The pressures on healthcare businesses to live up to and comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are sometimes viewed as technical and defensive in nature: follow simple rules in-house using physical documents and patient authorizations and hope for the best. The portability aspect of HIPAA and increasingly better-defined security standards create more challenges and potential for costly breaches. The enforcement focus of the Office of Civil Rights (OCR) is just as much on portability and security, or how forms and documents are stored and transferred, as their rote usage in-house. Below, we will discuss five benefits of using common electronic HIPAA compliance forms to help with simplifying security and portability, streamlining business, and limiting practice risk.
But first, let's step back and establish why the migration from paper-based to electronic HIPAA compliance forms has become increasingly important to achieving and maintaining HIPAA compliance.
As HHS summarizes, "Sections 261 through 264 of HIPAA require the Secretary of HHS to publicize standards for the electronic exchange, privacy, and security of health information. Collectively these are known as the Administrative Simplification provisions." The HHS thus recognizes that even as electronic health data was and is inevitable and potentially a great advantage to consumers' choices and power, it creates questions about how that data is used. (See our HIPAA Compliance Checklist & Guide for a refresher on HIPAA compliance for healthcare providers).
Still, many small or medium-sized healthcare practices continue to use paper health records and forms. What these businesses may consider the hallmark HIPAA compliance forms are still the paper notice of privacy practices (NPP) to be shared with all first-time patients and authorization forms for personal health information (PHI) to be shared with third parties in ways beyond the scope of providing basic care.
Complicating matters, though, is that HIPAA compliance for healthcare providers continues to become more complex. Consider the following:
- The HHS upped the ante on the Security Rule in the Health Information Technology for Economic and Clinical Health Act (HITECH) Act signed into law in 2009. According to Becker's Hospital Review, "The HITECH Act's Breach Notification Rule requires each contracting party to conduct a risk assessment and provide assurances that they are compliant with the expanded HIPAA Privacy and Security Rules. In 2010, the Office for Civil Rights, building upon on the standards set forth by the National Institute of Standards and Technology, released guidance on HIPAA's risk analysis requirements." HITECH also incentivized healthcare practices to use electronic health records to increase efficiency and portability. Finally, it permitted the OCR to audit and punish noncompliance more aggressively.
- The Omnibus rule passed in 2013 further specific a patient's right to electronic PHI, broadened the definition of business associates with whom healthcare organizations must maintain HIPAA agreements, and required updates to NPPs.
- On Dec. 10, 2020, HHS Secretary Azar announced proposed plans to pass another rule to affect ease of patient access to PHI and boost information-sharing and case management across the care continuum, among other purposes. Practices will also want to note the proposed provision calling for the "Shortening covered entities' required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days."
Here is an actionable translation of the above information: Be able to share your HIPAA compliance forms quickly (NPP, authorizations, intake records, BA agreements, etc.) and store them in a controlled way that can easily verify security risk assessment measures are being acted upon — electronically.
Now let's examine five of the benefits of electronic HIPAA compliance forms.
1. Consolidate Administrative Burden
Small-to-midsize practices cannot afford inefficiencies of having some records in paper, some on disc that need to be reviewed and destroyed, faxed and printed records, and hand-filled requests and intake documents. The HIPAA Security Rule has stringent standards for safeguarding information — technical, physical and administrative. Consolidating all forms and documents to an electronic system limits liability. A dermatology practice was once penalized $150,000 due to a lost flash drive that not only contained the PHI of their patients but was also unencrypted.
E-forms are permissible for notice of privacy practices receipt with e-signature, business associate agreements (BAAs), patient authorizations, intake and health insurance information from outside entities, and more. In addition, electronic forms can be more easily searched, reorganized, and deleted.
2. Reduce Potential for Form Loss
Did the new patient consent to sharing their PHI as detailed in the NPP? If they neglected to sign, was it recorded that they saw this notice? An e-form can account for this. Did a patient fill out all necessary information so that duplicates did not have to be created and re-filed? E-forms can make sure that patients complete required sections before submission. Was the new BAA mailed or faxed? Is someone now keeping up with its status? The benefits of going electronic with forms is not realized unless all forms are uniformly kept digitally so that routines and software can support and enforce accuracy.
3. Improve Portability
You may need to review information about your vendors to determine if they fall under covered entities as business associates in light of the Omnibus Rule. Can you easily find out which entities have signed a BAA and returned it to you? If not, expect a fine — potentially a rather substantial one.
Patient access is a major aim of HIPAA legislation. Healthcare providers can be punished for not processing releases and making PHI available upon request. In fact, the first monetary penalty issued by the OCR in 2011 was a $4.3 million fine to a Maryland entity for denying 43 patients timely access to their medical records and a lack of cooperation in the investigation.
With the December 2020 proposal that the 30-day limit for delivering PHI to patients be shortened to 15 days, speed for transfer is becoming even more imperative. Electronic forms are the solution for improving in this regard.
4. Prevent, Identify, Report Breaches
Maintaining electronic HIPAA compliance forms helps make breaches easier to prevent by controlling access to forms, requiring authentication, and producing login records and reports. Most of all, the use of electronic forms mitigates the human errors associated with physical forms.
Breaches can happen for a wide variety of reasons, some of which may be out of your control. After all, cybercriminals have sophisticated and ever-evolving attack methods. Nonetheless, the better your forms and PHI are monitored, the more likely you are to catch and report a breach to OCR before it does significant damage and raises potential consequences.
Note: When migrating forms online, your practice will need to identify and protect remote access points from cyberattacks. Read more on the issue here.
5. Third-Party Partner Can Better Support Compliance
The hundreds of pages of HIPAA and related laws can feel overwhelming. By partnering with a knowledgeable IT specialist knowledgeable in HIPAA compliance for healthcare providers and providing this partner with access to your electronic forms and other documentation, you can receive help with compliance checks, training staff in best electronic practices, and responding to weaknesses found in risk assessments, among other benefits. Such third-party support can help practices achieve and maintain HIPAA compliance and allow more focus on caregiving. Take advantage of this free HIPAA assessment to gain a better understanding of your potential risks and opportunities for improvement.
