
1-3 Please answer Q1-3. Scenario 12-Acquired 5 Physician Practices Acme medical


Question

1-3

Please answer Q1-3.

Scenario 12 - Acquired 5 Physician Practices

Acme medical center has recently acquired five large physician practices in the region, and you, as part of the team merging the system and processes into the medical center procedures, are evaluating the privacy and security concerns. During the evaluation it is discovered that the various physician practices have several different types of digital copiers that they use in the offices.

1. What potential HIPAA violation(s) can be identified in the scenario?

2. Is there a way to mitigate the risks for a potential HIPAA violation(s)?

3. What advice does the OCR have that can be utilized to guide this process?

Explanation / Answer

According to the Healthcare Information and Management Systems Society (HIMSS), complying with the HIPAA regulations can be challenging for all healthcare organizations, regardless of size. However, smaller practices face the additional challenge of having limited resources to research reliable sources of information on what is actually required by HIPAA and to then find ways to address the requirements.

There are a few things practices can do to prepare for a HIPAA audit:

• Conduct a risk analysis of your practice. This risk assessment tool can help.

• Review the OCR audit program protocol and make sure you have addressed everything in the "Audit Procedures" column.

• Make sure that staff receives adequate training.

Family physician David Kibbe, MD, MBA told Family Practice Management that the best way for physicians to approach the HIPAA regulations is to break them down into small and manageable categories and tasks. "The familiar problem-oriented approach you use to evaluate patients' medical problems can be helpful as you assess your current security situation and prioritize what needs to be done to meet the HIPAA challenge," he said. "The idea is to manage HIPAA compliance the same way you solve your patients' problems—one at a time and as the result of careful examination, diagnosis and, where necessary, consultation."

The Health Insurance Portability and Accountability Act (HIPAA) is no laughing matter. Failure to comply with this wide-reaching piece of healthcare policy could put your organization’s future in serious jeopardy — to the tune of crippling financial penalties or even criminal charges.

Thus, it’s imperative that you and your staff are not only hip to all HIPAA requirements, but also dedicated to ensuring full compliance within your organization.

The main action items healthcare providers should be aware of:

• Know what constitutes PHI, and pinpoint all instances of PHI in your organization.

• Find a patient privacy champion in your organization, and make him or her your formal “privacy official.” That means he or she will create and implement policies and processes designed to ensure full compliance with HIPAA privacy standards. This person will also field any privacy-related concerns, questions, and requests.

• Develop a Notice of Privacy Practices (NPP) that “provides a clear, user friendly explanation of individuals' rights with respect to their personal health information and the privacy practices of health plans and health care providers.” (Review sample NPPs here.)

• Record all uses and disclosures of PHI in your organization.

• Allow patients an appropriate level of control over their own PHI, consistent with the Privacy Rule.

• When necessary, obtain explicit, written consent to disclose PHI.

• Adhere to the “minimum necessary” philosophy for PHI disclosure. As stated here, that means a “[healthcare] entity must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish [an intended purpose].”

• Create a list of your business associates (i.e., external companies and organizations that may be exposed to your patients’ PHI) and ensure you have a formal business associate agreement (BAA) with each.

• Implement adequate physical, technical, and administrative safeguards to prevent illegal PHI disclosure — whether that disclosure is intentional or unintentional.

• Continuously train your staff on HIPAA policies and procedures, and ensure your privacy officer maintains a record of those policies and all associated training activities.

Possible HIPAA violations and measures taken:

The HIPAA law to protect patient health information is quite well known by personnel in most physician offices. There still remain, however, some questions regarding HIPAA's rules and regulations. Providers who are not up to date with changes in the law risk potential violations that could not only damage a practice's reputation but also cause criminal and civil fines.

The Health Insurance Portability and Accountability Act, commonly referred to as HIPAA, was established in 1996 to set national standards for the confidentiality, security, and transmissibility of personal health information.

Healthcare providers are required, under the HIPAA Privacy Rule, to protect and keep confidential any personal health information. It also sets limits and conditions on its use and disclosure without patient authorization. The Rule also gives patients rights to their health information, including rights to obtain a copy of their medical records, and request corrections.

HIPAA does have exceptions to the rule, however, such as when it would hinder the ability to provide quality healthcare services. One example is discussion between two physicians who are both treating a patient. In addition, peer review activities, disclosures needed by health plans to resolve billing questions, and other similar situations are exempted.

The Department of Health and Human Services defines covered entities as healthcare providers, health plans, and healthcare clearinghouses, which include hospitals, physicians, chiropractors, dentists, optometrists, schools, nonprofit organizations that provide some healthcare services, and even government agencies. However, the list of those affected by HIPAA does not end there.

HIPAA violations can result in substantial fines to a practice ranging from $100 to $1.5 million. Healthcare providers can also be at risk for sanctions or loss of license.

We list below some of the more common reasons for HIPAA violation citations:

1. Employees disclosing information – Employees gossiping about patients to friends or coworkers is also a HIPAA violation that can cost a practice a significant fine. Employees must be mindful of their environment, restrict conversations regarding patients to private places, and avoid sharing any patient information with friends and family.

2. Medical records mishandling – Another very common HIPAA violation is the mishandling of patient records. If a practice uses written patient charts or records, a physician or nurse may accidentally leave a chart in the patient's examination room available for another patient to see. Printed medical records must be kept locked away and safe out of the public's view.

3. Lost or Stolen Devices – Theft of PHI (protected health information) through lost or stolen laptops, desktops, smartphones, and other devices that contain patient information can result in HIPAA fines. Mobile devices are the most vulnerable to theft because of their size; therefore, the necessary safeguards should be put into place, such as password-protected authorization and encryption, to access patient-specific information.

4. Texting patient information – Texting patient information such as vital signs or test results is often an easy way that providers can relay information quickly. While it may seem harmless, it is potentially placing patient data in the hands of cyber criminals who could easily access this information. There are new encryption programs that allow confidential information to be safely texted, but both parties must have it installed on their wireless device, which is typically not the case.

5. Social Media – Posting patient photos on social media is a HIPAA violation. While it may seem harmless if a name is not mentioned, someone may recognize the patient and know the doctor's specialty, which is a breach of the patient's privacy. Make sure all employees are aware that the use of social media to share patient information is considered a violation of HIPAA law.

6. Employees illegally accessing patient files – Employees accessing patient information when they are not authorized is another very common HIPAA violation. Whether it is out of curiosity, spite, or as a favor for a relative or friend, this is illegal and can cost a practice substantially. Also, individuals who use or sell PHI for personal gain can be subject to fines and even prison time.

7. Social breaches – An accidental breach of patient information in a social situation is quite common, especially in smaller, more rural areas. Most patients are not aware of HIPAA laws and may make an innocent inquiry to the healthcare provider or clinician in a social setting about their friend who is a patient. While these types of inquiries will happen, it is best to have an appropriate response planned well in advance to reduce the potential of accidentally releasing private patient information.

8. Authorization Requirements – Written consent is required for the use or disclosure of any individual's personal health information that is not used for treatment, payment, or healthcare operations, or otherwise permitted by the Privacy Rule. If an employee is not sure, it is always best to get prior authorization before releasing any information.

9. Accessing patient information on home computers – Most clinicians use their home computers or laptops after hours from time to time to access patient information to record notes or follow-ups. This could potentially result in a HIPAA violation if the screen is accidentally left on and a family member uses the computer. Make sure your computer and laptop are password protected and keep all mobile devices out of sight to reduce the risk of patient information being accessed or stolen.

10. Lack of training - One of the most common reasons for a HIPAA violation is an employee who is not familiar with HIPAA regulations. Often only managers, administration, and medical staff receive training although HIPAA law requires all employees, volunteers, interns and anyone with access to patient information to be trained. Compliance training is one of the most proactive and easiest ways to avoid a violation.

The privacy and security of patient health information should be a priority for all healthcare clinicians and medical professionals. Make sure your materials are current, update your manuals, and conduct annual HIPAA training to prevent potential violations. Most violations can easily be prevented by implementing HIPAA regulations into practice policies and procedures and ensuring that all individuals with access to patient information receive the proper training.

How OCR Enforces the HIPAA Privacy & Security Rules:

OCR is responsible for enforcing the HIPAA Privacy and Security Rules (45 C.F.R. Parts 160 and 164, Subparts A, C, and E). One of the ways that OCR carries out this responsibility is to investigate complaints filed with it. OCR may also conduct compliance reviews to determine if covered entities are in compliance, and OCR performs education and outreach to foster compliance with requirements of the Privacy and Security Rules. OCR may only take action on certain complaints. If OCR accepts a complaint for investigation, OCR will notify the person who filed the complaint and the covered entity named in it. Then the complainant and the covered entity are asked to present information about the incident or problem described in the complaint. OCR may request specific information from each to get an understanding of the facts. Covered entities are required by law to cooperate with complaint investigations.

If a complaint describes an action that could be a violation of the criminal provision of HIPAA, OCR may refer the complaint to the Department of Justice for investigation.

OCR reviews the information, or evidence, that it gathers in each case. In some cases, it may determine that the covered entity did not violate the requirements of the Privacy or Security Rule. If the evidence indicates that the covered entity was not in compliance, OCR will attempt to resolve the case with the covered entity by obtaining:

• Voluntary compliance;

• Corrective action; and/or

• Resolution agreement.

Most Privacy and Security Rule investigations are concluded to the satisfaction of OCR through these types of resolutions. OCR notifies the person who filed the complaint and the covered entity in writing of the resolution result.

If the covered entity does not take action to resolve the matter in a way that is satisfactory, OCR may decide to impose civil money penalties (CMPs) on the covered entity. If CMPs are imposed, the covered entity may request a hearing in which an HHS administrative law judge decides if the penalties are supported by the evidence in the case. Complainants do not receive a portion of CMPs collected from covered entities; the penalties are deposited in the U.S. Treasury.