Noncompliance with the Health Insurance Portability and Accountability Act (HIPAA) can attract fines as high as $50,000 per violation, and the recent US$750,000 HIPAA settlement by a Radiation Oncology group in Indiana has been disconcerting and unnerving for all medical practices and healthcare providers. According to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), smaller private practices are the most in need of corrective action, followed by hospitals, outpatient centers, pharmacies, and health plan providers. Since 2003, close to 24,000 HIPAA violation cases have undergone corrective action with the assistance of the OCR, and fines of almost $23 million have been paid by hospitals, pharmacies, and private practice groups.
Common HIPAA issues that prompt investigations include:
- Impermissible disclosure of protected health information (PHI)
- More than minimum necessary disclosure of PHI
- Lack of necessary PHI safeguards
- Lack of protection for electronic PHI
- Denial of PHI access to patients
The statistics are daunting, so it is imperative for physicians to keep themselves, their staff, and their medical practice HIPAA compliant. Procedures and practices that help accomplish this include:
- Training staff adequately to handle PHI.
- Designating a staff member to focus on HIPAA security measures and educate others.
- Assigning different security levels to staff to prevent unnecessary or inadvertent exposure and to ensure sharing of information on a need-to-know basis only.
- Prohibiting sharing of passwords amongst staff members.
- Avoiding an overly cautious approach that withholds PHI even from patients' family members.
- Reminding staff to access patient medical records only when necessary and with written permission from the patient.
- Closing computer programs before leaving a desk. Systems that automatically log out or go offline after a set period of inactivity can be helpful.
- Securing electronic data transfer with encryption, passwords, and authentication.
- Verifying identity with a two-step process, for example a password plus voice recognition, or a password plus a fingerprint.
- Storing PHI files in locked cabinets, shredding for disposal, and faxing with cover sheets.
- Choosing a HIPAA-compliant cloud server for data storage.
- Ensuring third-party contracts with your group are also HIPAA compliant.
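Three of the practices above (need-to-know security levels, the "minimum necessary" rule, and automatic logout after inactivity) are the kind of controls an auditor will ask to see enforced in software rather than only in a policy binder. The following is an added illustration, not code from the original article or from any EHR vendor: a small Python sketch that filters a patient record down to the fields a role may see, refuses requests from idle sessions, and writes every attempt to an audit trail. The role names, the field sets, the 600-second idle limit, and the sample record are all constructed for the example; a real practice would derive the role-to-field mapping from its own job descriptions and policies.

```python
from __future__ import annotations

import time
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Hypothetical role-to-field mapping: each role sees only the PHI fields it
# needs for its job ("minimum necessary"). Constructed for this example.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "physician": {"name", "dob", "diagnosis", "medications", "notes"},
    "nurse": {"name", "dob", "medications"},
    "billing": {"name", "dob", "insurance_id"},
    "front_desk": {"name", "next_appointment"},
}

# Illustrative inactivity limit in seconds; the article recommends automatic
# logout after a set idle period but does not prescribe a value.
IDLE_TIMEOUT_SECONDS = 600


class SessionExpired(Exception):
    """Raised when the session has been idle longer than the timeout."""


class AccessDenied(Exception):
    """Raised when the role is not permitted to see a requested field."""


@dataclass
class Session:
    user: str
    role: str
    last_activity: float  # epoch seconds of the last successful action


def session_is_active(session: Session, now: float,
                      idle_timeout: float = IDLE_TIMEOUT_SECONDS) -> bool:
    """True while the session has been used within the idle window."""
    return (now - session.last_activity) < idle_timeout


def access_record(session: Session, record: Dict[str, str],
                  requested_fields: Iterable[str], audit: List[dict],
                  now: float | None = None) -> Dict[str, str]:
    """Return only the requested PHI fields the caller's role may see.

    Every attempt, successful or not, is appended to `audit` so a reviewer
    can later answer "who looked at what, and when".
    """
    now = time.time() if now is None else now
    requested = set(requested_fields)
    entry = {"time": now, "user": session.user, "role": session.role,
             "patient": record.get("patient_id"), "fields": sorted(requested)}

    # Idle sessions are refused outright: the workstation should already
    # have logged the user out, so this is a second line of defence.
    if not session_is_active(session, now):
        audit.append({**entry, "outcome": "session_expired"})
        raise SessionExpired(f"{session.user} idle too long")

    # Need-to-know check: any field outside the role's allowance denies the
    # whole request instead of silently returning a subset.
    allowed = ROLE_FIELDS.get(session.role, set())
    denied = requested - allowed
    if denied:
        audit.append({**entry, "outcome": "denied",
                      "denied_fields": sorted(denied)})
        raise AccessDenied(f"role {session.role} may not read {sorted(denied)}")

    session.last_activity = now  # a successful use extends the idle window
    audit.append({**entry, "outcome": "granted"})
    return {f: record[f] for f in requested if f in record}


if __name__ == "__main__":
    # Constructed sample data; no real patient information.
    patient = {"patient_id": "P-0001", "name": "Test Patient",
               "dob": "1970-01-01", "diagnosis": "constructed",
               "medications": "none", "insurance_id": "INS-TEST"}
    trail: List[dict] = []
    doctor = Session("dr_a", "physician", last_activity=time.time())
    print(access_record(doctor, patient, ["name", "diagnosis"], trail))
    clerk = Session("clerk", "billing", last_activity=time.time())
    try:
        access_record(clerk, patient, ["diagnosis"], trail)
    except AccessDenied as exc:
        print("denied:", exc)
    for line in trail:
        print(line)
```

The audit list is passed in explicitly so that the caller decides where entries go (a file, a database, a SIEM); what matters for a HIPAA review is that denials and expired sessions are recorded alongside successful reads, not only the reads.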
The good news is that, since 2003, more than 10,000 OCR investigations found no HIPAA violations, and in another 10,000 cases early intervention and technical assistance by OCR prevented an investigation from being initiated.
You are only as safe as your most vulnerable practice. To ensure conformity with HIPAA regulations, investing in a HIPAA-compliant, cloud-based EHR practice management system is an astute decision. An analysis of your practice and a robust plan to correct deficiencies in HIPAA compliance, or breaches of protected health information, could save you, literally, hundreds of thousands of dollars and one massive headache.