Anesthesia Coding Alert

Safeguard all forms of private info, whether electronic, paper, or verbal.

Advancements in technology brought about the rise of electronic health records (EHRs) and given the ever-increasing number of providers and practices using EHRs, it’s more important than ever for your physicians and their staff to have a solid understanding of how to keep handwritten and electronic records safe.

The HIPAA Privacy Rule “tends to be more focused on the nonelectronic and access aspects of an individual’s protected health information, and then there’s a Security Rule, which focuses on the electronic management of that individual’s information,” says Melissa Dill, product management leader for the healthcare consulting practice at Crowe.

To start the year off right, consider checking your practice’s privacy pulse and revamping the processes in place to ensure proper handling and disposal of protected health information (PHI).

Realize Violations Range From Minor to Massive

Background: The HIPAA Privacy and Security Rules offer organizations guidance on how best to set up policies and implement procedures to assess risks, protect PHI/ePHI, and avoid violations. The Rules advise not only on the provisions of the federal law, but also provide practices with guidelines to assist with HIPAA compliance planning.

What is PHI? PHI is best defined as “all ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral,” according to the HHS Office for Civil Rights (OCR) guidance on the HIPAA Privacy Rule. Furthermore, any personal information that can identify the patient and is associated with the medical record is also protected data. In fact, federal guidance lists 18 categories of “personal identifiers” that must be secured by covered entities (CEs) and business associates (BAs). A few of these include names, phone numbers, medical record numbers, and most dates related to birth, death, admission, and discharge.

When it comes to the Privacy Rule, violations vary in intensity, from minor violations to serious ones. Dill points to common issues like “simple things such as physicians’ handwritten notes being left somewhere where they can be seen by individuals who don’t have a need to see those notes, things being printed out and left on a printer for others to see, or an individual calling an office and wanting information and perhaps not being the patient, but being a patient’s parent, daughter, or child who does not have permission to access such records.”

Many of these kinds of incidents happen when someone leaves papers lying around the office without realizing or remembering they contained private information, Dill says. “Those sorts of things that you don’t necessarily think of as an issue are the easy things to have a compliance issue or a violation,” cautions Dill.

Examples: In 2020, OCR publicized the following HIPAA violations, Dill says:

• A data breach stemming from a provider’s dispute with a business associate: $100,000 settlement;
• A health system employee stole a laptop: $1 million settlement;
• An insurance company had a HIPAA breach that impacted the private information of over 10 million people: $6.85 million fine (second largest in history);
• A medical practice’s electronic health record was hacked, exposing the information of over 200,000 people: $1.5 million fine;
• A multispecialty clinic refused to give a patient their medical records: $15,000 fine; and
• A physician services provider refused to give medical records to the parents of a minor: $10,000 fine.

Invest in Strong HIPAA Security or Pay the Price

On the side of the Security Rule, practices should consider adopting or refining the systems they currently have in place. This might mean investing in technologies and other resources to monitor compliance and protect patient records. If practices are investing in those technologies and resources, they should confirm that they’re investing in the right tools that will protect them from breaches, or from cybersecurity incidents, Dill says. These things “have to be very seriously considered. All you have to do is go online and search ‘cybersecurity breaches in healthcare,’ and it will bring up a laundry list,” she explains.

Dispose of PHI Correctly and Communicate With Staff

Generally, practices can violate privacy laws without realizing it and without bad intent. “I think a lot of the disposal problems are just plain old organizational-procedural inertia — staff are doing things the way they’ve always been done, and nobody has checked to see if it’s the proper, secure way,” explains Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems LLC in Charlotte, Vermont.

“Staff may assume what they throw away is destroyed when it may not be,” Sheldon-Dean continues. It’s important everyone look more carefully at their nonelectronic information and get into the habit of handling it with the same care as electronic information. This means checking all the paper, pill bottles, or data. “It all needs to be subject to information flow analysis to ensure all information is secure until destroyed,” Sheldon-Dean advises.

Reminder: Though the HIPAA Privacy and Security Rules don’t offer specifics on the best way to dispose of PHI, OCR does provide helpful examples on how to safeguard used patient data and how to safely discard it.

OCR also offers guidance on the intersection of the rules and PHI disposal in its FAQs on the subject. Topics covered include:

• Acceptable methods for getting rid of PHI, ePHI, and other associated items
• Business associates’ roles in disposal
• Reusing hardware that may contain old ePHI
• Off-site disposal of PHI/ePHI by home health and hospice workers
• Medical records retention and disposal

Also, understand that if anyone throws out PHI with the trash, it must be “rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster,” OCR notes in the FAQs on PHI disposal.

Pocket These Training Tips

Staff education should always be an integral part of your HIPAA compliance plan — and your policies must include PHI disposal training, Sheldon-Dean maintains. “Do a training session with managers on the topic of handling all kinds of data securely, and then be sure each department talks through how they use and protect any PHI in any form. Then adopt and train all the staff in appropriate procedures,” he advises.

“Finally, do an audit (look in the trash) to make sure the message got through, and follow up as necessary until it does get through,” Sheldon-Dean cautions. “The important thing is to do your own auditing, and don’t leave it to the local TV news team to do your auditing for you.”

For additional information on PHI disposal and staff training, visit www.hhs.gov/sites/default/files/disposalfaqs.pdf.