It’s not something anyone wants to admit. Being unprepared, that is.
Especially when it could put patient information at risk, incur enormous fines, and perhaps result in legal fallout and loss of credibility in the community. But many clinics and hospitals are in the same situation—and perhaps could use some help.
For obvious reasons, one such physician-owned family-medicine clinic in the Northwest didn’t want to be named. Like many organizations these days, this clinic’s busy staff had many roles and responsibilities. And like all healthcare providers and their business partners, it had to follow the vast, complicated security and privacy rules of HIPAA (the Health Insurance Portability and Accountability Act), the federal law that protects patient information in any form, but especially medical and financial information. But the clinic’s staff, already stretched thin, didn’t have the time or resources to develop deep expertise in HIPAA rules, or to create documentation from scratch. (After all, some large health organizations employ full-time HIPAA compliance officers to tackle that gargantuan task.)
Nonetheless, the clinic’s physician owners knew they had to do a HIPAA Security Risk Analysis. (This is expected to be done annually, in case an organization is audited by Health and Human Services’ Office for Civil Rights (OCR), which enforces HIPAA.) The owners knew all too well that “medical clinics may never truly appreciate the risk of a devastating HIPAA security audit until it is too late,” as one of the physicians said to his colleagues. They were determined to ensure that wouldn’t happen to them.
A healthcare consulting firm advised them to use Medcurity, a cloud-based HIPAA tools and resources platform (found at medcurity.com) that guides clinics and hospitals and their business associates through their annual HIPAA Security Risk Analysis. The platform provides recommended remedial actions and action-item tracking via dashboards, as well as customizable policies and procedures and Business Associate Agreement (BAA) management through electronic signature.
“We see stories like this nearly every day,” says Joe Gellatly, CEO and co-founder of Medcurity. “The privacy and security requirements can be overwhelming for a practice. At the same time, the risks are very significant for them.”
“Our platform gives them a place to start,” says Amanda Hepper, Medcurity’s president and co-founder. “Customers tell us that our platform makes the compliance journey process less intimidating, and they are actually excited about having tools to help them improve and track their progress.”
When the clinic teamed up with Medcurity, many HIPAA-required policies had not been created or implemented yet. Some necessary security procedures were in place but not documented, leaving the clinic at risk of a failed audit. Other security procedures were not yet implemented, as the clinic did not have employees or contractors with expertise in these requirements.
Previous security-risk assessments had been limited to simple spreadsheets or tools that generated basic pass/fail answers. These assessments did not provide any clarity or recommendations for the practice. Despite the work they had done to complete previous Security Risk Analyses and draft initial policies, the clinic was still vulnerable.
Two weeks later, the clinic completed their Security Risk Analysis via Medcurity’s online software, with guidance from one of the company’s representatives.
The explanations and citations provided helped clarify the questions and related requirements for the clinic’s team. They were relieved to learn that Medcurity also included a policy builder that could help them quickly create customized policies and procedures.
As soon as the Security Risk Analysis was completed within the Medcurity tool, an audit-ready, comprehensive report was automatically generated for the clinic.
The clinic staff then created several of the required policies using the smart policy builder. They are now using the dashboard and action items to collaborate and track their continued progress.
As part of their subscription, they have access to a support team for any questions that may arise during the year after this Security Risk Analysis.
The clinic plans to use Medcurity again for their next annual analysis. They’ll be able to pull the previous analysis and update it with any changes they’ve made, and the practice is now better protected from breaches and associated penalties. Their staff has access to clear and appropriate policies for protecting patient information. What’s more, the physician owners can now attest with confidence that they meet the required measures in the Merit-based Incentive Payment System (MIPS), in order to maximize their Medicare payments.
“Medcurity was created by a tightly focused group of experts, and their reps can skillfully navigate the chaotic waters of information security,” one of the physician owners says. “We highly recommend Medcurity as a resource and partner. They can assist with security risk analyses to prevent investigation and limit damage, should the unthinkable occur.”
He adds, “Medcurity allows us to focus on what we really care about, which is providing outstanding medical care for our patients.”