Provided by:  Jennifer Kirschenbaum, Esq.
Question:
Hi Jennifer
I love receiving your emails and advice.  Here is a question for you.
I was approached the other day by a company (specifically PCIHIPAA) which purportedly helps physicians check their HIPAA compliance.
The gentleman began with lots of scare tactics about HIPAA audits, fines, etc., and of course urged me to work with them to become "compliant."
My first reaction when confronted with this was to back off and do some research.  My question to you:  How does a HIPAA audit begin -- with a knock on the front door or with a letter from them?  And then, what are my rights to deal with any possible audit?
Many thanks
Dr. J
Answer: 
Happy and a healthy New Year to you! Thank you for the question, and warm feedback.  Yes, a whole new industry has popped up scaring the bejeezus out of any practitioner the vendors can get to listen - but is it scare tactics?  Partly yes, partly no.  HIPAA exposure is certainly a concern for all of us handling sensitive information - why?  Because enforcement is handled by an agency (Office for Civil Rights) tasked with investigating any complaint made, and now the agency has a mandate to fine for willful or neglectful offenses.  Typically HIPAA investigations or audits by OCR begin with a complaint from a patient or disgruntled employee.  You will be contacted by letter and at that stage should immediately have counsel engage.  Waiting until you are audited to deal with compliance is definitely the wrong move.  With HIPAA, an ounce of prevention is worth a pound of cure.  And, in my view, you have equal concern in putting your faith in a vendor not really experienced or competent in protecting you from exposure.  My advice - the best place to start is by educating yourself of where your areas of exposure may be, and then picking the right team to help you preventatively prepare your practice from exposure. 
Learning the basics for HIPAA protection is actually fairly easy - the government has created a checklist you can DIY - Do It Yourself - located at https://www.healthit.gov/providers-professionals/security-risk-assessment-tool (Security Risk Assessment Tool). This is the same tool I would use to review your exposure areas with you - except mine may be cut down a bit - the government did not weed out duplicate questions. For most practices, getting HIPAA compliant requires their IT person and lawyer.  A lot of the vendors out there are not lawyers or IT people, so what are they pushing?  Many I've seen presenting monthly payment methods and not much to show for it.  
With HIPAA compliance, there is a spectrum that the government recognizes - a small practice is not expected to pay the same amount on prevention as a hospital system - but every covered entity (doctor included) is expected to take privacy seriously and make a good faith effort to stay educated and protect against breach.  
Bear in mind, with HIPAA, it's not whether a patient's information was sent out erroneously, it's whether you have HIPAA compliance in place, and properly responded to the disclosure, that counts.  
To adopt proper HIPAA policies click here (not sure which you need, contact Jennifer at Jennifer@Kirschenbaumesq.com).  
Too busy to go through the Security Risk Assessment Tool with your staff and prefer we do it for you (yes, plenty of clients choose this option)? Contact Taryn at (516) 747-6700 x. 310 to discuss our availability for an in-office.  Please make sure your IT person or company is there for our in-office.
January 12, 2017