HIPAA Consulting

HIPAA & HITECH Act – How You Can Avoid Complaints

The HITECH Act substantially expanded the HIPAA Privacy and Security Rules and increased the penalties for HIPAA violations.   Consider these recent violations and compare your risk:

• April 2011:  Massachusetts General Hospital agreed to pay the U.S. government $1 million to settle potential violations involving the loss of protected health information (PHI) of 192 patients.
  • Evidently a hospital employee while community to work accidently left documents behind on a subway train. The documents contained protected health information such as billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of providers. A mere employee mistake resulted in costly violations.
• May 2011:  Recently, a laptop containing more than 1,500 patient names and their personal information was stolen from a medical billing company employee’s car.  PhyData, LLC, a medical billing and management company located in Goodlettsville, reported the laptop stolen from the trunk of the worker’s vehicle at RiverGate Mall on May 7, 2011. Since the incident, the company has Kroll Inc. operating a toll-free call center to address questions and provide ID theft service at no cost to those affected. PhyData has now encrypted and password-protected all the laptops, reinforcing proper safety protocols with the staff.
• July 8, 2011:    UCLA Health System Agrees To Settlement To Resolve Allegations Of HIPAA Violations
  • The University of California at Los Angeles Health System (UCLAHS) has agreed to a $865,000 settlement with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) resolving allegations it violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The complaints alleged that UCLAHS employees repeatedly and without permissible reason looked at the electronic protected health information of two celebrity patients between 2005 and 2008.
  • The corrective action plan requires UCLAHS to implement Privacy and Security policies and procedures approved by OCR, to conduct regular and robust trainings for all UCLAHS employees who use protected health information, to sanction offending employees, and to designate an independent monitor who will assess UCLAHS compliance with the plan over three years.
  • (The agreement specifies that it is neither an admission of liability on the part of UCLAHS nor a concession on the part of HHS that USLAHS is not in violation of HIPAA.)
• September 26, 2011 Groupons May Be Illegal: Newspaper The Sun-Sentinel (LaMendola) reported that "big discounts on health care treatments offered on websites like Groupon may be illegal, medical law experts say." The discounts are not illegal for the patients, "but for the medical professionals giving them." According to health attorneys, "because the websites keep as much as half of the patient's payment... the online discounts could be interpreted as the practitioners splitting their fees or paying kickbacks to find new patients, which is banned by Florida and federal laws."

How many patients are in your system? How is protected health information secured? Likely these incidents invoke careful review of your office’s security policies.

The future implementation of the electronic health record (EHR) raised concern for privacy and security issues.  This page is a brief overview of new requirements as well as previous requirements that may not have been fully implemented.  “Willful neglect” of these regulations may result in expensive penalties for the practice.  Penalty tiers:

• $100 per Violation:  Person did not know & by exercising reasonable diligence would not have known; cap $25,000
• $1,000 per Violation:  a violation caused by reasonable cause & not willful neglect; cap $100,000
• $10,000 per Violation:  willful neglect; cap $250,000
• $50,000 per Violation: willful neglect that is not corrected; $1.5 Million cap

Training:  One dentist who was audited was asked to provide copies of HIPAA training rosters for all members of the workforce for the last 3-years.  Make certain you are providing current HIPAA / HITECH Act training for your entire staff, not simply the administrative personnel.  Such training is provided for new hires and at least annually.  Include privacy topics in regular staff meetings and encourage incident reporting.

Passwords and Logins:  User rights are assigned to the individual team members according to job descriptions.  For example, limit access to the data base according to job assignments.  No one shares passwords. 

Designate Privacy Officer:  Designate a Privacy Officer who makes minimum necessary decisions regarding PHI.

Privacy Policy:  HIPAA required covered entities to maintain a Privacy Policy which details how the practice protects the use and disclosures of PHI. 

Notice of Privacy Practices: Display your Notice of Privacy Practices poster in the reception area.  This should be a current copy (to include HITECH language) that corresponds to your policy and lists the contact person in your office who handles a privacy complaint. 

Acknowledgement:  In addition to obtaining the necessary financial consent forms, include an Acknowledgment of Receipt of Privacy Policy.  Keep in mind that patients may designate who may receive PHI as well as how you communicate with them.   This issue is especially relevant when treating minors or adult children who live at home. 

Business Associates:  Identify your business associates—independent contractors such as consultants, trainers, information technicians, bookkeepers, accountants, software vendors who have access to your patients’ protected health information.  Obtain a Business Associate Agreement and retain signed copies in your HIPAA records.  The HITECH Act makes notification of unsecured PHI applicable to business associates including the penalty tiers.

Risk Assessment:  Conduct a thorough risk assessment regarding the security of protected health information.   Keep in mind, Congress responded to the ongoing issue of patient privacy breaches resulting from lost, stolen or misplaced harddrives, laptops, thumb drives and memory sticks with the new breach notification requirements.  Where is your data stored?  Who is responsible to back up the data? 

Additional considerations include restoration of data following a natural disaster.  With recent weather emergencies, the value of offsite data storage cannot be overemphasized. 

Security Officer:  In small practices, the same individual serving as Privacy Officer may serve in the capacity of Security Officer.  This team member assures compliance with the security provisions of HIPAA and the HITECH Act.

Privacy Breach:  The HITECH Act now requires notification of unsecure privacy breaches.  According to the law, a covered entity that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information” is required to notify each individual “whose unsecured PHI has been, or is reasonably believed by the covered entity to have been accessed, acquired, or disclosed” because of the breach.

New requirements impose the same notification on business associates.  Therefore, if a business associate is reluctant to sign a business associate agreement, please reconsider your working relationship. 

Reportable Incidents:  Secured protected health information (unlike unsecured) renders the PHI unusable, unreadable, or indecipherable to unauthorized individuals.  Verify that your management software encrypts the data.  Ensure you are encrypting emails that contain PHI.  Additionally, if your office compiles correspondence or other PHI-related information in Word documents, PDFs or other file management system, ascertain that these files are encrypted or password protected.  Not following these procedures may result in complaints and costly penalties.

Timing of Notification:  Notification of unsecure protected health information is made without “unreasonable delay.”  According to Congress, this means no later than 60 calendar days after discovery of the breach.  This applies to the covered entity as well as business associates.

Method of notification is in writing, by first class mail to the last known address of the individual. If insufficient information is on file for 10 or more affected individuals, then make a conspicuous posting on your website or in major print or broadcast media.

If unsecured PHI of more than 500 residents of a state or jurisdiction occurred, then in addition to the notification described, notifications shall be provided to “prominent media outlets.” 

Accounting of Disclosures: The HITECH Act removed the accounting exception for disclosures of PHI to carry out treatment, payment, and healthcare operations.  Now – all such disclosures must be accounted for if the disclosure is made “through an electronic health record.”  Please be sure to check your previous copy of the Notice of Privacy Practices. Many offices are still using an outdated version that lists the exception for disclosures which is no longer valid.

How are Violations Handled?  One dentist received a letter from Department of Health and Human Services of his state alleging violations in his practice.  The letter indicated that failure to provide the requested information in a timely fashion would have constituted a violation of the regulatory provision and was punishable by fine $100 to $50,000 per day. 

In summary, dental and medical practices must seriously review their HIPAA privacy and security policies.  Whether offices choose to spearhead their compliance project independently or outsource to a reputable group, HIPAA compliance truly begs our attention. 

For assistance with your compliance project, contact Modern Practice Solutions (931) 232-7738.  Please visit our Products page to order compliance material.