Regulation of Medicine


Common HIPAA Compliance Issues and How to Avoid Them

Executive Summary 

Healthcare providers must ensure that they have adequate measures in place to protect patient data and prevent a HIPAA violation. The three main aspects of HIPAA that continue to be a challenge for organizations are privacy, security and breach notification. Providers should ensure compliance in those areas to avoid the financial penalties and hassle of a HIPAA-related complaint.  

Recommended Actions  
  • Consider implementing encryption in all electronic devices used within your healthcare organization. 
  • Ensure that your practice has a policy for how to handle a HIPAA-related complaint and that all staff are appropriately trained. 
  • Consider employing a vetted third-party vendor for your practice’s paper shredding and hard drive destruction. 

The Department of Health and Human Services (HHS) continues to find that covered entities, particularly smaller entities, show HIPAA deficiencies regarding privacy, security and breach notification. 

Privacy Rule Concerns 

Improper notice of privacy practices 

HHS found that patients either were not receiving a Notice of Privacy Practices (NPP) or the notice was deficient. The Final Rule changed how practices may use or disclose a patient’s Protected Health Information (PHI), which in turn required updates to your NPP. You can download a sample NPP from the sample policies tab in the HIPAA Toolkit.

Timeliness and cost of providing medical records 

Under HIPAA, a provider must provide access to medical and billing information upon request and as soon as possible, but no later than 30 days after the request. Copies must be provided in the format requested by the patient if the provider has the capacity to do so. For most situations, this means that if you have electronic medical records (EMRs) and a patient requests a digital copy (such as a PDF), you must provide one if your current system has that capability.

When providing records to a patient, a provider may only charge a “reasonable, cost-based” fee for copies. Charging a per-page copy fee to a patient, typical with paper records, may no longer be considered reasonable or cost-based with EMRs. You may not deny a patient a copy of their medical records because of unpaid charges for services received. Additionally, in some cases, you may not charge a fee for searching and retrieving medical records. Refer to your state-specific laws related to copying fees.  

Provide only the relevant medical record information 

The Minimum Necessary Standard requires that you produce only those portions of medical records that are needed for the purpose for which the disclosure is permitted. For example, you are permitted to disclose some PHI when sending a patient to collections for not paying a bill. However, the billing information will usually suffice in this situation, and a provider should not disclose medical treatment notes unless required.

Authorization issues 

These include failing to obtain a necessary HIPAA-compliant authorization when required or using an inadequate authorization form. You can find a sample authorization form on the sample forms tab in the HIPAA Toolkit. 

Security Rule Concerns 

Maintain a current risk analysis 

Performing a thorough risk analysis and updating it on a periodic basis is the first step to ensuring compliance with the HIPAA Security Rule. A risk analysis helps your organization ensure that it is compliant with HIPAA’s administrative, physical and technical safeguards. It also helps reveal areas where PHI could be at risk. If a patient files a HIPAA complaint, the first thing the government will ask for is the most recent risk analysis. Lack of a risk analysis, or lack of one that is up-to-date, has been prominently cited as the justification for sanctioning large fines when a substantial data breach occurs. 

Lost or stolen data 

“Media Movement and Disposal” refers to PHI lost or stolen while being moved or improperly disposed of. Loss or theft of PHI was the cause of 65% of breaches involving more than 500 patients’ information. Most of these involved lost or stolen laptops, thumb drives, DVDs, cellphones and other forms of portable media, but the category also includes briefcases or paper patient files that are stolen from cars or left behind in taxi cabs.

  • Be cautious in situations in which unencrypted laptops, thumb drives or cellphones could be stolen. Encryption may be an upfront cost now, but it could save you in fines as well as damage to the practice’s reputation. 
  • In terms of disposal, securely destroy copies of medical records. Never throw billing information or copies of medical records out with the normal trash. And don’t forget to wipe the hard drive on your leased digital copier before returning it. 

Audit and monitoring 

HIPAA requires that covered entities regularly audit their systems for intrusions and have policies and procedures for how and when that monitoring will occur. Most health care professionals do not have internal information technology experts to rely on and may use outside contractors. Providers should raise these issues and discuss auditing and monitoring with their contractors. Without auditing and monitoring of your systems, you could be hacked and not even know it. 

Breach Notification Concerns 

Under the Final Rule, unauthorized acquisition, access, use or disclosure of PHI that doesn’t fall into one of the exemption categories is presumed to be a breach and requires notification of the affected individuals, the Office for Civil Rights (OCR), and in some cases the media. If the breach occurs at or by a Business Associate (BA), the BA must notify the covered entity. Refer to the OCR website for specific guidance on reporting a breach.

Patient Concerns 

Privacy and confidentiality are the foundation of a trusting relationship between a patient and physician. Studies have shown that the public is deeply concerned about the privacy and security of health information and that the HIPAA Privacy Rule has reduced some of those concerns. It is important that healthcare organizations and providers comply with these laws to provide patients with the greatest privacy and security protection of their health information afforded to them under the law.  

Suggested Action Items 
  • Make sure your Notice of Privacy Practices (NPP) is updated. You can find sample forms in our HIPAA Toolkit. 
  • Respond to medical record requests as soon as possible, but no later than 30 days after the request is made. 
  • Limit the use or disclosure of protected health information to the minimum necessary to accomplish the intended purpose. (The minimum necessary rule does not apply to disclosures for treatment purposes.) 
  • Ensure that the authorization form you are using includes all of the required components.  
  • Perform and maintain a current security risk analysis. 
  • Physically secure and encrypt data on laptops, thumb drives, DVDs, cellphones and other forms of portable media. 
  • Regularly audit your systems to detect intrusions. 
  • Train your staff on the steps to take in the event of a HIPAA-related complaint. 

Lessons Learned  
  • Before employing any new electronic vendor, inquire how often the vendor audits its systems for cybersecurity intrusions and document this conversation.  
  • Maintain copies and documentation of all past security risk analyses performed by your healthcare practice in one, safe location.  
  • Ensure that your practice regularly conducts HIPAA-related training for all staff members.  

Potential Damages 

If your healthcare organization is found to be in violation of HIPAA, you could face costly fines and financial penalties. Although relatively infrequent, these violations can add up and cost your practice a significant amount of money.   


1. When disclosing medical records for a single encounter, I can send the requestor the patient’s entire medical record.
2. When providing requested medical records to a patient, I can charge them a “reasonable, cost-based” amount for copies.
3. When providing requested medical records to a patient, I can take two months to respond.




The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.