HIPPA 101: A Refresher
Kelly Ogle, BSDH, MIOP, CMPM, CHIP
Director of OSHA and HIPPA Services for DoctorsManagement, LLC
This auditing and compliance “Tip of the Week” was originally published by the National Alliance for Medical Auditing Specialists (NAMAS), a division of DoctorsManagement.
Your mother always said, “if they told you to jump off a bridge, would you?” In the case of HIPAA, yes! HIPAA law is all-encompassing and the consequences for violating it are severe, so aggressive efforts should be made to stay in compliance. HIPAA stands for the Health Insurance Portability and Accountability Act, and it applies to anyone in the medical field who may view or handle patient information, or even be around the information.
What does that mean to us as healthcare workers? It was established for employees to have insurance between jobs (portability) and to address fraud, waste and abuse (accountability) in health insurance. In addition to that, HIPAA introduced rules for privacy and security. Privacy and security rules both protect information, but privacy covers electronic, written and oral information whereas security only includes what is electronic. If your experience is with paper charts, then tracking is not available on people who have accessed this information. For electronic records, there must be a way to monitor the accessing of patient information. This is not because the employer doesn’t trust the employees, but HIPAA wants to make sure, as a covered entity, that we are doing everything possible to protect the information.
Anyone who sees patients directly will be considered a covered entity, whereas those entities that handle the patient information for us (IT companies, EHR vendors, etc.) are considered business associates. Business associates must protect the information the same as we do and can be held accountable just as covered entities are. In an example of the importance of protecting our information electronically, Athenahealth, one of the largest companies that sells EHR software and medical billing services, experienced a data breach affecting nearly 79 million patients. They were fined $16 million. This is the largest known HIPAA breach in the U.S. history. The information that was stolen included Social Security Numbers as well as names, addresses and employment information. Now the big shocker is this breach began with an email that multiple employees received and at least one opened. These emails were a phishing scam.
So, you can see where it is important to train and be trained on how to protect our patient information. Both covered entities and business associates should start with a risk assessment to determine their weaknesses and strengths in both privacy and security. This can be where the patients are in relation to employees when important Protected Health Information (PHI) is being discussed. Are you using encryption and anti-virus programs on your computers? This and everything in between should be considered. This includes a review of how non-electronic PHI can be protected. Below is a list of questions that are important to ask yourself about your office and how you are handling your information.
- Does the practice use a TV, music, etc., in the reception area?
- Does the check-in desk have closeable windows?
- If so, are they kept closed as much as possible?
- Can patients in the lobby overhear PHI discussions from the check-in area?
- Can patients in the lobby overhear PHI discussions from the front business office?
- Can patients checking in see and read PHI on the computer screens in the administrative area?
- Do you use a sign-in sheet?
- If a sign-in sheet is used, does it contain any PHI information that another patient could see?
- Is there often more than one person waiting at the counter to check in? If so, how is patient information protected?
- Is the door between the lobby and the clinical area kept closed? Is it lockable?
- Do staff members initiate conversations that may include PHI before entering the exam room and closing the door?
- Are exam room doors closed when a patient is in the room, and do they stay closed while the patient is there?
- Are patient records with visible PHI placed in bends/holders on or near the exam room doors?
- Are patient charts left open or closed with PHI information visible on the nurses’ station?
- Are visitors such as drug reps or equipment repair people given free access throughout the practice?
- Does the practice have patient schedules, including PHI, posted in plain view of anyone in the area?
- Can confidential discussions taking place in an exam room be overheard in the next exam room? In the hall?
- Do the providers dictate in areas where PHI could be overheard?
- How do you dispose of media or paper that might contain PHI?
- Do you have a shredder onsite or a contract in place to shred unwanted medical documents?
- Does it destroy storage media such as hard drives?
- Are they shredded onsite?
- How are documents handled/stored prior to being shredded?
- Do you have a new employee HIPAA training program?
- Do you have periodic confidentiality training?
- Who is your Privacy Officer?
- Have you developed privacy policies and procedures?
- Do you use a HIPAA-compliant Authorization form?
- Do you send PHI to employers or schools?
- Do you have a signed authorization prior to sending PHI?
- Do you post patient pictures in the practice?
- Do you have a Notice of Privacy Practices (NPP)?
- Is the NPP posted in the office?
- Is the NPP posted on the web site?
- Do you offer a copy of the NPP to all new patients?
- Do you have a list of your potential “Business Associates”? Is it current and complete?
- Have you implemented a Business Associate Agreement with each one?
- Does your state have statutes for privacy issues and if so, are they more stringent than HIPAA?
- Do you have a consistent sanction policy for failure to comply with privacy requirements?
- Does someone monitor employee use of the Internet?
- Does someone monitor employee use of patient records?
- Does someone review access logs?
- Are practice employees required to sign a Confidentiality Agreement?
- Where are current and historical medical records stored and what access controls are in place?
A security risk assessment tool can be downloaded from HealthIT.gov (https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment). This will help you with electronic storage of patient information.
Here’s why thousands of providers trust DoctorsManagement to help improve their coding and documentation.
Quality of coders and auditors. Our US-based auditors receive ongoing training and support from our education division, NAMAS (National Alliance of Medical Auditing Specialists). All team members possess over 15 years of experience and hold both the Certified Professional Coder (CPC®) as well as the Certified Professional Medical Auditor (CPMA®) credential.
Proprietary risk-assessment technology – our auditing team uses ComplianceRiskAnalyzer(CRA)®, a sophisticated analytics solution that assesses critical risk areas. It enables our auditors to precisely select encounters that pose the greatest risk of triggering an audit so that they can be reviewed and the risk can be mitigated.
Synergy – DoctorsManagement is a full-service healthcare consultancy firm. The many departments within our firm work together to help clients rise above the complexities faced by today’s healthcare professionals. As a result, you receive quality solutions from a team of individuals who are current on every aspect of the business of medicine.