Take Action to Avoid the Most Common HIPAA Violations
HIPAA Compliance Requires Teamwork

New Rule: New Responsibilities
• Most chiropractors are familiar with the importance of safeguarding their patients’ protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) and with the consequences that can follow a violation of the privacy law.
• Even if you are one of them, your practice could still be in danger of violating HIPAA if you are not up to date on the changes to the law brought by the final HIPAA Omnibus rule.

HIPAA Omnibus
• The changes the Omnibus rule brought to HIPAA mean that a violation can result not only in damage to your reputation, but also in significant criminal and civil fines.
• The new enforcement features, strengthened by an active program of HIPAA audits, mean your practice must be more vigilant about its privacy and security programs than ever before.
• Let’s take some time to review the most frequently encountered violations and what your practice can do to avoid them.

Accidental Unauthorized Access
• One of the most common HIPAA violations typically occurs by accident.
• While accidental, unauthorized access to PHI by a member of your practice team can still be a serious offense.
• It can happen by inadvertently adding the wrong recipient to an email containing protected health information, or by selecting the wrong chart on the computer screen.

Cybercrime
• On a much higher level of significance, cybercrime, the unauthorized use of PHI with the intent of committing insurance fraud or identity theft, is on the rise, and individuals trafficking in stolen personal information are often caught and prosecuted to the fullest extent of the law.

Action Steps
• Your practice can avoid this offense by tightening security around all of your patient records.
• Set up administrative safeguards to prevent non-authorized personnel from accessing, viewing or receiving PHI.

Action Steps
• An important step in this process is to set up a password-protected, centralized system for accessing PHI and to place one trusted practice team member in control of who gets a password.
• You should also change your passwords periodically, in case of any possible breach of privacy.

Action Steps
• Inform your staff that you monitor access to patient records on an ongoing basis, and be sure to train those with access on the proper methods for protecting privacy.
• Make sure your staff knows that you will hold them accountable for any breach they cause, intentional or otherwise.

Create Secure Patient Access
• When requested, your patients must be allowed to access their private health records.
• Your Electronic Health Record (EHR) system should provide you with the ability to create a portal for patients that is protected by username and password.

Action Steps
• Create a secure patient portal to your EHR system.
• Provide your patients with this information upon intake.
• Periodically follow up with patients to be sure that they are aware of their access.
Internet Office Policy
• Your Office Policy (Form 207) should clearly outline which uses of social media, email and the Internet are and are not permissible in your practice.
• When you institute a social-media policy, be cognizant of Section 7 of the National Labor Relations Act, which protects certain kinds of speech on social media.

National Labor Relations Board Social Media Regulation
• Employees have the right to communicate with one another with the aim of improving wages, benefits or working conditions.
• Employees still need to be careful about what they post.
• Those releasing confidential information, or who are ranting and raving about their employers, will receive a rude awakening if they believe their “free speech” will be defended.

Action Steps
• Be sure that your practice team members are aware that posting any protected health information on social media is a privacy violation and subject to review.
• This is true even when the patient is not identified by name!

Action Steps
• Your staff members should also know that they may not send any unencrypted emails that include PHI.
• This policy should cover their personal mobile devices as well.

Protect Paper Patient Records
• When protected documents fall into the wrong hands, the result can be financial penalties for your practice and serious personal, and even employment, harm for your patients.
• You can prevent this from happening by not allowing patient records to leave your practice.

Action Steps
• Patient records should be stored in a locked cabinet or room that can be accessed only by authorized personnel.
• Avoid placing stickers or any other identification of a patient’s diagnosis on the outside of the patient’s chart.

Action Steps
• If patient records are to be stored offsite, be sure that they are kept in a secured setting.
• When outsourcing the shredding of patient records, use a professional service that guarantees privacy.

Protected Conversations
• Train your practice team members to be aware of who else may be listening to their conversations.
• This includes discussing a patient’s condition within earshot of the reception room, or when leaving a message on a patient’s answering machine.

Action Steps
• Inform your staff that they are not to leave any PHI in phone messages.
• Staff are not to discuss PHI where they can be overheard by other patients or non-staff visitors.
• Provide private spaces where discussions of health information, in person or over the telephone, can be held.

More Omnibus Changes
• HIPAA Omnibus changed the rules on providing patients with access to your Notice of Privacy Practices.
• Prior to Omnibus, the rule required posting of the Privacy Notice where patients could view it.

Action Steps
• The new rule requires you to make a significantly more extensive Notice available to patients: it has grown to nine pages from the previous one-page document.
• Form 708W

Acknowledgement Receipt
• Most importantly, the new rule requires you to have an Acknowledgement of Receipt or Refusal of the Notice, signed by each patient and retained in their chart.
• Form 709
• Make this part of your everyday routine practice procedure for all patients.
Case #1: Condition-Identifying PHI
• A practice flagged its patient records with stickers on the outside cover that indicated when a patient was pregnant.
• The records were handled so that other patients and staff without a need to know could read the sticker.

What was the HIPAA Violation? What was the Resolution?

The HIPAA Violation
• You may not display condition-specific PHI where patients or staff can view the information.
• This includes stickers or other identifying information.

Resolution
• When notified of the complaint filed with OCR, the practice immediately removed the stickers from patients’ files.
• To resolve this matter, OCR also required the practice to revise its policies and operating procedures and to limit stickers to the inside cover of the records.
• Further, the covered entity’s Privacy Officer and other representatives met with the patient who filed the complaint and apologized, and followed the meeting with a written apology.

Case #2: Faxing Procedures for PHI
• An employee of a practice mistakenly faxed a patient’s medical records to the patient’s place of employment instead of to the patient’s new health care provider.

What was the HIPAA Violation? What was the Resolution?

The HIPAA Violation
• You must make sure you’re sending your faxes to the right place.
• Double-check every fax number before hitting “Send”.
• Put a confidentiality cover sheet on every fax.

Resolution
• The employee responsible for the disclosure received a written disciplinary warning, and both the employee and the doctor apologized to the patient.
• To resolve this matter, OCR also required the practice to revise the office’s fax cover page to underscore that it is a confidential communication for the intended recipient.
• The office informed all its employees of the incident and counseled staff on proper faxing procedures.

Case #3: Supervisor Accesses Employee’s Medical Record
• A practice employee’s supervisor accessed, examined and disclosed the employee’s medical record.
• The disclosure of protected health information by the supervisor was not authorized by the employee.

What was the HIPAA Violation? What was the Resolution?

The HIPAA Violation
• An employee’s medical record is protected by HIPAA, even though employment records are not.

Resolution
• A letter of reprimand was placed in the supervisor’s personnel file, and the supervisor received additional training about the Privacy Rule.
• Further, the practice counseled the supervisor about appropriate use of the medical information of a subordinate.

Case #4: Practice Limits Patient Access to Records
• A practice denied a patient access to his records on the basis that a portion of the patient’s record was created by a physician not associated with the practice.

What was the HIPAA Violation? What was the Resolution?

The HIPAA Violation
• Your practice may deny a patient’s request to amend the medical record when your practice did not create that portion of the record.
• No similar provision limits an individual’s right to access their protected health information.

Resolution
• The OCR required the practice to revise its access policy and procedures.
• It also had to affirm that patients have access to their record regardless of whether another entity created information contained within it.

HIPAA Prosecution
• The Office of Civil Rights (OCR) is responsible for the investigation and prosecution of HIPAA violations.
• The OCR provides practices with leeway when a violation is reported and will work with practices on remediation plans when a breach of PHI occurs.

Privacy & Security Officer
• HIPAA violations must not be taken lightly.
• HIPAA compliance is an active and ongoing process that requires the attention of every member of your practice team.
• You should have a Security and Privacy Officer on staff.

HIPAA Insurance
• While audit insurance is available, most policies do not provide coverage in the case of a breach of PHI.
• The new HIPAA rule increased the penalties for noncompliance; they are based on whether a violation is promptly corrected and on the level of negligence involved.