Don't have a TCI SuperCoder account yet? Become a Member >>

Dermatology Coding Alert


Report: Many Practices Are Unprepared for Coming HIPAA Audits

No privacy officer? Then you aren’t HIPAA compliant.

As Part B practices nationwide prepare for upcoming HIPAA audits, it might seem like everyone has a HIPAA plan locked into place—but that’s not the reality for many small groups across the country, a recent survey reveals.

Some 30 percent of small practices have yet to create a compliance plan, while 54 percent haven’t appointed security or privacy officers, according to a recent survey by practice management software provider NueMD. The majority of the 927 practices that NueMD polled had fewer than four providers on staff, offering a unique glimpse into how small offices handle their privacy compliance.

NueMD’s Caleb Clarke discussed the findings and what they mean for health care offices everywhere.

Practices Don’t Appear Motivated

Although the NueMD survey highlighted the fact that many practices still have holes in their compliance plans, that wasn’t the most surprising finding from the results. “What we found the most interesting was that when comparing this year’s results with findings from our 2014 HIPAA Survey, awareness is outpacing the actual steps toward compliance,” Clarke said. “In other words, a lot more practices are aware of HIPAA, but not so many are doing anything about it. So our recent efforts have shifted from simply introducing HIPAA to them in a broad sense toward really exploring the active steps required in becoming compliant.”

If the practice managers at your practice don’t seem particularly interested in implementing a HIPAA plan, remind them that compliance is required—before it’s too late. “The fastest way to become interested in HIPAA audits is probably to be audited, but no one wants to learn that way,” Clarke said.

Because the Department of Health and Human Services has been slow in enforcing the HIPAA policy, many practices have taken extra time to solidify their HIPAA plans, Clarke says—but that isn’t the only issue that’s delaying them. “Overall, it seems like the practices that aren’t making as much progress have legitimate questions as to how to proceed. They need help. And the best way we’ve found to provide that is by spreading the word. Our hope is that by publishing pieces like our survey findings, we can draw attention to the areas that need the most improvement, and ultimately lead those practices to compliance.”

Lacking Privacy Officer Can Have Terrible Implications

The NueMD survey highlighted the fact that more than half of small practices haven’t yet appointed a security or privacy officer, which can create huge risks for practices down the road. “An obvious risk is that without officers, no one is responsible for maintaining compliance. But it’s actually even simpler than that. A practice that hasn’t designated officers can’t be HIPAA compliant. Appointing them is a basic requirement of HIPAA. So all security risks aside, there are very real financial risks at stake when government audits come into the picture. Officers are completely fundamental to the compliance process.”

If your practice is behind on your HIPAA compliance, the first step you should take in moving toward readiness is to get informed, Clarke says. “Our published survey results include a supplementary resource section loaded with information on compliance,” he says. “The findings also inspired us to create a series of free webinars on HIPAA compliance that we’ll be hosting throughout March and April.”

Resource: To read the entire NueMD survey results, visit