of Health and Human Services) requesting information on their HIPAA compliance program, specifically a copy of their security and risk assessment, which is something that HIPAA requires all providers to do at least on an annual basis,” said van Halem, president of The van Halem Group.

While a large majority of respondents to a recent HME Newspoll (77%) report they have a documented HIPAA compliance program in place, only a slight majority (56%) report it includes a written security and risk assessment.

Providers may be dedicated to protecting patient data in practice, but if their efforts aren’t in writing, they might as well not exist, says Tom Meadows, owner of HIPAAwise, which offers HIPAA compliance software and which has an agreement with The van Halem Group to combine their services.

“It’s one thing for providers to say they think about the risks and they talk about them in meetings—they need to document the key elements of the requirements,” he said. “The No. 1 focus of audits is the security and risk assessment, which is woefully missing in this industry.”

Documenting compliance may be a mundane process, but it’s an important one, say van Halem and Meadows, who readily tick off other things providers should be putting in writing, including when employee training takes place and how their business associate agreements protect patient data.

“We know of a company that didn’t have a business associate agreement in place for a subcontractor and was fined $30,000,” van Halem said.

While the HME industry is lucky in that cyber criminals don’t see HME records as being as valuable as, say, EHR records, HME records still often contain Social Security numbers and banking information, which is attractive data.

“That’s one reason why breaches, and audits, are increasing,” Meadows said.

The OCR has made a significant investment into an online portal that lists breaches—some 20,000 in the past five years, Meadows also notes.

“The audits started last year and they’ve only done 150 HME-type companies so far,” he said. “But I believe there are more to come.”