February 26, 2020 The days of simply shredding paper records and files to dispose of Protected Health Information (PHI) are behind us as the use of technology continues to become more prevalent within the medical industry. Under the HIPAA Privacy Rule, practices are required to implement the proper administrative, technical, and physical safeguards when it comes to protecting patient privacy. This rule dictates that covered entities are responsible for implementing and maintaining these policies. For many practices, disposing of electronic or regular PHI in the proper way may be daunting. Instead of always shredding a paper file, practices now have to follow recommended methods to dispose of data provided by the U.S. Department of Health and Human Services. These methods include: Without a simple checklist to follow, it is difficult to guarantee that the best measures are being taken to protect this secure data. In fact, covered entities and business associates have been hit with hefty fines for not disposing of PHI properly. RELATED: IS YOUR PRACTICE MEETING HIPAA DATA SECURITY REQUIREMENTS? DOWNLOAD OUR HIPAA CHECKLIST AND FIND OUT! In one well-publicized example, a shredding company left thousands of patient files unlocked and unguarded for anyone to take. The shredding company, as well as the covered entity whose files were left unsecured, were both hit with monetary settlements. Another incident of improper PHI handling left almost 10,000 individuals impacted. In this case, a pharmacy disposed of an electronic device used for customer signatures without properly wiping the device first. This exposed a vast amount of PHI including patient names and signatures along with prescription numbers and medication names. Many of these incidents occur due to the lack of policies set in place by the practices for business associates and other outside parties handling patient data. Another case that led to monetary penalties totaling a whopping $140,000 resulted from a medical billing company disposing of 67,000 patient records in a public dumpster. Unfortunately, improper disposal of PHI is the source of many data breaches and HIPAA violations. Implementing the correct policies for disposal of PHI is paramount, and each employee must be trained on proper PHI disposal to ensure that your practice is taking every step possible to keep protected health information secure.
Tax Audits vs HIPAA Audits | What You Need to Know
February 21, 2020 When you think of the most wonderful time of the year – tax season probably isn’t the first thing that comes to mind. But even though the filing process can be a bit daunting, it’s the lesser of two evils when compared to the IRS audit that could result from not submitting anything at all. So while you file your taxes this time every year in hopes of not having to face the IRS this tax season – what are you doing to prepare for a HIPAA audit? As long as you do everything right, the changes of the government showing up on your doorstep are pretty slim. In fact, considering only about 0.5% of all tax returns filed are actually audited – you have a 6% better chance of becoming a millionaire than you do facing the IRS. But despite the unlikely odds, we’re all still focused on staying off the government’s radar by filing each and every year. This better safe than sorry mentality should also apply to the precautions taken to avoid a HIPAA audit, but for many practices, it doesn’t hold the same weight. Over the past few years, the Office for Civil Rights has investigated more HIPAA complaints and ran more random practice audits than ever before, bringing the total amount of HIPAA fines to over $19 million – just between 2020-2021 alone. So why have we seen such a major increase lately? With technology use in healthcare on the rise and changes in government standards and patient needs, it is easier for Protected Health Information (PHI) to be accessed by those with malicious intent and seemingly harder for practices to provide patients with their own PHI when requested. So just as we all go through the tax filing process – ensuring that you have a complete HIPAA program is pretty similar: So why don’t practices pay more attention to HIPAA, like they do their taxes? It all comes down to the lack of education on what HIPAA compliance really entails. The reality for many practices is that, because of misinformation or lack of education, the proper safeguards are never put in place and data breaches are growing more and more common. The worst part? A HIPAA fine could cost your practice, and has cost many others, millions of dollars in addition to time-consuming administrative burdens. And on top of that, unlike late payment fees or penalties on taxes, once a breach occurs under HIPAA there is no going back – and no way to reduce the government’s levied fines. Our takeaway? You shouldn’t just be preparing for tax season – HIPAA audit season has proven to be a year-round occurrence that deserves just as much of a priority as filing taxes does.
How to Handle HIPAA in Public Health Emergencies
February 6, 2020 Wondering how your practice needs to handle HIPAA privacy when it comes to public health emergencies, like the recent Novel Coronavirus outbreak? Read the OCR’s tips below! As the Novel Coronavirus (2019-nCoV) outbreak continued to make news, the Office for Civil Rights (OCR) sent a recent bulletin out including additional information for how to handle PHI and how the HIPAA Privacy Rule should be applied with regard to public health emergencies such as this one. Even in public health emergencies, covered entities (as well as business associates) are still expected to adhere to HIPAA regulations and safeguard the security and privacy of their PHI consistent with HIPAA law. Here’s a few key takeaways from the OCR bulletin that your organization should remember: As a reminder, all PHI disclosures even in these circumstances should be limited to the minimum information necessary, including continuing to adhere to role-based access for internal employees. If a public health agency such as the CDC requests information, all requested information should be treated as the minimum necessary for the public health purpose.