Going by the Book

Ring in the New Year With an Office Policies and Procedures Manual Makeover as Feds Plan a New Round of HIPAA Audits

 Texas Medicine Logo(1)

Practice Management Feature — January 2016

Tex Med. 2016;112(1):59-63.

By Joey Berlin

As good as tort reform was for Texas physicians, says Filiberto Rodriguez, MD, new threats have replaced medical liability lawsuits, and it's time doctors took notice.

"We tend not to get sued by patients anymore," said Dr. Rodriguez, a surgeon for RGV Cosmetic Surgery & Vein Care, located in Edinburg and Brownsville. "But the sad thing is, now, in the modern era of practicing medicine, you're more worried about getting audited by the federal government if you participate in Medicare than you are of getting sued."

Along with government audits, physician practices face threats such as a lawsuit from a disgruntled former employee intent on exploiting holes in a practice's policies and procedures (P&P) manual.

"You see billboards all over now: 'Are you working more than 40 hours? Are you not getting paid for it? Talk to us.' Now these attorneys have figured out there's no more money in suing doctors, but [there's] low-hanging fruit when it comes to coming after doctors for disgruntled employees, wrongful termination, [and] overtime work violations," Dr. Rodriguez said.

"That's the reality that I don't think a lot of physicians are aware of, and frankly, they just don't pay a lot of attention to their policies and procedures manual because they don't think it's important, and they're too busy with clinical medicine," he said.

If your policies and procedures manual is a generic handbook collecting dust on a bookshelf — a "plug-and-play solution," one U.S. Department of Health and Human Services (HHS) official calls it — a good New Year's resolution might be to give your manual a makeover. That's especially true because the HHS Office for Civil Rights (OCR) is kicking off 2016 with a new round of audits to measure medical practices' compliance with HIPAA security standards. For more information on the HIPAA Security Rule, visit HHS’ Security Rule Frequently Asked Questions page.

HIPAA Audits on the Way

In response to a September 2015 report by the HHS Office of Inspector General, OCR Director Jocelyn Samuels revealed the office would move forward with Phase 2 of its permanent HIPAA audit program early this year.

In Phase 2, Ms. Samuels wrote, the program would test the effectiveness of "the combination of desk reviews of policies as well as on-site reviews; it will target specific common areas of noncompliance; and it will include HIPAA business associates."

Deven McGraw, OCR's deputy director for health information privacy, said "desk audits" would be the focus of this phase of the program. OCR will ask the entities it audits, including medical practices, to send the office responses to questions about its policies and procedures. After evaluating the responses, Ms. McGraw said, only "a cross-section of entities" will receive an on-site audit. That's different from Phase 1, when OCR focused on in-person auditing. Also, Ms. McGraw says Phase 2's focus "on particular aspects" of the HIPAA rules will differ from Phase 1, when OCR focused on compliance with the act as a whole.

"We want to see what we learn from the evaluation of policies vs. going on site," Ms. McGraw said. "It is certainly much cheaper, but if it doesn't really yield much, we'll take that into consideration in terms of putting in place what the more permanent audit program looks like." 

Practices need to show OCR they have more than a "plug-and-play solution," or a set of paperwork policies created just to remove the P&P manual from the office to-do list, Ms. McGraw says.  She says practices need to engage in "mindful policymaking."

"What I think happens is that people purchase a set of policies or have some consultants develop them for them, and there's often not a whole lot of interaction between the people developing the policies and what's actually going on on the ground," she said. "And so the policies are often a mismatch to the way the office actually operates, and that's usually an indication that it was a check-the-box exercise. What we're looking for is something where thought's been put into it."

If you don't put thought into it, she cautions, you won't be well-prepared for an on-site audit.

"I think sometimes the lure of the easy way out leads you to the check-the-box solution," Ms. McGraw said. "And that's not going to serve you in good stead if I come knocking on your door." 

Common Mistakes

A failure to safeguard either hard-copy or electronic patient health information (ePHI) can bring a devastating price tag from the federal government.

Last August, for instance, OCR reached a $750,000 settlement with Cancer Care Group, a privately owned radiation oncology group with more than 20 facilities in central Indiana. A 2012 theft of a laptop bag from a Cancer Care employee's car resulted in compromised ePHI for more than 55,000 current and former patients, according to an OCR release. OCR's subsequent investigation found Cancer Care was in "widespread noncompliance" with the HIPAA Security Rule and didn't have specific written policies addressing the removal of ePHI from its facilities. Along with the $750,000 settlement, the group agreed to adopt a corrective action plan.

Houston attorney Lynn Sessions says while large hospital systems maintain huge compliance programs, many physician groups don't.

"You have perhaps a lack of an appreciation for how significant a HIPAA violation can be and what the physician's responsibilities are in reporting a data breach," said Ms. Sessions, who focuses her practice on health care privacy and compliance.

"Are you encrypting your data? Is encryption of your iPhone or your laptops important? Have you identified that as a potential risk? What are you doing to address that? Those are the types of things that OCR wants to see," Ms. Sessions said. "In my talking with physicians, there's not a real appreciation for how broad HIPAA is. That's handled by IT or their IT vendor, without [the doctors] necessarily understanding that they've got responsibilities around HIPAA on that."

Ms. McGraw says a common mistake practices make is failing to perform a HIPAA risk assessment on all ePHI the practice collects. 

"They might be doing their [electronic medical records] … for example, so they can attest to completing a risk assessment for meaningful use," Ms. McGraw said. "But they don't look at the medical devices that are not connected into their networks, or they don't look at other areas where PHI is collected but it's not part of the EMR. We need you to take a look at and evaluate all of the ePHI in your environment and have a risk management plan to address all of that."

TMA is offering HIPAA Risk Management's Online HIPAA Security Manager at a discounted rate for members. The security manager, which simplifies HIPAA security compliance, includes a comprehensive HIPAA risk analysis. 

Practices often fail to enact business associate agreements, Ms. McGraw said. If a practice contracts with any outside vendors who will handle PHI, they're required to use a business associate agreement. Ms. Sessions becomes a business associate when she signs on to help practices with regulatory issues. She says it's incumbent on the practice to request the business associate agreement, not the other way around.

Also, Ms. McGraw says doctors often don't pay enough attention to what the HIPAA Security Rule calls “addressable specifications.” The word "addressable" gives practitioners flexibility to determine whether a certain part of the HIPAA rule applies to their practice, but "addressable" doesn't mean optional, she says. One such addressable specification, Ms. McGraw says, is encryption of patient data.

"Our expectation is that you're implementing it, but we've given you the opportunity to consider whether it works in your environment and for the particular instances of ePHI," she said. "And if you're not going to implement it, you're going to document why, and you're going to document the alternative safeguards that you have put into place instead.

"Maybe you're beefing up your physical safeguards if you can't do encryption. But again, you would document the reasons why you'd made those choices, not … just leave it unaddressed."

Dr. Rodriguez says physicians can liken having a thorough P&P manual to taking a systems-based approach to problems: When a problem comes up, the manual shows the practice has a system in place to handle that particular problem.

"A Policy for Everything"

Dr. Rodriguez got a wake-up call a few years ago when he attended a local seminar by Tucson, Ariz.-based CEDR HR Solutions, a company that develops customized employee handbooks. At that seminar, he says he realized his policies and procedures were "woefully inadequate."

"You have to literally have a formal written policy for everything you do on a daily basis in the running of your practice," Dr. Rodriguez said. "And it's extremely overwhelming."

After CEDR helped him develop his employee manual, Dr. Rodriguez used the Texas Medical Association's Policies and Procedures: A Guide to Medical Practices as a template to customize the rest of its practice manual, including proper job descriptions for staff and surgical procedure policies. Policies and Procedures is available to TMA members for a discounted rate. (See "Save 20% on TMA's P&P Guide.") Once that work was complete, TMA Practice Consulting reviewed RGV's documentation to make sure it was complete.

In performing the overhaul of his manual, Dr. Rodriguez found out his P&P guide lacked a description of the practice's vision and definitions of ideal job performance and at-will employment.

"They're [new employees] getting this upfront, when you're hiring them: 'This is what it means to work in this office. You're choosing to work here at will,'" he said. "I didn't even think about all this. But it helps you create a culture in your office."

A P&P manual with properly documented protocols can potentially prove violations found during an audit aren't a matter of bad practice. RGV's P&P manual now shows that the practice's director of compliance performs random chart audits to ensure proper coding, a safeguard in case the Texas Medical Board comes calling.

"Then if you ever do get audited, you say, 'I'm sorry, we do have a policy in place where we randomly audit. This one must've slipped through.' That looks a lot better if you have that in place than if you go, 'I don't even look at my charts once I'm finished with them.' That's how the policies and procedures can protect you," Dr. Rodriguez said.

Good P&P documentation leaves a practice prepared for human resources problems. At RGV, for example, an office manager approached Dr. Rodriguez and told him a patient kept calling her, asking for her personal phone number, and requesting she send pictures of herself.

"Now clearly, he was acting inappropriately toward her, and she wasn't comfortable," Dr. Rodriguez said. "[She asked me], 'What do I do?' … We talked to our director of operations, and she said, 'Oh, on [this page] our policies and procedures manual has something about that, specifically regarding the interaction of staff with patients.'"

RGV's policies handbook says an employee should report patient harassment for appropriate responsive action, which can include but isn't limited to "asking the patient to refrain from the offensive behavior, removing the employee from areas where interaction with said patient can be reasonably anticipated, and ultimately asking the patient not to return to the Company."

Dr. Rodriguez recommends practices put a nurse-level assistant in charge of updating the P&P manual or hiring a medical assistant specifically to handle the job. 

"If physicians think this is something that's not important, they really need to think again," he said. "It's hard to run a successful business without having thorough employment policies and then policies and procedures that specifically address medical requirements, such as HIPAA."

Joey Berlin can be reached by phone at (800) 880-1300, ext. 1393, or (512) 370-1393; by fax at (512) 370-1629; or by email.


Save 20% on TMA's P&P Guide

TMA's Policies and Procedures: A Guide for Medical Practices is a practical, easy-to-use guide containing more than 200 sample policies and procedures, tools, sample letters, and forms you can customize to fit your practice's needs. The guide is specific to Texas medicine and Texas law and comes with a customizable CD containing policies and procedures on:  

  • Human resources,
  • Front desk operations,
  • Business office operations,
  • Management,
  • Clinical operations,
  • Medical records,
  • Safety,
  • Regulations compliance, and
  • HIPAA. 

Policies and Procedures and all TMA Education Center offerings are available for a 20-percent discount during the month of January. An additional discount is available to TMA members as a benefit of membership. For more information and to order the guide, visit the TMA website. To obtain the 20-percent discount, use promo code NEWYEAR20.

Back to article

January 2016 Texas Medicine Contents
Texas Medicine Main Page