Advice on how to prevent HIPAA violations and avoid fines
Practices of all shapes and sizes struggle regularly to keep up with the cavalcade of rules and regulations that have been heaped upon them since Health Information Portability and Accountability Act (HIPAA) was first conceived.
Add to that the expansion of ICD-10 and other onerous obligations that have come with the Affordable Care Act (also known as Obamacare), and being compliant begins to look like a script from the Mission Impossible series!
While practitioners have put a lot of time and money into “getting it right” with the big things, oft times the simplest things get overlooked, costing them the most in the way of fines and violations.
Here is a short list of the top 10 most common HIPAA violations, nearly all of them preventable with a good Acceptable Use Policy, employee handbook or basic technology safeguards that, when taken together, would cost less than the monthly support on the practice management system.
- Failure to adhere to the authorization expiration date. If an expiration date is set by the patient, confidential records cannot be released after that date. Most Practice Management Systems (PMS) provide for locks or alerts when the expiry date has passed; just turning that feature on may be a quick fix.
- Failure to promptly release information to patients. A patient has the right to receive electronic copies of medical records on demand.
- Improper disposal of patient records. Patient records must be shredded before disposal or electronic records wiped from any systems that may have contained it.
- Insider snooping. No one, including family members and co-workers, can access a patient’s medical records without proper authorization. Password protection, tracking systems and clearance levels must be utilized to prevent unauthorized access. Even basic network setups provide for much of these safeguards if they’re set up properly.
- Missing patient signature. HIPAA forms must include the patient’s signature to be valid. If you set these forms up electronically, which many PMS’ allow you to do then these fields can be required before the form is accepted by the system.
- Releasing information to an undesignated party. Only the person(s) listed on the authorization form may receive patient information.
- Releasing unauthorized health information. A patient has the right to release only part(s) of their medical record. Any part of the medical record that has not been authorized by the patient cannot be released.
- Releasing the wrong patient’s information. Controls must be in place to avoid releasing information for the wrong patient. This often occurs when patients have the same or similar name.
- Right to revoke clause. All forms signed by the patient must include a Right to Revoke clause or the form is invalid.
- Unprotected storage of private health information. Private patient information cannot be stored on unprotected devices such as smartphones, laptops, thumbnail drives or any other unprotected mobile or portable device.
Many systems today include alerts, reminders and automated procedures to cure these before they become a violation. Your technology partner should be looking for these things when they evaluate and recommend your next electronic medical record (EMR), electronic health record (EHR) or practice management system.
As a true partner in your practice, they should also help to craft the policies and procedures to cure those that cannot be automated or solved by technology alone, like shredding patient records when they are to be disposed of or making certain the right information is released to the right authorized individuals.
No system is foolproof, but the standards of compliance are based on “best efforts” and “reasonable care.” Your managed services provider needs to know this and understand what this means in relation to the size and scope of the practice. When that happens, a technology vendor becomes a true partner in the success of the practice.
Have an honest discussion with your IT services provider. Is s/he providing you the same level of care you provide your patients? If not, it may be time for a second opinion.