Is managing your release of information requests worth the risk?
As a practice owner or administrator, you don’t need reminding that operating a HIPAA-compliant practice is crucial-and becoming more difficult as the rules and penalties become tighter and more progressive. With “mile markers” from the HITECH act becoming enforceable, this article was written to educate readers by outlining details of exactly how to determine if breach notification is necessary and examining a major change to the Covered Entity (CE) and Business Associate (BA) relationship. The content also provides tried and true best practices and ways to mitigate the risk and liability introduced by the new regulations. Much like using an accountant for your income tax filing, using a reputable BA for outsourced services may provide protection, peace of mind and potential savings.
Focusing on changes to the day-to-day office workflow.
The effects of the changes rolled out in the HITECH Act are widespread and will impact many (if not all) facets of HIPAA compliance. This article places the laser-focus on how the changes will affect the covered entity in their day-to-day office activities that involve sensitive information as opposed to ill-intent or malicious breaches.
To notify or not? The tale of two Mr. Smiths.
To really understand these changes, it is easiest to think about a real-world scenario. We will look at three examples of wrongful disclosure of information, and determine if they are a breach for which you must follow the notification protocols.
Example 1: John Smith, Sr., was born in 1947 and his son, John Smith, Jr., was born in 1974. The father, Mr. Smith Sr., requested a copy of his medical record be mailed to himself. When the records arrived, they were that of his son John Smith, Jr. He immediately called your practice because he is still in need of his information. You must then determine is this a breach for which notification action is required:
• Question One: Was the protected health information secure? In this situation, the answer is, “No.” By HIPAA definition, secure means encrypted or destroyed. These files were loose paper records in a mailing envelope.
• Question Two: Do any of the exclusions apply? (See Appendix A.) No, none of the exclusions apply.
• Question Three: Is there significant risk of financial, reputational, or other harm to the individual that was wrongfully disclosed? In this example, one would hope the answer is, “NO”! (After all, it is his son.) However, as we know an estranged relationship or sensitive information in the file, could be a problem. With verbal confirmation and a documented historical trail, you could confirm with Mr. Smith, Sr., to please either hand over the record to his son or appropriately destroy them. (Note – Mr. Smith Sr. may be unaware of the risk he poses for his son if he simply throws the record in the trash, or even worse, leaves them in his curbside recycle bin. It is crucial to define a script and policy for exactly what your staff should say to Mr. Smith, Sr., to ensure no further disclosure of the information.)
Therefore, it could be determined that this is not a breach and you would not be required to follow the notification protocol. However, you must document what happened and why/how you have determined it is not a breach. It would also certainly be a good PR/Customer Service move to contact Mr. Smith, Jr. and assure him of your protocols to protect his information, because it is highly likely that his father will alert him to this mistake.
Example 2: Let’s alter the above example slightly and assume that Mr. Smith, Sr., did request his information, but provided you a fax number to expedite his receipt of the records. In this scenario, the number is most likely not programmed into your pre-programmed database of frequently used fax numbers so it would need to be hand-keyed. The numbers were accidentally transposed and your office receives a phone call from a local coffee house that they have received the information on their fax. If you can show there is no significant risk of financial, reputational, or other harm to the individual, no notification will be required.
HHS has given guidance for helping you define the term, “significant risk” (See Appendix B):
• Question One: Did the information go to another Covered Entity? In this example, the answer is “No,” because the coffee house is not a Covered Entity.
• Question Two: Were you able to take immediate steps to mitigate the harm including return or destruction of the information AND a written confidentiality agreement? This area is ambiguous, and it would be wise to get counsel from your legal resource. If your staff member who answered the call from the coffee shop followed well-defined, documented guidelines, including securing a signature on a written confidentiality agreement, it could be determined during an audit that you proved no significant risk for further disclosure or ill-intended use of the information. If securing the written confidentiality agreement proves to be unsuccessful, wording such as “Do you agree that you will not further disclose this information and that you have no intention of using any of the information that would prove harmful to the patient?” and a response from the coffee house manager “I agree. I’m sitting next to my shredder and the records are being shredded as we speak,” may help protect your argument for NOT a breach and no notification required. Again, this is a beautiful shade of “gray area” and professional HIPAA legal advice is always recommended. When in doubt, call it a breach and notify!
Therefore, in the above example, you would not be required to follow the notification mandates.
Example 3: Lastly, let’s tweak the above example one last time and assume that Mr. Smith, Sr., requested his information be faxed. However, instead of a phone call from the gracious coffee house manager, your office receives a phone call that is transferred into the medical records voicemail from an individual that does not identify themselves and leaves no additional contact information. You are unable to retrieve the phone number on caller ID, etc.
You are unable to confidently ensure that the information will be disposed of properly or that there is not a significant risk as defined. In this case, you will have to endure the cumbersome burden of following your notification of breach protocol:
1. The patient must be notified with all of the proper notification criteria.
2. Your own internal documentation must be updated and filed properly.
3. You will need to complete an annual filing with the US Department of Health and Human Services at http://www.hhs.gov
4. Your practice may be subject to a $100 violation fee at the discretion of HHS and/or OCR.
For clarity, the following are a few more quick examples:
1. Mr. Smith’s records are faxed to another Covered Entity. No notification required.
2. His records were emailed to your attorney and they were meant to go to your outsourced billing service. No notification is required because the defined exclusions cover “Workforce” and a contracted BA (the attorney and outsourced billing service would both be considered workforce). Additionally, if you can determine that the email of the recipient was encrypted and of course your company outgoing email is encrypted, then the information is NOT unsecured information and no notification required.
3. His records were lost in the mail for two months and a beat up envelope arrives back to your practice with a “could not deliver” sticker. No notification is required if you can determine that the envelope is still sealed and does not appear to have been opened.
4. His records were faxed to the coffee house and Mr. Smith graciously went to the coffee house and retrieved them (and enjoyed a complimentary cup of coffee on you). No notification is required if you can document in your internal HIPAA compliant documentation protocols that you followed proper protocols to immediately mitigate harm, including securing a signed confidentiality agreement from the coffee house recipient.
5. Mr. Smith receives his record as intended, and two months later, he arrives in your office with a page of medical records belonging to another patient. On the record is a name but no other piece of Protected Health Information (PHI). No notification is required – only two pieces of PHI together could lead an individual to be able to provide harm to the identity.
The new paradigm-ways to mitigate risk and best practice tips.
It is easy to understand why these new regulations and associated penalties have left many practices stumped and wondering, “What can I do to avoid these expensive and time-consuming breaches besides turn my office into a ‘patient-free’ practice?” There are several scenarios to consider, and thankfully none include banning patients!
The first route is possibly the most obvious–continuous and rigorous training of employees on the new HIPAA rules and changes. In addition to training, implementing workflow processes and checks and balances in regard to record-keeping fulfillment can help reduce the number of office-related errors. A well documented current HIPAA Compliant Security and Privacy Protocol will help streamline the entire process if a breach or violation does occur and notification determination steps are necessary. Finally, a practice may want to consider placing accountability on the personnel involved. As one might imagine, while these initiatives may reduce the number of errors, this extra training and workflow management comes at a cost of its own in terms of personnel and executive management resources. If an office is experiencing high rates of employee turnover, the task of HIPAA compliance training could very easily become a full-time job.
What is another solution? Transfer the liability.
The HITECH Act updated HIPAA to include the Privacy and Security Provisions which now affect Business Associates. Civil and criminal penalties apply directly to the Business Associate. The significance of this change in the law is that you can transfer the liability of a breach onto the BA rather than shouldering the burden yourself.
Given the onerous nature of compliance, it could make sense for you to let someone else assume the risk of Mr. Smith’s information landing in the wrong place. What’s more, in shifting the responsibility onto the BA, you can outsource all of the analysis, consideration and documentation in the event of a breach along with the required internal audit to review each and every opportunity for PHI information to travel outside your practice.
In the medical records department it certainly seems a logical fit to transfer this liability. You can reduce the statistical chances of your practice incurring a penalty or violation or worse–a full blown breach requiring notification–by simply reducing the number of opportunities for your medical records department to have to distribute information. In short, let a trusted service provider such as DataFile Technologies do this for you.
Consider Business Associates such as DataFile Technologies that specialize in working with practices that have converted to an Electronic Medical Record (EMR) system. In a digital environment, these companies can become a fully functional outsourced medical records department for your practice. At a minimum, they handle the majority of the distribution of PHI allowing clients to minimize the possibility or even eliminate the above example of breach from occurring.
In making the case for outsourcing to a BA, reducing your risk and shifting the liability from you, the Covered Entity, might be the most obvious selling point, but the benefits extend far beyond to include the following:
• Workload redistribution/natural attrition. While your practice may be perfectly satisfied with the performance of the current fulfillment specialist, if he/she moves, rehiring and retraining a new person may not make sense given the new rules and regulations. The BA can function as an extension of the fulfillment and record-keeping department.
• Daily processing of records. Select a BA that can process record requests very quickly as opposed to an in-house model where fulfillment is relegated as other priorities become more pressing or a copy service model that processes requests on specific days. Faster record fulfillment leads to better patient relationships and satisfaction and ultimately, increased patient retention and word-of-mouth referrals.
• Reduction of phone calls. Whether it is patients, underwriters or other practices, the record-keeping and fulfillment team fields tons of phone calls inquiring about the status of record requests. By using the BA with rapid turnaround times, these calls are dramatically reduced, if not eliminated entirely.
• Liability risk reduction. More than simply shifting the compliance onus from your practice to a BA, the risk reduction comes from choosing the right BA. For example, DataFile’s data security, chain of custody protocols, and best practice workflow procedures ensure your patient’s PHI is safe.
• Elimination of staff training and retraining. Keeping your practice compliant and your staff properly trained can be a major strain on resources and time management. Conversely, your outsourced employees are highly-reliable, technology savvy and well-versed in HIPAA compliance and changes.
With these points in mind, the overriding message is clear – you can unburden yourself from the legal risks, resource strain and busywork of medical records fulfillment by choosing a reputable partner. With all of these compliance changes, the time is right to remove a major burden from your practice. Not only will you transfer liability, but you will also experience the time-savings and peace of mind of working with a partner who has the singular goal of enabling your practice to focus on your patients.
Appendix A – Exclusions defined by HHS
1. Workforce Use – Unintentional acquisition, access or use of PHI by a workforce member if the PHI is not further used or disclosed in a manner that violates the Privacy Rule.
2. Workforce Disclosure – Unintentional disclosure of PHI by a workforce member to another workforce member if the PHI is not further used or disclosed in a manner that violates the Privacy Rule.
3. No Way to Retain Info – Unauthorized disclosure to which the CE or BA has a good faith belief that the unauthorized person to whom the PHI is disclosed would not reasonably have been able to retain info.
Appendix B – Significant Risk Guideline by HHS
1. Covered Entity to Covered Entity – Inadvertent disclosure of PHI from one CE or BA employee to another similarly situated CE or BA employee, proved that PHI is not further used or disclosed in any manner that violates the Privacy Rule.
2. Immediate Steps to Mitigate – Immediate steps are taken to mitigate the harm including return or destruction of the information or a written confidentiality agreement.
3. Types of Information Included – The information disclosed was limited to just the name of the individual or a limited data set.