HIPAA (Health Insurance Portability and Accountability Act) is the bible for protection of health information. It is not surprising that HIPAA audits are on the rise. Patient complaints are the number one driver behind being chosen for a HIPAA audit.
A review of typical violations helps medical office staff to fully understand how their duties and interaction with patients are so critical to make sure the office is in compliance with the law.
Here are the most typical violations:
- Watch the authorization expiration date, since patients set that date themselves when they sign their release records.
- Watch for missing signatures on all registration documents (releasing information without a signature is a major violation).
- Respond to patient information requests promptly – remember the patient's right to receive electronic copies on demand.
- Use caution when disposing of patient records – shred them.
- Issue passwords only to authorized users, to prevent snooping by visiting family or by employees who might look at records without authorization.
- Releasing information to an undesignated party (only the exact person(s) listed on the authorization form may receive patient information).
- Releasing unauthorized health information, e.g., the wrong document, one that has not been approved for release. A patient has the right to release only certain parts of their medical record.
- Releasing the wrong patient's information due to name similarities.
- Right to revoke clause – Any forms a patient signs need to have a Right to Revoke clause or the form is invalid. Therefore, any information released to a third party would be in violation of HIPAA regulations.
- Unprotected storage of private health information. Think about sticky notes, medical charts, checks, etc., sitting on the front desk for all to read or the unprotected access to electronic records.
Examples of Violations
- Telling friends or relatives about patients in the hospital, particularly the patient names or providing information from news sources that would clearly identify who the patient is
- Discussing private health information in public areas of the hospital, including the lobby of a hospital, an elevator or the cafeteria.
- Discussing private health information over the phone in a public area
- Not logging off a computer system that contains private health information
- Need to Know Issues: Example: The security guard in a healthcare institution needs to know the name and room number of patients to guide visitors. This is allowed; but, any other information, such as diagnosis or treatment, is not to be disclosed. A nurse needs access to private health information for the patients in his/her unit but not for any patients that are not in that unit.
- HIPAA regulations for “minimum necessary information disclosure” include: A health insurance company will need information about the number of visits the customer had; but it isn't allowed to view the entire patient history.
- Interviews: Allowing members of the media, insurance people, law enforcement to interview a patient in a substance abuse facility
- Including private health information in an email sent over the Internet
- Releasing information about minors without the consent of a parent or guardian
Make sure you know the rules. All of the HIPAA law as it relates to medical office staff is available at www.med-certification.com free of charge; also the law is included in all of the training courses.