Hungry, hungry HIPAA: A moment’s inattention could cause a compliance catastrophe

It’s easy these days to get so caught up in the transition to ICD-10 coding that you let other policies and procedures fall by the wayside, but nothing good can come from dropping your guard on HIPAA.

The possible violations are many, and the consequences for you and your patients are potentially severe.

A single employee with an Instagram account could inadvertently violate patient privacy just by taking a photo with a patient or a computer screen in the background. But most practices and their staff are generally aware of this kind of mistake.

Of much greater concern is a significant data breach from hackers or thieves. One study showed a 50- percent uptick in healthcare-related data breaches in 2014 alone. This is because healthcare records are good business for criminals.

Credit card companies have been on the ball about reporting unusual charges, but insurers don’t monitor patient claims with theft in mind. So a Medicare or insurance ID number is quite valuable on the black market, and could become the basis for significant identity theft.

Since 2009, there have been nearly 1,200 data breaches affecting over 133 million patient records. The smallest reported breach was of 441 records at a hospice in Idaho. The largest is one you’re probably well aware of: the whop- ping 80 million patient and employee records involved in a breach at health insurer Anthem in January 2015.

The HIPAA language on this is specific, requiring that you “secure all electronic protected health information against accidental or intentional causes of: unauthorized access, theft, loss or destruction, from either internal or external sources.” This means securing not only your laptops and computers but also memory sticks and cards, smartphones, and even fax machines and copiers—especially those that double as scanners and printers (and therefore store data).

Theft is the most common cause of data breach, with laptops being the single biggest target, followed closely by paper records. Think you’re in the clear because you use electronic health record (EHR) software?

Nope. EHR systems aren’t typically the problem; rather, it’s the user’s behavior when pulling reports and data from the system. Similarly, moving data to the cloud simply transfers the problem there if you don’t clean up procedures, use secure and updated passwords, and pay attention to security procedures like logging out.

In other words, the biggest threat to the safety of your patients’ records is likely someone on your own team.

Although patients can’t sue you for a HIPAA violation, they can bring a negligence lawsuit with the violation as its basis. The amount of money at stake can be astounding. In addition to HIPAA fines, it’s not unusual for large companies that have been breached to face multibillion-dollar class action lawsuits.

What’s a busy office to do? It’s essential to earn patient confidence and keep your practice safe. Start by taking a close look at all team members who access patient records.

Follow up with training and pop quizzes to make sure your team understands privacy procedures, especially how to use secure passwords and why it’s important to log out every single time a team member steps away from a laptop or computer.

Document this training and keep it on hand in case of a HIPAA audit.

HIPAA may be far-reaching and hungry, but you can make sure you’re not the one feeding it.

 

Kathy Mills Chang is a Certified Medical Compliance Specialist (MCS-P) and Certified Chiropractic Professional Coder (CCPC), and since 1983 has been providing chiropractors with reimbursement and compliance training, advice, and tools to improve the financial performance of their practices. She leads a team of 16 at KMC University and is known as one of the profession’s foremost experts on Medicare. She or any of her team members can be reached at 855-832-6562, at kmcuniversity.com, or by emailing info@kmcuniversity.com.