Regulation of Medicine
HIPAA: Key Areas Where Problems Occur
January 4, 2017
In 2015, the Department of Health and Human Services (HHS) released a report concerning HIPAA breaches, security and breach notification compliance, and breaches of unsecured protected health information. According to the report, the majority of covered entities audited, particularly smaller entities, continued to show HIPAA deficiencies with regard to privacy, security, and breach notification.
Privacy Rule Concerns
Improper notice of privacy practices - HHS found that patients were either not receiving a Notice of Privacy Practices (NPP) or the notice was deficient. The Final Rule made some changes in how practices can use or disclose a patient’s Protected Health Information (PHI). As a result, this required updates to your NPP. You can download a sample NPP from our website: www.magmutual.com.
Timeliness and cost of providing medical records - Under HIPAA, a provider must provide access to the medical and billing information, upon request and as soon as possible, but no later than 30 days after the request. Copies must be provided in the format requested by the patient, if the provider has the capacity to do so. For most situations, this means that if you have electronic medical records (EMRs), and they request a digital copy (such as a PDF), you must do so if your current system has that capability. When providing records to a patient, a provider may only charge a “reasonable, cost-based” amount for copies. Charging a per-page copy fee to a patient, typical when paper records were copied, may no longer be considered reasonable or cost-based with EMRs. You may not deny a patient a copy of their medical records because of unpaid charges for services received. Additionally, in some cases, you may not charge a fee for searching and retrieving medical records. Refer to your state-specific laws related to copying fees.
Provide only the relevant medical record information—The Minimum Necessary Standard requires that you only produce those portions of medical records that are needed for the purpose in which the disclosure is permitted. For example, you are permitted to disclose some HIPAA protected health information (PHI) when sending a patient to collections for not paying a bill. However, the billing information will usually suffice in this situation, and a provider should not also disclose medical treatment notes unless required.
Authorization issues - These include failing to obtain a necessary HIPAA compliant authorization when required or using an authorization form that does not contain all required information. You may find a sample authorization form on our website: www.magmutual.com.
Security Rule Concerns
Maintain a current risk analysis - Performing a thorough risk analysis, and updating it on a periodic basis, is the first step to ensuring compliance with the HIPAA Security Rule. A risk analysis helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. It also helps reveal areas where PHI could be at risk. If a HIPAA complaint is filed, the first thing the government will ask for is the most recent risk analysis. Failing to have the risk analysis, or failing to update it, has been prominently cited as the justification for sanctioning large fine amounts when a substantial data breach occurs.
- To assist in this compliance effort, the Office of Civil Rights, in conjunction with the Office of the National Coordinator, created an online tool that will help walk you through creating or updating your risk analysis. It is available at www.healthit.gov/providers-professionals/security-risk-assessment
Lost or stolen data - “Media Movement and Disposal” refers to PHI lost or stolen when being moved or when being improperly disposed. Loss or theft of PHI was the cause of 65 percent of breaches involving more than 500 patients’ information. Most of these were lost or stolen laptops, thumb drives, DVDs, cellphones and other forms of portable media, but it also includes briefcases or paper patient files that are stolen from cars or left behind in taxi cabs.
- Be cautious in situations where laptops, thumb drives, or cellphones that are not encrypted could be stolen. Encryption capabilities may be an upfront cost now, but it could save you in fines as well as damage to the practice’s reputation with your patients.
- In terms of disposal, make sure that any copies of medical records are securely destroyed. Never throw billing information or copies of medical records out with the normal trash. And don’t forget to wipe the hard drive on your leased digital copier before returning it.
Audit and monitoring - HIPAA requires that covered entities regularly audit their systems for intrusions and have policies and procedures for how and when that monitoring will occur. Most health care professionals do not have internal information technology experts to rely on and may use outside contractors. Providers should raise these issues and discuss auditing and monitoring with their contractors. Without auditing and monitoring of your systems, you could be hacked and not even know it.
Breach Notification Concerns
Under the Final Rule, an unauthorized acquisition, access, use, or disclosure of PHI that doesn’t fall into one of the exemption categories is presumed to be a breach and requires notification of the affected individuals, the Office of Civil Rights, and in some cases, the media. If the breach occurs at or by a Business Associate (BA), the BA must notify the covered entity. Refer to the Office of Civil Rights website for specific guidance on reporting a breach at http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.
Privacy and confidentiality is the foundation of a trusting relationship between a patient and his/her physician. Studies have shown that the public is deeply concerned about the privacy and security of their health information and that the HIPAA Privacy Rule has reduced some of those concerns.1 It is important that we comply with these laws to provide our patients with the greatest privacy and security protection of their health information afforded to them under the law.
Suggested Action Items
- Make sure your Notice of Privacy Practices (NPP) are updated. You can find sample forms in our HIPAA Toolkit.
- Respond to medical record requests as soon as possible, but no later than 30 days after the request is made.
- Limit the use or disclosure of protected health information to the minimum necessary to accomplish the intended purpose. (The minimum necessary rule does not apply to disclosures for treatment purposes.)
- Ensure that the authorization form you are using includes all of the required components.
- Perform and maintain a current security risk analysis. A security risk analysis tool is available for download at www.healthit.gov/providers-professionals/security-risk-assessment
- Physically secure and encrypt data on laptops, thumb drives, DVDs, cellphones, and other forms of portable media.
- Regularly perform audits on your systems to prevent intrusions.
- Train your staff on the steps to take in the event of a HIPAA-related complaint.
U.S. Department of Health and Human Services, Office for Civil Rights. (2014). Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2011 and 2012. Washington, DC.
2 Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information. (2009). Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: National Academies Press.
Created by MagMutual from materials provided by COPIC as part of MagMutual and COPIC’s alliance to improve patient safety and quality of care for all of our PolicyOwners.
Want to learn more?
Interested in how MagMutual can help?View our products
The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.