Achieving Compliance: How to Prepare for a HIPAA Audit

Join Jason Karn of Total HIPAA Compliance and Dan Brown of Taylor English as they discuss the steps it takes to prepare for a HIPAA audit in this informative webinar. 

The upcoming webinars in this series will cover Updating Your Plan & Training Your Staff, Electronic Devices in Your Practice, tips for Preventing a Security Breach, and how to Respond to a Security Breach if one occurs. 





HIPAA Resources



Q: What is the difference (if any) for compliance between HIPAA and PHI?

A: PHI is not a regulation. It stands for Protected Health Information and is, most simply put, any personally identifying information about an individual’s health that can possibly be shared with others. This can be a piece of paper or an electronic file. It can be shared via a handwritten letter, email, or word of mouth. It is all considered PHI. HIPAA is the set of government rules to prevent outside access to PHI. In order for a business to be compliant with HIPAA, all PHI must be properly maintained.

Q: Doesn't HIPAA apply solely to electronic transactions? If we take paper charts to satellite locations, do we need to log those charts in and out?

A: HIPAA is not limited to electronic transactions; it is a much broader set of guidelines. HIPAA applies to ALL types of PHI and ALL methods of communicating that information. If the charts contain personally identifying health information, they’re under the umbrella of HIPAA, and should be maintained accordingly.

Q: How often do you need to update a business agreement?

A: BAAs only need updating after a change in regulation. The last major changes came with the Omnibus Rule in 2013. As long as your BAAs have been updated since that time, and no terms have expired, you should be good to go.

Q: Would a landlord with keys be considered a Business Associate?

A: Not in most cases. It depends on whether the landlord has access to Protected Health Information within the building. 

Q: How frequently do we need to do a Risk Assessment?

A: There are no specific requirements regarding frequency. However, HHS offers the following advice: “The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed.”

Q: Are there minimum password requirements defined by regulation or statute?

A: No, there are no specific requirements.



1. Introduction

Kevin McCarthy: Afternoon everyone, my name is Kevin McCarthy, we're really happy to have you here today. I'm a marketing specialist here at NueMD and we're excited to have our second HIPAA audits webinar series, first one for 2016. Really excited to have Jason Karn and Dan Brown back with us. Jason?

Jason Karn: Great, thank you so much. My name is Jason Karn, I'm, as you can see I'm the chief compliance officer over with Total HIPAA Compliance. We've been involved with creating and reviewing HIPAA compliance plans since 2003. We specialize in making the HIPAA compliance process easy and affordable for all of our clients. Personally, I've been involved in some really interesting plans, from both, you know we work with large companies and small companies in practices. Again, we try to make this as affordable and easy as possible. I'm going to pass over to Dan, he can introduce himself.

Dan Brown: Welcome everyone, my name is Dan Brown. I'm an attorney in Atlanta, Georgia with Taylor English Duma LLP. I've been specializing in health care law for about 25-28 years and been heavily involved in helping our clients create their HIPAA compliance plans. Working with all the chief officers in going through their HIPAA compliance plans and representing those providers who have breach situations. Which, they really kind of come about in a much more significant way just in the last couple of years.


2. Housekeeping

Dan Brown: You know and the housekeeping, Jason already did that, you know, we're not your lawyers. You know we're going to talk about some general legal principles, however, you can't rely on that as legal advice, but we're going to give you, I think, a pretty good overview of what you need to know about privacy plans and how to help protect yourself. I think there's some questions that come up later on and you can ask then. Jason, I'm going to go ahead and throw it to you and let you talk a bit about HIPAA audits and what's going on in that area.


3. HIPAA Audits

Jason Karn: Great. Thank you Dan. The HIPAA audits are starting up again. This is the Phase Two HIPAA audits. In this past year, FCI Federal, that's Frank, Charlie, and I Federal was awarded a one million dollar contract to start conducting these audits. These teams are going to be covering our hospitals, our covered entities, which is what you guys are, and business associates. Those would be any IT companies you work with, that could be contractors, that could be lawyers, accountants, billing companies. Those are people that are going to start being reviewed by these audits.

The main focus with this, and this is different from what we saw last time. Last time it was mainly in person audits that were happening. We're going to see desk audits and these are basically you're going to have to send your plan in and you'll have somewhere between 10 to 14 days to respond to a request to see your HIPAA compliance plan. What are they going to be looking for?

Dan Brown: They're going to be looking for your current compliance plan and this is a new thing, this is actually a direct quote from Jocelyn Samuels, who's now the director of HHS and she states that audits will not only address current issues, but also will address historical compliance dates around HIPAA rules.

Meaning organizations that have only recently come up to HIPAA compliance could be held responsible for deficiencies in their past efforts and that's really interesting and a little bit scary for a lot of people, because if you don't have a history of having compliance, then you could be subject to fines even if you started today. Say if you've been in practice for a long period of time, so not saying that you should just throw up your hands and not do anything about it, but it is now time that you basically need to get in compliance and need to start being compliant going forward and keeping records of when you're updating your policies and procedures for providers.


4. 2016 HIPAA Survey

Jason Karn: Dan, I'm going to pass to you on the industry survey.

Dan Brown: Yeah. Thanks, Jason. It's pretty darn scary about the scope of the audits. If they're going to be looking at our past acts, we really can't take any steps to remediate that, to fix it, can we? It's just we're exposed. Let's talk a bit about why we're making this presentation today and just trying to be responsive to what's actually out there in the market. NueMD in 2014 performed a survey of several hundred covered entities, asking about how sensitive were the respondents to HIPAA. How much do they know about HIPAA? How far along to HIPAA compliance have they been? Back in 2014, it was hit or miss. I'll say that most of NueMD's polling data came from a smaller practice area. Not the big hospital systems, but more the smaller practices and ambulatory surgery centers and other healthcare facilities.

Back in 2014, it was surprising that a good portion, more than a majority, had not taken some basic HIPAA compliance steps. Just fast forward a couple years and NueMD went ahead and did a second follow up survey. This one again is pretty much skewed towards physicians and other medical practices, and pretty much small providers, 1 to 10 providers. Looked around, 900 respondents. Pretty good polling size. 60 percent of those polled in this year were found not to be aware of the pending audit. The notation said that something that is going to hit not only big hospital systems, not only business associates, but physician practitioners. I suppose if you're a member of the audit, what's the first thing you do? You've got to show them your privacy and security plan.

If we go to the next slide, we'll see that 30 percent of the respondents have not even created a plan. Assuming you got audited tomorrow, the first thing that you would have to do is send off a copy of your compliance plan. Well, these 30 folks wouldn't be able to comply with that simple request. Next slide, we'll see that an important part of each compliance plan under HIPAA is to appoint a privacy and security officer. You don't have a privacy and security officer appointed, your compliance plan is deficient and you could be subject to some penalties.

We see that more than half had not even done that. Even though it looks like 70 percent have created plans, maybe more than half aren't being compliant because they haven't taken this initial basic step. On the next slide, we'll see that a full 58 percent, more than the majority, actually do provide training. But that still leaves a large amount of folks who do need to go ahead and train their workforce on HIPAA requirements. Failure to provide that type of annual training means that our compliance plan is deficient and you're subject to some types of penalties.


5. Tips to Prepare for an Audit

Dan Brown: On the basis of where we are we can see that there are a lot of folks, at least in this poll, who although they are certainly aware of HIPAA had not taken the basic step to come into compliance, and therefore exposed should there ever be an audit or if there should ever be a complaint. What do we do to prepare for an audit?

When we prepare for an audit, the first thing we need to do is, and we have a couple of tips here, the first thing to do is obviously be prepared. Prepare and review your HIPAA compliance plan. Make sure you have one in place before you go. Two, obviously, train your staff each year. On the next slide we'll see that. That goes right to the kind of deficiencies that the poll described.


6. What's in a Privacy Plan?

Dan Brown: Let's stop and think a little bit about what's in that compliance plan. What's the purpose of the compliance plan? The purpose is to provide, adopt and enforce policies and procedures of your organization, to detect privacy and security errors with your protected health information, to resolve those errors. An initial source, an initial opportunity is for you to make an assessment of where those holes are, and then to provide in your plan remediation.

In other words, if you find a plan, a hole in your compliance plan, with letting data and information leak out, what have you done to fix those leaks, and if you have personnel who are not being compliant, what have you done to discipline those individuals. That's kind of all the goal here. The goal here is to have a working, living set of policies and procedures that's applicable to your practice situation. It does not have to be necessarily expensive, but it just has to be in existence and effective.


7. Privacy Plan Checklist

Dan Brown: Let's look at what's in a privacy plan. The first thing you want to do is, in order to protect and train, assign a privacy officer. It's something that the board governing body of your entity should do, and keep a record of it in your corporate minute book. Make sure you have a privacy officer. Their job is to enforce and train on the privacy rules. Conduct a risk assessment. This is very important. Failure to conduct your risk assessment at the beginning of the adoption of your plan means that your plan is deficient.

All this means is you need to go around, basically with a flashlight if necessary, and find all the holes where the data might leak out or where there's some problems. Do people take their data home at night? Or do you need some methodology to have a check-in and check-out policy? Find out where your data's going and how to address policies to track and monitor the type of data leak. Establish policies and procedures. Again, we'll look at your particular situation and adopt policies and procedures that are appropriate.

Now, business associate agreements. I'm sure all of you have business associate agreements with vendors who do services for you who share your data, a billing company for example. After 2013, certain new language needed to be in those business associate agreements. Take an analysis, have someone look at them and make sure that they're up to date. Provide notice of privacy practices obviously as you intake folks into your practice. Make sure that you have notice of privacy practices to your patients. It can be on the web, that's okay. If you update it just, you don't need to re-print it, you just need to update on your website.

Record your training activities. In other words, every year what you do, you're going to learn with your staff on privacy rules, make sure that you note that you had that training. Make sure that your employees sign a certificate saying, "I attended training." The training can be web based or it could be in person but we need to have a record that that training was actually done. That's the privacy part of the HIPAA Compliance Plan. There's also the security obligations which deal with how do we lock down data and make sure it doesn't creep out the door. Jason's going to talk a bit about that.


8. What's in a Security Plan?

Jason Karn: Great. Thank you so much, Dan. Yeah, a security plan. That's the second half of this. This is relatively new because we are moving towards and we are in a digital age, I guess I should say. We really have to start looking and saying, "What are we doing with electronic health records? How are we protecting that information? Where are our weak links in this whole process?" It's very important that you have a very thorough and laid out security plans, so you know what does work and what doesn't work. We always say to people when we're creating these security plans that this will evolve. You might make a policy and say, "We start with one policy and we find it doesn't work," and then we have to evolve and find another policy that will fill that bill for us.

The important thing is that you document this activity. If you don't have documentation on what you've done, if somebody says, "Oh, yeah. We have an idea," that's not being compliant. We run into that a lot with people and they say, "Yeah, we have an idea," especially when it comes to passwords. We say, "Yeah." We ask for tough passwords, but people really don't follow that. It's important that you have a documented policy and then you train your staff on what that policy is, so they know that every quarter they're going to be changing passwords, that passwords have to be at least 8 characters long, they have to have upper and lower case letters and at least one special character and then a couple of numbers. Whatever works for your systems is what you need to make sure you're documenting.


9. Security Plan Checklist

Jason Karn: What would you find in this security plan? Well, here's a little bit of idea the things, again, you need to have a security officer. Now, this doesn't need to be an expert on security. What this needs to be is somebody who is a good manager, who can understand what's happening with security, but really, if you have a lot of your smaller practices, you don't have an expert for IT who really understands security, but you need to have somebody on staff who will be able to keep track of what's going on. You really need to make sure you have a security officer who's on staff.

This shouldn't be an assistant, this should be somebody who's higher up in the hierarchy, because they're going to need to have the ability to sanction and change things. Now, you need to conduct the risk assessment, we talked about that in the privacy plan. It's very important in the security plan, because you're going to be looking at things like saying, "Okay, this is how we encrypt the emails. This is how we're taking care of any kind of electronic data." It's very, very important that you conduct a very thorough risk assessment.

Then, you need to establish these policies and procedures. This is your written plan on how everything's going to work. As part of that, you need to have a backup plan. It's required by HIPAA, the HIPAA security rule, to have a backup plan. You have to have a disaster recovery plan. How are you going to function if there's a tornado, an earthquake, a flood? How are you going to get that information and make sure that information is maintained? Is that stored in the cloud? Do you have it stored off site? How are you taking care of that information and how do you recover that?

Another important thing, and we run into a lot of times, is determining access levels. This is your receptionist doesn't need the same access that a doctor needs or that a nurse needs. You need to make sure that you've documented what those levels of access are, and that everybody knows, so that if there is something that looks weird, and you're saying, "Why was somebody in the front desk looking at somebody's health record when they weren't authorized to look at that?" Or beyond just simple registration. It really depends on how you delineate tasks within your practice.


10. What's in a Breach Plan?

Jason Karn: Moving on, another really important part is the breach plan, and this is required also. This is what you do in the case that there might actually be a breach of information. It happens to the best of us, somebody leaves a computer in a car and it gets broken into, that computer's not encrypted. Somebody gets a virus on their computer and that information is compromised. I know we saw one recently, there was a hospital out in L.A. that had ransomware that was put onto their computers. They don't think any information was stolen on that, but they're not really sure, because they didn't have control on that computer. They actually had to pay to get access to that computer, to get their systems back.


11. Breach Plan Checklist

Jason Karn: What is in your breach plan? Well, it's important that you establish procedures for identifying the breach. You need to know if there's unusual traffic. This is more your IT person to say, "Wait a second. Is there unusual traffic on our network? Are there multiple log-ins trying to happen and failures to log in, that somebody may be trying to do a forced attack on your system?" You need to have a step, "Here's how we're going to identify. This is what we're looking for." You need to outline steps for reporting that breach.

A breach, you don't want to just go out and say, "Okay, we had a breach. We were hacked. We had 250 patients, this information. We need to contact these patients." You want to make sure you have a very consistent plan on how you're going to contact them. At this point, it's really a good idea to contact your legal counsel to make sure they understand what has happened. Then they can inform you on what you need to ... How best to notify your patients, how those letters need to be worded. If you're going to be sending letters, if you're going to be sending emails.

Depending on the state and what your notice of privacy practices states, you may need to send this by first class mail. It's understanding all those steps and how you're going to report that breach. Then you also have to understand, as we said, the notification requirements. We call it the rule of 500. If it's under 500, you hold that until the end of the calendar year and then you have to report that to HHS at that time. If it's 500 and above, you have to notify HHS at a time within 60 days of knowing that this happened.

There are notification requirements that vary state to state. California is a state if you have over 500 people that are breached you have to send that notice of the breach to the State Attorney General for them to review. Some states require notification be in writing, some are okay with electronic. Some legal counsel that we spoke with, they've been very clear about stating, and you need to make sure you pass this by your legal counsel. Is if you're a state that requires a letter notification, you might be able to do it by, if you have the patient sign off on it, to do an email notification instead of having to send a letter. Because letters, if you have a lot of people that you need to notify, it can get very expensive, very quickly.


12. Responding to an Audit

Jason Karn: Responding to an audit. What happens if HHS comes calling, they say, "We need ..." They send you a letter, it looks like an IRS audit. They say, "We want to see your compliance plan." How do you respond to that? Well, as we said, you're going to have 10-14 business days to respond. This is not the time to say, "Oh, we forgot to do a compliance plan," or, "We haven't updated anything recently," because you're not going to have time to go back and make all those updates that you need, and within the 10-14 days and/or create a plan from scratch, if you haven't created a plan.

It's very important that you're on top of this. It's also very important only to supply the requested documentation. You don't want to try to over submit information, you don't want your auditor to have to sort through information, and you also don't want to give them more information than they requested because if they start digging they might find more items that they want to remediate. Only supply the requested items. Here's some of the things they'll ask for. The first and foremost, they'll ask for that risk assessment. This is probably your most important document they'll look for. They'll look for when the last time it was run, what you found, and was it thorough.

Now, what constitutes a thorough risk assessment? That means you've got it really broken down and gone through everything as much as you can. This is probably a good time to look for a third party for a template and/or hire a third party to come in. Make sure, if you do hire a third party ... We've run into this a couple times and we've gone back and cleaned up compliance plans for clients, in that they've hired companies to do risk assessments for them and they've come back with half a page of notes after doing six months of work.

A risk assessment should be very thorough. Our risk assessment runs about 300 questions. We really delve into what you guys are doing and then you get suggestions on what to do after that. Having policies and procedures. This is both privacy and security policies and procedures. This lays out what administrative things you're going to be doing, how you're dealing with physical records, and how you're dealing with electronic records. This also will contain how you do your breach notification. Business associate agreements, that's very important. Those are, as Dan said earlier, they should have been updated after September 23, 2013. If you have not updated those since 2013, you need to update those agreements with your business associates.

This is a great opportunity to ask to see any summaries of information that they ... On their compliance plans to make sure that they're training their folks. Because they are not going to be subject to these audits too. What we're seeing is business associates sometimes are the weak links in the chain that they're having the breaches. As we stated earlier, they're going to be looking for a history of HIPAA compliance. You don't necessarily have to keep the entire compliance plan that you had before but notating when you updated that plan it's probably not a bad idea to keep that previous compliance plan filed away. Keep it in an electronic file on your computer as previous plans.

With that being said, I'm going to pass that to Dan here and he's going to talk to us a little bit more about penalties for non-compliance.


13. Penalties for Noncompliance

Dan Brown: Thanks Jason. I appreciate that. Let's talk a bit about penalties for non-compliance. What are your risks out there for failure to comply? I get asked all the time. Folks will call me up and a patient or a family member of a patient will call and say "Oh my gosh! There's been a HIPAA violation. I went to the hospital and they told my mamma that I was pregnant and I didn't want her to know so we are going to sue the hospital, right?" Quite honestly the answer is no. HIPAA does not give individuals a private right of action to sue the person who screwed up the HIPAA obligations. You can't necessarily go out and sue the hospital or the physician practice for messing up under HIPAA. What you have to do is you have to report either to your state attorney general or to the Office of Civil Rights of the Department of Health and Human Services in Washington. The OCR, Office of Civil Rights, is charged with enforcing HIPAA. They are the ones who will actually do the investigations or someone they delegate that to. What penalties can a provider have, can the OCR stick onto a hospital or provider?

Basically, typically they are civil penalties, in other words it's just money. Just pay us a check. There's civil monetary penalties in not less than $100 per violation and that's at the lowest level. That's if you don't have any knowledge. $1000 for each violation due to reasonable cause. You probably knew what was going on and you let it happen. $10,000 for each violation for willful neglect that you correct within thirty days. In other words you actually find it because your compliance plan worked and someone brought it to your attention and you said "Oh, my gosh, we must correct." Then well, during the time we were in non-compliance and it was willfully we just ignored the compliance officer's warnings about what was going on, well that's $10,000 for each violation and each day can be a violation. There's $50,000 due to willful neglect that's not timely corrected. Also, if you sell protected health information, that's almost criminal. There is a limit of $1.5 million in the aggregate in every year. There's some real dollars here.

Let me give you a couple of examples. First one we'll talk about is Lincare and these examples just happened, came down within the last thirty five, forty days. Lincare, for those of you who might not know, is a national durable medical equipment supplier. They supply oxygen and CPAP masks and beds and all type of DME all over the country. I'm sure they are over a billion dollars in revenue I would expect. Their problem here arose out of basically a family spat. It cost them a lot. Fascinating instance. Lincare had a center in a small town in Arkansas. The wife of this couple worked for Lincare and it was her job to go out and deliver home medical equipment and set folks up on the equipment. Every day, looks like for a while she went to a person's home, she threw the information in the car and drove around and went home at night. Then according to the record, at least what the administrative law judge said, the marriage hit a rough spot. The wife ended up vacating the home which she shared with her husband and the husband was poking around one day and went inside the kitchen drawer and looked under the bed and sure enough, there's some notebooks there from his wife that had protected health information of 278 people.

What does he do? Does he call up his wife and say "Oh, it looks like you left these here, do you want them back?" No, he called the government and he said "Lookee here. My ex whom I'm not really fond of now clearly caused a HIPAA violation, so I want you to come and investigate." You know, they did. The Office of Civil Rights went and investigated and they basically over a course of a couple years, slammed Lincare for two things. They did not implement policies and procedures to safeguard their patients' records and they also failed to protect against disclosure to authorized persons. What does that mean? Basically, there should have been a policy that said every time you walk out of the building with some protected health information you need to check it out and you need to have it checked back in. Where is the policy at Lincare that has that in there? Oh, you don't have one? So sorry. You are in violation. $100 a day for every single day that you were not in compliance. What else did you do wrong? You permitted the wife to give access to our patient information in the car and under the mattress. You permitted her to give you that access to that non-authorized person. You know what we're going to do. It's going to be $100 a day that you messed up that policy and procedure.

They added it all up. It came out to be $239,000. Lincare appealed. The administrative law judge said so sorry, your policies and procedures did not address these issues of having data going in and out of your office and it did not address keeping the information out of the hands of the husband. Please pay, Lincare. Lincare kind of got dinged on that.

The next case is a much smaller company. We're not talking about a billion dollar company. This is a little physical therapy company over in Los Angeles. The fines aren't as big, but what they did was pretty dopey I think. In essence, on their website, as a marketing tool, they put patient testimonials on their website and photographs of the patients and what a great place this physical therapy is. Unfortunately, they did not get a proper HIPAA authorized disclosure from the patients before posting the pictures and information and testimonials on the web. Again, the Office of Civil Rights got notice of this. There it is. It's on the website, go to it. And they ended up fining the physical therapy practice $25,000 for failure to have policies and proper disclosure of information.

You can see, big or small, your wallet is at risk for not having a compliance plan, not following the rules and making sure that you have these plans and these practices in place. What's it going to cost you guys in time and effort to get compliance? Jason why don't you help us out there?


14. How Long Does It Take to Achieve Compliance?

Jason Karn: Okay, great, thank you so much Dan. Yeah, so what does it take? What does it roughly take? Well we've been doing compliance plans, as I said, since 2003, we've been training, we have online training and running people through this. We have two different ways of doing this. You can either do it yourself or you can hire a company to do it for you. When you do it yourself, we find that it takes roughly about 40 to 50 man hours to do it. This depends on what tools you have. This includes doing a thorough risk assessment, creating privacy and security policies and procedures, provided that you have a template to work with.

I wouldn't recommend doing this from scratch and I would not recommend necessarily hiring somebody to create something like this from scratch. There are some great templates out there, I think will give you a structure to work with. Also, this means reviewing compliance plans from your business associates and training, which is really important. Training, again, needs to not only be on the law in general but also needs to be on your specific practices, policies and procedures and you need to make sure you're maintaining those records of training.

Dan and I had a really interesting discussion yesterday about what the costs are if you don't go through with this compliance plan and creating this, going through this process, because when you think about the number of hours and what this can cost you as far as out of pocket, you can be prepared for this, vs what it costs you after the fact, after the horse is out of the barn and you're trying to get it back in. We did sort of an exercise yesterday thinking about what it would take if a small practice, say with 600 patients, had a laptop that was stolen.

They had no encryption on that laptop and they're looking to say, okay we need to contact all 600 patients whose data was on this laptop, what it would take to make sure we remediate that and we came up with a figure at about $15,000 to $20,000, to fix that problem. That includes getting a lawyer involved, doing those proper notifications and that doesn't take into account the loss of trust that comes with not having a policy that will protect those patients. There are many patients that have stated that they wouldn't come back to a health care provider that has had a breach of this and you look at that and you can understand, because a physician's job is not just to treat a patient, it's also a position of trust.

It's really something that, I think, something to think about is your job is to protect that information as well as protect the patients. That brings us to the end of our presentation here and I think we're going to open up the floor to some questions here. Before we get started, I just want to bring to everybody's attention that joining us here on this webinar today, we do, Total HIPAA here is offering a ten percent discount off of all of our products and services. This is what we do specialize in, Dan I don't know if you want to throw out a little plug there for your services?

Dan Brown: I'm a lawyer. Yeah, I mean, we help our clients big and small in all their health care needs, to the extent we're, I think we're a reasonably priced firm for the expertise that we bring and obviously each situation is different. We're here and we've enjoyed working with NueMD and Jason and Total HIPAA on these programs.


15. Q&A

Jason Karn: We're going to start with how do you choose a privacy or security officer? I spoke a little bit about this earlier, but I think it's really important that you have somebody who is a higher level, you want a management level person. If that's the office manager, that's great, but it has to be somebody who can sanction employees. You don't want to make it a front desk employee that has no power to say to a nurse or to even another physician, "Hey, you need to be quiet when you're speaking about patients in the hallway." They need to have that authority and that power. Dan, do you have anything you want to add to that?

Dan Brown: It really depends on the size of the organization. If it's a smaller organization, maybe it's the HR person. You want someone, as you said, who's fairly up in the organization, someone who can get the ear of the CEO, COO, and to make sure that there's some disciplinary action taken, real action taken if, or folks who fail to follow the plan.


Jason Karn: Next question is along those same lines. Can the same person be both the privacy and security officer? The answer to that is yes. Especially in a small practice, you will find that the privacy and security officer is the same person. There's no need, there's nothing, no law that says that they have to be separate people. Again, as long as they are of a management level, higher up in the organization. Then yes they can be both. One person can fulfill both of those.


Jason Karn: What is the estimated cost of completing a HIPAA compliance plan? Our standpoints, we have two different plans that, we have a do it yourself plan that the compliance documents run $495. That gives you both policies and procedures. It gives you a risk assessment tool to work with. There's also a business associate agreement in there and numerous logs for maintaining information. Releases of information forms show that when you're dealing with patients that ask for release of records, that they can request that.

We do have what we call turnkey solutions, where we can help take some of that 40 to 50 hour time off of your hands, that burden away from you and develop the plan for you. Those start at about $2,500, depending on the size of your practice. For a lot of people, they like to go that route because for a 10 to 20 person practice, they don't have a person that can dedicate to, they can give up 40 to 50 hours to put this plan in place.

Dan Brown: That's a good overview from our side, from the legal side. We can do all those activities as well but because of our cost structure, we cost a little bit more and you don't need to have a lawyer do it. Many times as the compliance plan is being drafted, you may trip up on some kind of hairy legal issues and that's where, I think, the legal spends better, better spent, looking at some of those particular issues as they're, not just HIPAA but maybe a STARK or anti-kickback or some other type of issue coming into play. That's kind of where I see our role in that, but I certainly have done HIPAA compliance plans and training with clients in the past.


Jason Karn: Kevin, I think you had a couple more questions for us that had come through?

Kevin McCarthy: Yeah, we do. First one is, "We do outpatient physical, occupational and speech therapy in an office setting. Our director states that we are not required to have a compliance plan in force right now. Is there any truth to this?"

Jason Karn: Absolutely not. You have to have a compliance plan in place, because you're dealing with PHI, regardless of whether it's inpatient or outpatient, you have to have a compliance plan in place. Dan, you agree?

Dan Brown: Yeah. All persons who are covered entities, and now, business associates who use or disclose protected health information, in any form, are going to be covered by the privacy and security rules. We have to assume that any time that a health care provider is providing services, they're transmitting information under the HIPAA code sets, which is part of the definition of a covered entity.

If the health care provider is providing health care and transmitting information using the HIPAA codes, yeah, no matter how small you are, or how big you are, or if you're inpatient/outpatient, you're going to be a covered entity, and you're going to be covered by the HIPAA laws.


Kevin McCarthy: Okay, we've got another one. This one says, "As a privacy officer, once I leave my place of employment, how long does my personal liability last?"

Dan Brown: I'll take this. Well, first of all, let's talk about personal liability. As an employee, you may have some personal liability as a risk management function. I assume that your place of business has obtained some HIPAA insurance. It's out there, believe it or not. Some of these people who I've talked about are working through their insurers to make sure that they get covered by their HIPAA lapse coverage. When you leave, your obligation to maintain the confidentiality of your employer's protected health information and other confidential information very likely follows you, probably for a very long time.

I would suggest that, I don't know if there's an exact statute of limitations. My recommendation is that you maintain the confidentiality of all the information that you've got under your control when you leave. After you leave, and you don't do anything wrong, the screw up of your successor or the company under someone else should not follow you throughout your life.

Jason Karn: The only statute that I know of is the statute for releasing information posthumously. It's fifty years after somebody has died, then that information becomes public record.


Kevin McCarthy: All right, I've got another question for you. Do billing companies need to have their own written notice of privacy practices that applies to the billing company itself?

Dan Brown: A billing company is a business associate. After 2013, business associates became primarily liable to comply with pretty much all of the HIPAA privacy and security regulations, but not all of them. One that a business associate does not have to comply with is having a notice of privacy practices for basically ... I guess the only notice that's really due at that point would be the physician practice or hospital that you're working for. You're going to just give it to the doctor.

Jason Karn: No, my understanding is that a business associate, if that's all they are, does not have to provide a notice of privacy practices under the HIPAA privacy reg. They do have to abide by everything else, though, or pretty much everything else, including having a compliance plan and doing a risk assessment and all that type of stuff.


Kevin McCarthy: Okay, we've got another one, Dan I think you mentioned or you spoke about this briefly earlier, doesn't HIPAA apply solely to electronic transactions? If we take paper charts to satellite locations, should we log those charts in and out?

Dan Brown: The answer is, HIPAA privacy and security rules, the HIPAA privacy rules apply to, if you're a covered entity and HIPAA applies then HIPAA applies to all communications oral, written, paper or electronic that contains protected health information. The fact that it might be in paper form does not excuse a covered entity from complying with the HIPAA privacy regulations. If part of the privacy regulation and policy is to check out the information in a paper file when it walks out the door, then, or a file as it walks out the door, then it does apply regardless if it's, whether or not it's electronic or paper.

Jason Karn: Right, I would go on to caution them, if they aren't logging those files right now, that they start logging those files when they leave the office. Who's got them, when they're returned, that would be a very important set of logs to maintain for a covered entity.


Kevin McCarthy: Is there a documentation that vendors such as a cleaning crew should sign off on before getting access to the office?

Jason Karn: Yes. Now, a cleaning crew actually is not considered a business associate according to the HIPAA laws. Cleaning crew, really, now you do need to be careful that a cleaning crew ... You are hiring a cleaning crew that you know, you trust, that is bonded, is insured, and whatnot, but by and large ... That you're actually filing records away. Now I know a lot of places have open record areas, so that's impossible to restrict that access, but if you can restrict that access, that would be an important security measure.

As far as other items that a business associate needs to sign off on, that would be your business associate agreement. That would be both parties need to read that and then you just sign off, so it needs to be countersigned, so you would both keep a record of that agreement. Dan?

Dan Brown: Yeah, I absolutely agree, but to be clear, a cleaning service in and of itself is not a business associate and does not need a business associate agreement. The obligation is on the covered entity of the practice to make sure that there's not plain sight records open all the time everywhere.


Kevin McCarthy: The final question is, I think probably for Jason. Can you suggest a firm that is best to help setting up HIPAA compliance plans and is there a website we can visit to view templates and a possible turnkey solution?

Jason Karn: Well sure, I would recommend our site. We have compliance plans as I said earlier. We have both do it yourself and turnkey solutions. We can help. We can help either do hybrid situations also, where we can give you the templates and you can purchase blocks of time with us for consulting. But yes, we'll go through, do your risk assessment. We can create those policies and procedures for you, you can find this at, and make sure you're spelling it If you use the plan 10 with us we'll give you a 10% discount as a NueMD associate and customer.

Kevin McCarthy: I think that's going to do it, thank you so much everyone for attending today. Thank you to Dan and Jason for being here. We look forward to having you at the next one.

Jason Karn: Thank you.

Dan Brown: Thank you so much.



We appreciate your interest and know that maintaining compliance with HIPAA can be a big task. If you're still a bit behind schedule, our partners at Total HIPAA Compliance provide expert HIPAA compliance training and consultation.