Is managing your release of information requests worth the risk?

As a practice owner or administrator, you don't need reminding that operating a HIPAA-compliant practice is crucial, and becoming more difficult as the rules and penalties become tighter and more progressive. With "mile markers" from the HITECH Act becoming enforceable, this article was written to educate readers by outlining exactly how to determine whether breach notification is necessary and by examining a major change to the Covered Entity (CE) and Business Associate (BA) relationship. The content also provides tried and true best practices and ways to mitigate the risk and liability introduced by the new regulations. Much like using an accountant for your income tax filing, using a reputable BA for outsourced services may provide protection, peace of mind and potential savings.

Focusing on changes to the day-to-day office workflow.

The effects of the changes rolled out in the HITECH Act are widespread and will impact many (if not all) facets of HIPAA compliance. This article places the laser-focus on how the changes will affect the covered entity in its day-to-day office activities that involve sensitive information, as opposed to ill-intentioned or malicious breaches.

To notify or not? The tale of two Mr. Smiths.

To really understand these changes, it is easiest to think about a real-world scenario. We will look at three examples of wrongful disclosure of information and determine whether each is a breach for which you must follow the notification protocols.

Example 1: John Smith, Sr., was born in 1947 and his son, John Smith, Jr., was born in 1974. The father, Mr. Smith, Sr., requested that a copy of his medical record be mailed to him. When the records arrived, they were those of his son, John Smith, Jr. He immediately called your practice because he is still in need of his information. You must then determine whether this is a breach for which notification action is required:

Question One: Was the protected health information secure? In this situation, the answer is "No." By HIPAA definition, secure means encrypted or destroyed. These files were loose paper records in a mailing envelope.

Question Two: Do any of the exclusions apply? (See Appendix A.) No, none of the exclusions apply.

Question Three: Is there significant risk of financial, reputational, or other harm to the individual whose information was wrongfully disclosed? In this example, one would hope the answer is "NO"! (After all, it is his son.) However, as we know, an estranged relationship or sensitive information in the file could be a problem. With verbal confirmation and a documented historical trail, you could ask Mr. Smith, Sr., to either hand the record over to his son or destroy it appropriately. (Note - Mr. Smith, Sr., may be unaware of the risk he poses to his son if he simply throws the record in the trash or, even worse, leaves it in his curbside recycle bin. It is crucial to define a script and policy for exactly what your staff should say to Mr. Smith, Sr., to ensure no further disclosure of the information.)

Therefore, it could be determined that this is not a breach and you would not be required to follow the notification protocol. However, you must document what happened and why/how you have determined it is not a breach. It would also certainly be a good PR/Customer Service move to contact Mr. Smith, Jr., and assure him of your protocols to protect his information, because it is highly likely that his father will alert him to this mistake.

Example 2: Let's alter the above example slightly and assume that Mr. Smith, Sr., did request his information, but provided you a fax number to expedite his receipt of the records. In this scenario, the number is most likely not stored in your pre-programmed database of frequently used fax numbers, so it would need to be hand-keyed. The digits were accidentally transposed, and your office receives a phone call from a local coffee house saying that they have received the information on their fax. If you can show there is no significant risk of financial, reputational, or other harm to the individual, no notification will be required.

HHS has given guidance for helping you define the term "significant risk" (See Appendix B):

Question One: Did the information go to another Covered Entity? In this example, the answer is "No," because the coffee house is not a Covered Entity.

Question Two: Were you able to take immediate steps to mitigate the harm, including return or destruction of the information AND a written confidentiality agreement? This area is ambiguous, and it would be wise to get counsel from your legal resource. If the staff member who answered the call from the coffee shop followed well-defined, documented guidelines, including securing a signature on a written confidentiality agreement, it could be determined during an audit that you proved there was no significant risk of further disclosure or ill-intended use of the information. If securing the written confidentiality agreement proves unsuccessful, wording such as "Do you agree that you will not further disclose this information and that you have no intention of using any of the information in a way that would prove harmful to the patient?" and a response from the coffee house manager such as "I agree. I'm sitting next to my shredder and the records are being shredded as we speak," may help support your argument that this is NOT a breach and no notification is required. Again, this is a beautiful shade of "gray area," and professional HIPAA legal advice is always recommended. When in doubt, call it a breach and notify!

Therefore, in the above example, you would not be required to follow the notification mandates.

Example 3: Lastly, let's tweak the above example one last time and assume that Mr. Smith, Sr., requested that his information be faxed. However, instead of a phone call from the gracious coffee house manager, your office receives a phone call, transferred into the medical records voicemail, from an individual who does not identify themselves and leaves no additional contact information. You are unable to retrieve the phone number from caller ID, etc.

You are unable to confidently ensure that the information will be disposed of properly or that there is not a significant risk as defined. In this case, you will have to endure the cumbersome burden of following your breach notification protocol:

1. The patient must be notified with all of the proper notification criteria.
2. Your own internal documentation must be updated and filed properly.
3. You will need to complete an annual filing with the US Department of Health and Human Services at
4. Your practice may be subject to a $100 violation fee at the discretion of HHS and/or OCR.

For clarity, the following are a few more quick examples:

1. Mr. Smith's records are faxed to another Covered Entity. No notification required.
2. His records were emailed to your attorney when they were meant to go to your outsourced billing service. No notification is required, because the defined exclusions cover "Workforce" and a contracted BA (the attorney and the outsourced billing service would both be considered workforce). Additionally, if you can determine that the recipient's email was encrypted and, of course, that your company's outgoing email is encrypted, then the information is NOT unsecured information and no notification is required.
3. His records were lost in the mail for two months, and a beat-up envelope arrives back at your practice with a "could not deliver" sticker. No notification is required if you can determine that the envelope is still sealed and does not appear to have been opened.
4. His records were faxed to the coffee house, and Mr. Smith graciously went to the coffee house and retrieved them (and enjoyed a complimentary cup of coffee on you). No notification is required if you can document, in your internal HIPAA-compliant documentation protocols, that you followed proper protocols to immediately mitigate harm, including securing a signed confidentiality agreement from the coffee house recipient.
5. Mr. Smith receives his record as intended, and two months later he arrives in your office with a page of medical records belonging to another patient. On the record is a name but no other piece of Protected Health Information (PHI). No notification is required - only two pieces of PHI together could enable an individual to do harm to the identity.

The new paradigm: ways to mitigate risk and best practice tips.

It is easy to understand why these new regulations and associated penalties have left many practices stumped and wondering, "What can I do to avoid these expensive and time-consuming breaches besides turn my office into a 'patient-free' practice?" There are several scenarios to consider, and thankfully none include banning patients!

The first route is possibly the most obvious: continuous and rigorous training of employees on the new HIPAA rules and changes. In addition to training, implementing workflow processes and checks and balances for record-keeping fulfillment can help reduce the number of office-related errors. A well-documented, current HIPAA Compliant Security and Privacy Protocol will help streamline the entire process if a breach or violation does occur and notification determination steps are necessary. Finally, a practice may want to consider placing accountability on the personnel involved. As one might imagine, while these initiatives may reduce the number of errors, this extra training and workflow management comes at a cost of its own in terms of personnel and executive management resources. If an office is experiencing high rates of employee turnover, the task of HIPAA compliance training could very easily become a full-time job.

What is another solution? Transfer the liability.

The HITECH Act updated HIPAA to include the Privacy and Security Provisions, which now affect Business Associates. Civil and criminal penalties apply directly to the Business Associate. The significance of this change in the law is that you can transfer the liability of a breach onto the BA rather than shouldering the burden yourself. Given the onerous nature of compliance, it could make sense for you to let someone else assume the risk of Mr. Smith's information landing in the wrong place. What's more, in shifting the responsibility onto the BA, you can outsource all of the analysis, consideration and documentation in the event of a breach, along with the required internal audit to review each and every opportunity for PHI to travel outside your practice.

In the medical records department it certainly seems a logical fit to transfer this liability. You can reduce the statistical chances of your practice incurring a penalty or violation, or worse, a full-blown breach requiring notification, by simply reducing the number of opportunities for your medical records department to have to distribute information. In short, let a trusted service provider such as DataFile Technologies do this for you.

Consider Business Associates such as DataFile Technologies that specialize in working with practices that have converted to an Electronic Medical Record (EMR) system. In a digital environment, these companies can become a fully functional outsourced medical records department for your practice. At a minimum, they handle the majority of the distribution of PHI, allowing clients to minimize or even eliminate the possibility of the above example of breach from occurring.

In making the case for outsourcing to a BA, reducing your risk and shifting the liability from you, the Covered Entity, might be the most obvious selling point, but the benefits extend far beyond to include the following:

Workload redistribution/natural attrition. While your practice may be perfectly satisfied with the performance of the current fulfillment specialist, if he/she moves on, rehiring and retraining a new person may not make sense given the new rules and regulations. The BA can function as an extension of the fulfillment and record-keeping department.

Daily processing of records. Select a BA that can process record requests very quickly, as opposed to an in-house model, where fulfillment is pushed aside as other priorities become more pressing, or a copy-service model that processes requests only on specific days. Faster record fulfillment leads to better patient relationships and satisfaction and, ultimately, increased patient retention and word-of-mouth referrals.

Reduction of phone calls. Whether it is patients, underwriters or other practices, the record-keeping and fulfillment team fields tons of phone calls inquiring about the status of record requests. By using a BA with rapid turnaround times, these calls are dramatically reduced, if not eliminated entirely.

Liability risk reduction. More than simply shifting the compliance onus from your practice to a BA, the risk reduction comes from choosing the right BA. For example, DataFile's data security, chain of custody protocols, and best practice workflow procedures ensure your patients' PHI is safe.

Elimination of staff training and retraining. Keeping your practice compliant and your staff properly trained can be a major strain on resources and time management. Conversely, your outsourced employees are highly reliable, technology savvy and well-versed in HIPAA compliance and changes.

With these points in mind, the overriding message is clear - you can unburden yourself from the legal risks, resource strain and busywork of medical records fulfillment by choosing a reputable partner. With all of these compliance changes, the time is right to remove a major burden from your practice. Not only will you transfer liability, but you will also experience the time savings and peace of mind of working with a partner who has the singular goal of enabling your practice to focus on your patients.

Appendices

Appendix A - Exclusions defined by HHS

1. Workforce Use - Unintentional acquisition, access or use of PHI by a workforce member if the PHI is not further used or disclosed in a manner that violates the Privacy Rule.
2. Workforce Disclosure - Unintentional disclosure of PHI by a workforce member to another workforce member if the PHI is not further used or disclosed in a manner that violates the Privacy Rule.
3. No Way to Retain Info - Unauthorized disclosure for which the CE or BA has a good faith belief that the unauthorized person to whom the PHI is disclosed would not reasonably have been able to retain the information.

Appendix B - Significant Risk Guideline by HHS

1. Covered Entity to Covered Entity - Inadvertent disclosure of PHI from one CE or BA employee to another similarly situated CE or BA employee, provided that the PHI is not further used or disclosed in any manner that violates the Privacy Rule.
2. Immediate Steps to Mitigate - Immediate steps are taken to mitigate the harm, including return or destruction of the information or a written confidentiality agreement.
3. Types of Information Included - The information disclosed was limited to just the name of the individual or a limited data set.