Is your medical practice safe from a data breach or a HIPAA non-compliance event? After four months of decline in data breaches, the Department of Health and Human Services’ Office for Civil Rights (OCR) reported an increase of 30 percent in healthcare data breaches in April 2022. HIPAA compliance violations can, as you well know, result in thousands of dollars in fines and prove to be a significant existential threat to medical practices and healthcare organizations. It’s estimated that data breaches cost the industry billions of dollars each year. So how do you improve HIPAA compliance at your medical practice?
Compliance is a vast topic, and no single article can do it justice. The U.S. Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to enhance the protection of ePHI* and ensure patient privacy. The guidelines continue to be revised; therefore, any entity in the healthcare space must be acutely aware of, and compliant with, these guidelines.
However, to help you understand HIPAA compliance and give you actionable HIPAA compliance tips, let’s break it into two simple aspects – 1. patient information security and 2. patient information accessibility.
HIPAA Compliance with Patient Information Security
Let’s talk about information security first.
Protected health information is a patient’s private information; this includes but is not limited to the patient’s –
- Birth date
- Social security number
- Email address
- Telephone or fax numbers
- Medical record numbers
- Biometric identifiers
- Geographic information, and
- Full-face photographic images (or any similar images).
Essentially, PHI is any information that could allow an unauthorized third party to ascertain a patient’s identity, medical condition, or injury.
We know 90% of healthcare practices and organizations rely on EHRs (electronic health records). Patient records are accessed by healthcare workers on mobile devices such as tablets, laptops, and phones. According to breach reports filed under HIPAA, over 2 million healthcare records were breached in April 2022. Hacking/IT incidents are the leading cause of breaches, and most of them occur through network servers and email. Theft and accidental loss of unencrypted mobile devices owned by physicians and staff account for many breach incidents.
Affected individuals must be notified within 60 days of a breach, and HHS (Health and Human Services) must also be notified if the breach has impacted more than 500 people.
A breach is a devastating event for a medical practice. It can result in:
- Loss of trust and reputation.
- Significant risk of a lawsuit from patients.
- Review by the OCR, which can result in significant financial penalties; these have gone up significantly in the last five years.
- All of the above can lead to the closure of the medical practice.
So, what are the top 5 things a medical practice must do to secure its patient data and improve HIPAA compliance?
- Encourage patient communications through a HIPAA-compliant patient portal. Asking patients to send documents and information via email is a high-risk transaction. Instead, implement a patient portal with secure password login and multifactor authentication.
- All mobile devices (phones, laptops, and tablets) should be encrypted and feature remote wiping.
- All firewalls and security software should be up to date.
- Train practice staff, providers included, on securing data and digital devices. Ensure standard data security practices are adhered to –
  - Strong passwords.
  - No sharing of passwords.
  - Logging out of networks when the work is complete.
  - Avoid using personal devices for accessing EHRs.
  - Access must be restricted according to staff role.
- Conduct regular risk assessments. HIPAA requires practices to conduct a complete security risk assessment to focus on vulnerable areas and identify new security risks. Working with an IT security partner to carry out this assessment is recommended.
- Ensure patient information privacy.
  - A medical practice cannot send marketing communication to a patient unless the patient explicitly consents to receiving such messages.
  - A medical practice cannot share any PHI with a third party that aims to contact the patient for a sales call.
  - Written consent of the patient must be obtained for the use and disclosure of psychotherapy notes. (Psychotherapy notes are the personal notes of a mental health care provider that document the contents of a counseling session and are kept separately from the rest of the patient’s medical records.)
Most patients prefer to pay by credit or debit card. It is the practice’s responsibility to secure payment card data and prevent data breaches (also known as PCI compliance). Here are a few quick tips on ensuring the safety of patients’ financial data:
- All paper documents containing credit card information should be secured with restricted access.
- Software used to store credit card information must be from “PCI DSS Validated” (Payment Card Industry Data Security Standard) service providers.
- Never store sensitive data such as the PIN or the card verification value (CVV).
HIPAA Compliance on Patient Information Accessibility
The HIPAA Patient Right of Access law was created to provide patients with the right to request access to their personal medical records.
The Interoperability and Information Blocking Final Rule defines information blocking as a practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information. Under the purview of the 21st Century Cures Act, information blocking, that is, denying access to patient health information, is a case of HIPAA non-compliance. Implementing health IT in your medical practice that makes it challenging to exchange EHI with other health IT systems falls under ‘information blocking.’
When a patient asks for access to their records, there is specific information that you are legally expected to provide, which is referred to as the ‘designated record set.’ It includes:
- Medical and billing records about individuals maintained by or for a healthcare provider
- Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan
- Other records that are used by or for the practice to make decisions about their patients’ health.
Physicians are required to act on any genuine request to exchange or provide access to electronic health information stored in the practice or hospital EHR system. Such a request could come from a patient, another provider, a health plan seeking information for clinical purposes, or a public health agency. A patient can ask for a copy of their medical record to be shared with another entity (such as another medical practice or a future employer). Typically, the request for sharing medical history must be submitted as a signed consent by the patient, with clear instructions on with whom the record is to be shared. If your medical practice does not have the requested information, the patient should be guided to the source from which they can obtain it.
Once you receive a request from a patient for access to their PHI, your medical practice must provide this information within thirty days. If there is going to be a delay, you must inform the patient of the reason for the delay and the expected time frame for providing their medical records. Even then, you cannot extend the timeline by more than thirty days.
The information can be shared in the format requested by the patient, which could be a paper copy or electronic form (email, CD, or a flash drive). You can bill a cost-based fee for retrieving and providing the PHI to the patient; however, ensure that you let the patient know the approximate cost in advance.
To conclude, the two aspects imperative to HIPAA compliance in your interactions with patients are (a) security of patient information systems and (b) giving access to patient records (on request). Ensure that you take the necessary steps listed above to be on track for HIPAA compliance. To quote Paul McNulty (former U.S. Deputy Attorney General), “If you think compliance is expensive, try non-compliance.”
*ePHI is defined as ‘any protected health information (PHI) created, stored, transmitted, or received in any electronic format or media.’