Cardiology Coding Alert


Gain Deep Understanding of HIPAA Security and Privacy Rule to Secure PHI

Hint: Learn how to properly dispose of PHI.

As technology advances, healthcare providers must keep up with the times, which means understanding privacy and security for patients’ protected health information (PHI). The Privacy Rule tends to be more focused on the nonelectronic and access aspects of an individual’s PHI, according to Melissa Dill, product management leader for the healthcare consulting practice at Crowe. On the other hand, the Security Rule focuses on the electronic management of that individual’s information.

Read on to make sure you know how to remain compliant in your practice.

Violations Range From Minor to Massive

The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules offer organizations guidance on how best to set up policies and implement procedures to assess risks, protect PHI/ePHI, and avoid violations. The Rules advise not only on the provisions of the federal law, but also provide practices with guidelines to assist with HIPAA compliance planning.

PHI is best defined as “all ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral,” according to the HHS Office for Civil Rights (OCR) guidance on the HIPAA Privacy Rule. Furthermore, any personal information that can identify the patient and is associated with the medical record is also protected data. In fact, federal guidance lists 18 categories of “personal identifiers” that must be secured by covered entities (CEs) and business associates (BAs). A few of these include names, phone numbers, medical record numbers, and most dates related to birth, death, admission, and discharge.

When it comes to the Privacy Rule, violations vary in intensity, from minor violations to serious ones. Dill points to common issues like “simple things such as physicians’ handwritten notes being left somewhere where they can be seen by individuals who don’t have a need to see those notes, things being printed out and left on a printer for others to see, or an individual calling an office and wanting information and perhaps not being the patient, but being a patient’s parent, daughter, or child who does not have permission to access such records.”

Many of these kinds of incidents happen when someone leaves papers lying around the office without realizing or remembering that they contain private information, Dill says. “Those sorts of things that you don’t necessarily think of as an issue are the easy things to have a compliance issue or a violation,” cautions Dill.

Examples: In 2020, OCR publicized the following HIPAA violations, Dill says:

  • A data breach stemming from a provider’s dispute with a business associate: $100,000 settlement
  • A health system employee stole a laptop: $1 million settlement
  • An insurance company had a HIPAA breach that impacted the private information of over 10 million people: $6.85 million fine (second largest in history)
  • A medical practice’s electronic health record was hacked, exposing the information of over 200,000 people: $1.5 million fine
  • A multispecialty clinic refused to give a patient their medical records: $15,000 fine
  • A physician services provider refused to give medical records to the parents of a minor: $10,000 fine

Remember: If you aren’t worried about a fine as low as $10,000, think about how many evaluation and management (E/M) visits it would take for you to earn that much money. For instance, you’ll collect about $92 for every level-three, established patient office visit with a Medicare patient. Therefore, you’d have to perform 109 level-three office visits to pay that fine, which would take up about 36 hours of the physician’s time, assuming the physician spent the minimum 20 minutes referenced in the visit’s code descriptor.

Invest in Strong HIPAA Security or Pay the Price

On the side of the Security Rule, practices should consider adopting or refining the systems they currently have in place. This might mean investing in technologies and other resources to monitor compliance and protect patient records. If practices are investing in those technologies and resources, they should confirm that they’re investing in the right tools that will protect them from breaches or from cybersecurity incidents, Dill says. These things “have to be very seriously considered. All you have to do is go online and search ‘cybersecurity breaches in healthcare,’ and it will bring up a laundry list.”

Dispose of PHI Correctly and Communicate With Staff

Generally, practices can violate privacy laws without realizing it and without bad intent. “I think a lot of the disposal problems are just plain old organizational-procedural inertia — staff are doing things the way they’ve always been done, and nobody has checked to see if it’s the proper, secure way,” explains Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems LLC in Charlotte, Vermont.

“Staff may assume what they throw away is destroyed when it may not be,” Sheldon-Dean continues. It’s important that everyone look more carefully at their nonelectronic information and get into the habit of handling it with the same care as electronic information. This means checking all the paper, pill bottles, or data. “It all needs to be subject to information flow analysis to ensure all information is secure until destroyed,” Sheldon-Dean advises.

Reminder: Though the HIPAA Privacy and Security Rules don’t offer specifics on the best way to dispose of PHI, OCR does provide helpful examples on how to safeguard used patient data and how to safely discard it.

OCR also offers guidance on the intersection of the rules and PHI disposal. The following topics are outlined in its frequently asked questions (FAQ) section:

  • Acceptable methods for getting rid of PHI, ePHI, and other associated items
  • Business associates’ roles in disposal
  • Reusing hardware that may contain old ePHI
  • Off-site disposal of PHI/ePHI by home health and hospice workers
  • Medical records retention and disposal

Also, understand that if anyone throws out PHI with the trash, it must be “rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster,” OCR notes in the FAQs on PHI disposal.