Common HIPAA Violations

That Privacy Act – HIPAA – sometimes seems complicated with all its rules about protecting patient information, while at the same time hopefully making the medical part of the record available to related providers and improving patient care. The act permits providers to communicate electronically with patients by both email and text, as well as to make the clinic or hospital record system available online to patients. It seems that unintentional disclosures keep popping up. With email, it’s a good idea to send patients a confirming email alert reminding them of their agreement to such communication before sending actual information. Providers should try for encrypted email, or at least limit what can be disclosed if email is not encrypted. Patients may refuse such communications, but it’s safe to assume that if not prohibited by the patient, it is acceptable. So, ask and document that permission. HIPAA Compliant Email statement (attached to the bottom of every email): The information contained in this transmission may contain privileged and confidential information, including patient information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. In the provider’s office, it is important to note potential violations. Have you been in such an office and heard the receptionist ask a patient for a full name, birthdate, verify an address, phone number,...

Medical Records – A Hacker Bonanza

As reported by Reuters, medical information is worth 10 times more than a credit card number on the black market. Last month, the FBI warned healthcare providers to guard against cyber attacks after one of the largest U.S. hospital operators, Community Health Systems, Inc., said Chinese hackers had broken into its computer network and stolen the personal information of 4.5 million patients. Security experts say cyber criminals are increasingly targeting the $3 trillion U.S. healthcare industry, in which many companies are still reliant on aging computer systems that do not use the latest security features. “As attackers discover new methods to make money, the healthcare industry is becoming a much riper target because of the ability to sell large batches of personal data for profit,” said Dave Kennedy, an expert on healthcare security and CEO of TrustedSEC, LLC. “Hospitals have low security, so it’s relatively easy for these hackers to get a large amount of personal data for medical fraud.” The data for sale includes names, birth dates, policy numbers, diagnosis codes and billing information. Fraudsters use this data to create fake IDs to buy medical equipment or drugs that can be resold, or they combine a patient number with a false provider number and file made-up claims with insurers, according to experts who have investigated cyber attacks on healthcare organizations. Medical identity theft is often not immediately identified by a patient or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected. Stolen health credentials can go for $10 each,...

Medical Record Privacy?

If you’ve had medical care recently, you and your medical and other private information are now on a medical provider’s computer. Are your records safe? Well, don’t be too sure. From the Orange County Register, reporters note that thieves, hackers and careless workers have breached the medical privacy of nearly 32 million Americans. Those numbers, taken from new U.S. Health & Human Services Department data, underscore a vulnerability of electronic health records. Medical records contain sensitive information patients would be horrified to share: alcohol and drug use, psychiatric problems, etc. Despite ever-tighter federal regulations, “we recognize that sometimes security is still compromised,” said Dr. Jacob Reider, HHS’ deputy national coordinator for information technology. The government promotes online privacy, and most of the breaches have resulted from not following the guidance. The government is imposing big fines on insurers, hospitals or doctors that lose control of records. In May, HHS levied a record $4.8 million penalty against New York-Presbyterian Hospital and its partner, Columbia University. The grounds: In September 2010, some 6,800 patients’ records were accidentally exposed to Internet search engines. The sheer volume of information, encrypted or not, is just too tempting for...

HIPAA Compliance Deadline 2013

Medical practices that have not added new patient rights to their privacy notices, as required by the federal government, have until September 23 to become law-abiding. The formal name for the ubiquitous set of papers that receptionists hand to patients is the Notice of Privacy Practices (NPP). It was created by the Health Insurance Portability and Accountability Act (HIPAA). The notice explains how physicians may use and disclose the “protected health information (PHI)” of patients without their authorization, and which uses and disclosures require prior approval. In January, the Department of Health and Human Services (HHS) published new HIPAA privacy regulations, which NPPs must abide by and which took effect March 26. HHS gave physicians and other entities governed by HIPAA until September 23, 2013 to comply. NPPs must inform patients about new prerogatives they have under HIPAA. For example, patients now can order their healthcare provider not to tell their health insurer about services they elect to pay for out of pocket. Some of these private payments are for psychiatric treatment, said practice management consultant Mary Pat Whaley, founder of a Web site called Manage My Practice. “Many people are skittish about running mental health issues through their insurance,” said Whaley, noting the stigma frequently placed on psychiatric disorders in the workplace and elsewhere. NPPs also must state that patients can opt out of receiving information about any fundraising conducted by a healthcare provider, that a provider cannot sell a patient’s PHI without his or her explicit authorization, and that if a patient’s PHI accidentally goes public, the provider must notify him or her about the breach. Whaley said medical practices...

HIPAA Basics

HIPAA, the Health Insurance Portability and Accountability Act, is critical legislation that protects health information and deals with other elements of insurance options. Physicians are challenged every day in every way to contain or reduce cost, improve access to care, and maintain and improve the quality of the care that they give. Patients are now more informed than ever before because of their exposure to the Internet, which brings information of all kinds with the click of a mouse. Privacy of personal information is a greater concern than ever before. We are in an age of information, and managing this information is a critical requirement for all businesses. Health care researchers have been gathering and disseminating vital statistical information for years. De-identification of that data, coupled with aggregation of the data, has brought about increased awareness of trends and analyses of treatment plans and outcomes for patients. Protecting personal, private health care information is a must. The HIPAA Act of 1996, Title II, is about Administrative Simplification. At first glance, the requirements seem overwhelming. Not only must electronic transaction standards be implemented, but standards for code sets, identifiers, privacy and security must also be in place. What impact do these new regulations have on physician private practice? What steps are to be followed to bring a practice into compliance? If a provider performs, or provides a service to perform, electronic transactions for eligibility, claims, coordination of benefits, remittance advice, and/or referral authorizations or notices, these transactions now have standards specified by the HIPAA Transaction and Code Set rules and regulations. The HIPAA rules and regulations for...

Hybrid Medical Records

In keeping with the progress and technical aspects of medical information (medical records), Med-Certification monitors industry progress with EMR (Electronic Medical Records) technology. It is clear that no matter how “paperless” healthcare organizations become using EMR, it appears inevitable that hospitals and private practice providers will still have to deal with some form of the handwritten chart, making it necessary to have strong policies and procedures in place. Here is some information from hospitals regarding their efforts. As hospitals and private providers transition from paper to electronic medical billing and health records, they are working in what is commonly referred to as a hybrid environment: a combination of paper, EMR, and document imaging. Maintaining order in this setting can be challenging for HIM departments.

Here to Stay

At Rochester General Hospital, HIM Director Barbara Gerringer, RHIT, says the hospital began its adventure into the hybrid world by scanning its emergency department records, followed by lab and ancillary reports such as radiology and typed records (e.g., discharge summaries and operative reports). All are now available electronically in its EDCO electronic document management system (EDMS), which serves as the organization’s EMR and legal medical record. Gerringer notes that defining a hybrid medical record must align with how an organization defines its legal record. “When we started this process, we said that anything available electronically was the legal document, so when we had a release-of-information [ROI] request, we would call the document off of the system and copy the rest of the paper record,” she says. “We continued to file the paper record even if it was...