NueMD, a provider of cloud-based practice management software for small medical practices, finds that many healthcare organizations are struggling to comply with the strengthened regulations of the Health Insurance Portability and Accountability Act (HIPAA).

In an effort to determine how small practices and billing organizations are coping, NueMD partnered with Porter Research and the Daniel Brown Law Group to produce a report, and the results are eye-opening and somewhat shocking.

NueMD surveyed practices and billing companies in all 50 states; most of the practices were small and made up of one to three providers. After collecting responses from some 1,200 healthcare professionals, the survey found that:

  • The majority (66 percent) of respondents were unaware of coming HIPAA audits
  • 35 percent of respondents said their business has conducted a HIPAA-required risk analysis
  • 34 percent of owners, managers and practice administrators reported that they were "very confident" that their electronic devices that contain PHI were HIPAA compliant
  • Less than one quarter (24 percent) of managers, owners and practice administrators reported that they've evaluated all of their business associate agreements — the very business partners processing private and protected patient data
  • 56 percent of office staff and (nonowner) care providers at practices said they've received HIPAA training in the last year

"Understanding HIPAA can be difficult for practices and billing companies, especially if they're already scrambling to keep up with changes like ICD-10 and meaningful use," Caleb Clarke, sales and marketing director at NueMD, said in a statement. "With audits looming, we wanted to get a sense of where the industry stands and provide resources to help those who may be struggling."

HIPAA is one of the primary government regulations affecting nearly every facet of every healthcare organization every day. Since 1996, the law has set out policies to protect sensitive patient data and penalties for those who don't comply, essentially giving patients a measure of assurance that their data will not be freely exposed to the world.

Making matters possibly worse for practices unaware of recent HIPAA updates is that, under the HITECH Act, several changes now affect both covered entities and business associates. With that expanded scope, enforcement actions over breaches are occurring, or will occur, more frequently. HITECH also incentivizes more aggressive pursuit of HIPAA enforcement, which means audits are expected to be ongoing and quite regular.

Training staff on the importance of HIPAA is a high priority, the survey finds. Training should be conducted at least once a year to make sure everybody is on the same page, NueMD suggests. Everyone should know how HIPAA affects their day-to-day work, and they should know how to respond quickly and appropriately to security breaches.

Only 62 percent of owners, managers and administrators said their business provided annual HIPAA training. Of those, only 65 percent said they have proof.

As for responding to incidents, HIPAA security and privacy officers in practices are responsible for answering questions and complaints. They also make sure problems and breaches are dealt with appropriately. Appointing these officers is a critical part of developing a strong compliance plan. When owners, managers and administrators were asked whether their business has formally appointed these officers:

  • 56 percent said they had a security officer
  • 55 percent said they had appointed a privacy officer

When asked if office staff and (nonowner) care providers knew the name and contact information of their practice's HIPAA officers:

  • 54 percent said they had their security officer's contact info
  • 58 percent said they had their privacy officer's contact info

Regarding the use of mobile devices, HIPAA requires covered entities to keep an inventory of all electronic devices that contain PHI, which should help identify potential risks and detect breaches.

When asked, 27 percent said they've cataloged between 76 percent and 100 percent of their devices. Another 27 percent reported that they haven't cataloged any, and 21 percent said they didn't know. But there appears to be a disconnect over who is accountable for ensuring those devices are HIPAA-compliant, even though patient information is being exchanged on them.

When asked how confident they were that their electronic devices were HIPAA-compliant, 31 percent said they were "very confident," while 18 percent said they were "not confident at all."

Finally, when asked, "How confident are you that someone at your business is actively ensuring your business's compliance with HIPAA?", 38 percent said they were "very confident," 44 percent said they were "somewhat confident," and 19 percent reported "not confident at all."

"It's troubling to see that so many practices aren't participating in training programs for their staff," said Daniel Brown, managing shareholder at The Daniel Brown Law Group. "If an audit were to occur at that particular practice, one of the biggest red flags is that the staff is unaware of the HIPAA compliance plan and what their role is in it."