Past compliance efforts may not be enough

The substantial penalties possible with HITECH are good reason for risk managers to take a fresh look at their HIPAA compliance programs, says Alisa L. Chestler, JD, an attorney with Baker Donelson in Washington, DC. It has been many years since most HIPAA compliance programs were initiated, and the outlook on HIPAA compliance and enforcement has changed since then, she says.

"Risk managers need to take a step back, take a deep breath, and look at the direction of their plans and whether they are fully integrated into all facets of their operations," Chestler says. "For example, you may not have had a particular line of operations when HIPAA went into effect, and when you adopted that line, did you integrate that fully into your HIPAA compliance plan? You may have given it a close inspection regarding HIPAA at the time you took on that line of operation, but did you fully incorporate it into all aspects of your compliance effort?"

Chestler generally advises focusing more on compliance than on the details of the HITECH enforcement options, because, after all, the goal is not to get to the point of penalties. But at the same time, she says, risk managers must be able to defend against a claim of willful neglect, which would bring the harshest penalties.

"You must be able to show good evidence that you've been doing your due diligence all along, and that isn't just writing a policy and putting it on a shelf," she says. "Your work is never done. If you wrote a solution for a situation a few years ago, you need to go back and see if that solution is actually working."

Lisa L. Dahm, JD, LLM, health director of continuing legal education and adjunct professor at the South Texas College of Law in Houston, advises risk managers to continuously monitor compliance. Formal audits are necessary, but spot checks of billing, medical records, policies, and procedures also are vital to ensure compliance, she says.

"Audits don't have to be a big deal with statistically significant sample sizes and a complex analysis," she says. "It can be as simple as the risk manager spending some time in the ER and watching what happens to see if people are disclosing health information when they shouldn't be. It can be walking into the medical records department to see how they handle records requests. An audit can be going up and down in the same elevator for an hour to see how people are talking about patient information."


For more information on reviewing HIPAA compliance, contact:

• Alisa L. Chestler, JD, Of Counsel, Baker Donelson, Washington, DC. Telephone: (202) 508-3475. E-mail: