Ensuring HIPAA Compliance for Your Medical Practice
With the adoption of electronic health records (EHR) systems, a changing health insurance landscape, and rapid technological advances, it seems that no other industry is undergoing as much change as the healthcare industry. Add mandated compliance with the HIPAA final omnibus rule, which went into effect in September 2013 and strengthened provider requirements for ensuring patient privacy protections, and healthcare providers have a lot to think about.
The evolving HIPAA landscape is also reflective of—and a direct response to—the countless privacy breach threats the healthcare industry faces. Hospitals, institutions and small practices are increasingly targeted for the acquisition of confidential patient information. Providers who do not adequately protect patient health information (PHI) not only risk damage to their reputation and face civil lawsuits, but also run afoul of increasing scrutiny by the Department of Health and Human Services Office for Civil Rights (OCR). Recently, the OCR handed out a record-breaking $4.8 million HIPAA fine to New York Presbyterian Hospital and Columbia University Medical Center for failure to protect PHI. This should serve as a cautionary tale, not only for large healthcare institutions but also for doctors and practitioners with smaller practices.
HIPAA compliance doesn’t necessarily mean having to invest in costly electronic systems; often it comes down to basic, common-sense methods for maintaining continuous privacy for your patients’ health information. While the pilfering of electronic health information through hacking and cyber-attacks is certainly on the rise, breaches of hardcopy information are still common.
For example, in another recent occurrence, a complaint was filed against a large drugstore chain for alleged HIPAA violations, including accusations of PHI being left unattended on desks and in public areas. While the OCR did not find widespread or systematic non-compliance, individual instances were noted and suggestions were made for ensuring safeguards, one of which was enhanced staff training.
Protecting patient privacy
These troublesome violations highlight the need for ongoing HIPAA training of the doctors, practitioners and administrative staff within your practice. All employees should understand privacy and security policies and associated consequences of a violation. Policies for the handling of PHI should also be made clear. Procedures for storing, accessing and disposing of medical records and business documents should also be clearly outlined.
Patient information should never be left in plain view for others to see. On-site file rooms should be locked and access to records highly regulated. Inactive files should be transferred off-site to a secure records center where they can be protected and managed for the duration of their retention life cycle.
Expired records and other paperwork should be disposed of promptly. A secure NAID AAA Certified shredding service eliminates the risk of expired records being left on desktops or workstations where they can be compromised. Shred collection containers can be strategically placed within your practice, enabling documents and files to be quickly and securely collected and shredded in accordance with HIPAA standards.
Richards & Richards provides healthcare providers throughout the Nashville area with comprehensive records and information management solutions. For more information please contact us by phone or complete the form on this page.