December 15, 2017
Technology is supposed to make life easier. This is largely why the transition from paper to electronic health records became a requirement in 2011. However, it's evident the integration of technology has posed new challenges in protecting patient health information (PHI), as required by the Health Insurance Portability and Accountability Act (HIPAA).
According to Kathryn Wickenhauser 1, a regulatory compliance advisor with DataFile Technologies, technology has posed these two special challenges:
- preventing HIPAA violations and breaches due to human error; and
- protecting information from hackers.
In light of these challenges, we've shared the following best practices for covered entities looking to further protect PHI. Incorporating these practices can mean the difference between Health and Human Services (HHS) giving you a thumbs up or hitting you with a fraud or abuse determination after your next audit.
Create a Compliance Plan
If your institution has five or more clinicians, you will have at least one inadvertent disclosure of PHI every year. HHS's determination in that case will depend on whether you have a compliance plan in place.
All employees should be aware of the compliance plan, and be sure to follow it. Its contents can simply mirror HHS Security Guidelines2, or you can additionally include some of our suggestions below. Either way, if you don't already have a compliance plan in place, make one now.
Have Employees Double Check the Fax Number
One of the most common mistakes that leads to a HIPAA violation or breach involves miskeying a fax number. While this simply constitutes human error, you can prevent information from being sent to a wrong fax recipient by:
- Notifying employees a miskeyed fax is one of the most common ways that HIPAA violations and breaches occur.
- Posting a sign by the fax machine instructing employees to double check the fax number against the number on the patient authorization sheet before pressing 'Send'.
- Making double checking the fax number officially part of the compliance plan.
Audit Uploaded Files
Another common mistake that leads to a HIPAA violation or breach involves misfiling information in patient files. For instance, in scanning and uploading information, someone can inadvertently upload it to the wrong patient file. Then, when fulfilling an information request, the whole file can get sent along, containing the wrong patient's information.
As suggested by Kathryn Wickenhauser, one way to prevent this situation is to audit the file for accuracy. While time will not permit auditing the whole file, employees can at least check the first and last page, as well as checking 20% of the file's contents randomly.
Covered entities have been strategizing ways to protect information against hackers, as they've increasingly been infiltrating systems to get PHI.3 What HHS determines are adequate enough measures going forward will depend on the size and resources of the institution. However, at the very least, information that is emailed or handed over to a patient in a USB drive or other similar device should be encrypted. Encryption prevents outside hackers from gaining access to that patient information, whether it be a hacker on your system or the patients'.
Making a "Reasonable and Appropriate" Determination
HHS requires that your security measures be "reasonable and appropriate." (4) This rule takes into account that not all security measures are appropriate for every covered entity since they vary greatly in size, function, and resources. For instance, a solo practice is unlikely to have full-time IT staff to set up anti-hacking security measures as an insurance company would. However, that doesn't necessarily mean the solo practitioner shouldn't do anything, like install a $25 anti-virus software program.
Thus, what you do, and don't do, should go through that reasonable and appropriate determination. That way, in the event of a HIPAA violation or breach, you can easily justify to HHS why you did not utilize certain resources.
When There's a Breach, Revisit Your Compliance Plan
If a breach does occur, you'll need to revisit your compliance plan to determine whether there is anything else that you can reasonably do to prevent future breaches. The goal in mind is to always ensure a low probability that PHI will be compromised, or what the industry calls LowProCo.
If you're interested in more information on HIPAA compliance, or want other information on best business practices, contact us at Lorman Education Services.
(1) Shannon Geis, "Does your practice know what to do when protected information gets in the wrong hands?" MGMA. August 29, 2017. Available at https://www.mgma.com/practice-resources/mgma-connection-plus/online-only/2017/august/does-your-practice-know-what-to-do-when-protected-health-information-gets-in-the-wrong-hands.
(2) HHS, "Guidance on Risk Analysis Requirements under the HIPAA Security Rule." Available at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf.
(3) Total HIPAA Compliance, "How HIPAA Can Help Deter Hackers." August 2, 2016. Available at https://www.totalhipaa.com/hipaa-can-help-deter-hackers/.
(4) HHS, "HIPAA Basics for Providers: Security, Breach, and Notification Rules." Available at https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurity.pdf.