Gastroenterology Coding Alert

Compliance:

Properly Handle PHI to Remain HIPAA Compliant

Beware how easy it is to accidentally violate privacy laws.

As technology continues to advance, it’s more important than ever for healthcare providers to have a solid understanding of how to keep handwritten and electronic records safe. The HIPAA Privacy Rule refers to all non-electronic access to an individual’s protected health information (PHI). “Then there’s a Security Rule, which focuses on the electronic management of that individual’s information,” says Melissa Dill, Managing Director for the healthcare consulting practice at Crowe in Nashville, Tennessee.

As we approach the new year, consider checking your practice’s privacy pulse and revamp your PHI disposal processes.

Realize Violations Range from Minor to Massive

Background: The HIPAA Privacy and Security Rules offer organizations guidance on how best to set up policies and implement procedures to assess risks, protect PHI/ePHI, and avoid violations. The rules advise not only on the provisions of the federal law, but also provide practices with guidelines to assist with HIPAA compliance planning.

What is PHI? PHI is best defined as “all ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral,” according to the HHS Office for Civil Rights (OCR) guidance on the HIPAA Privacy Rule. Furthermore, any personal information that can identify the patient and is associated with the medical record is also protected data. In fact, federal guidance lists 18 categories of “personal identifiers” that must be secured by covered entities (CEs) and business associates (BAs). A few of these include names, phone numbers, medical record numbers, and most dates related to birth, death, admission, and discharge. For a full list, go to https://www.hipaajournal.com/considered-phi-hipaa/.

When it comes to the Privacy Rule, violations vary in intensity, from minor violations to serious ones. Dill points to common issues like “simple things such as physicians’ handwritten notes being left somewhere where they can be seen by individuals who don’t have a need to see those notes, things being printed out and left on a printer for others to see, or an individual calling an office and wanting information and perhaps not being the patient, but being a patient’s parent … or child who does not have permission to access such records.”

Many of these kinds of incidents happen when someone leaves papers lying around the office without realizing or remembering they contained private information, Dill says. “Those sorts of things that you don’t necessarily think of as an issue are the easy things to have a compliance issue or a violation,” cautions Dill.

Examples: In 2020, OCR publicized the following HIPAA violations, Dill says:

  • A data breach stemming from a provider’s dispute with a business associate: $100,000 settlement
  • A health system employee stole a laptop: $1 million settlement
  • An insurance company had a HIPAA breach that impacted the private information of over 10 million people: $6.85 million fine (second largest in history)
  • A medical practice’s electronic health record was hacked, exposing the information of over 200,000 people: $1.5 million fine
  • A multispecialty clinic refused to give a patient their medical records: $15,000 fine
  • A physician services provider refused to give medical records to the parents of a minor: $10,000 fine

Remember: If you aren’t worried about a fine as low as $10,000, think about how many E/M visits it would take for you to earn that much money. For instance, you’ll collect about $92 for every level-three, established patient office visit with a Medicare patient (based on the 2022 national unadjusted rates). Therefore, you’d have to perform 109 level-three office visits to pay that fine, which would take up about 36 hours of the physician’s time, assuming the physician spent the minimum 20 minutes referenced in the visit’s code descriptor.

Invest in Strong HIPAA Security or Pay the Price

On the side of the Security Rule, practices should consider adopting or refining the systems they currently have in place. This might mean investing in technologies and other resources to monitor compliance and protect patient records. If practices are investing in those technologies and resources, they should confirm that they’re investing in the right tools that will protect them from breaches or from cybersecurity incidents, Dill reminds. These things “have to be very seriously considered. All you have to do is go online and search ‘cybersecurity breaches in healthcare,’ and it will bring up a laundry list.”

Dispose of PHI Correctly and Communicate with Staff

Generally, practices can violate privacy laws without realizing it and without bad intent. “I think a lot of the disposal problems are just plain old organizational-procedural inertia — staff are doing things the way they’ve always been done, and nobody has checked to see if it’s the proper, secure way,” explains Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems, LLC in Charlotte, Vermont.

“Staff may assume what they throw away is destroyed when it may not be,” Sheldon-Dean continues. It’s important that everyone look more carefully at their non-electronic information and get into the habit of handling it with the same care as electronic information. This means checking all paper records, labeled pill bottles, and stored data. “It all needs to be subject to information flow analysis to ensure all information is secure until destroyed,” Sheldon-Dean advises. This includes the memory inside fax machines and copiers, as well as appropriate measures to completely wipe the hard drive of any computer that is being discarded or sold.

Reminder: Though the HIPAA Privacy and Security Rules don’t offer specifics on the best way to dispose of PHI, OCR does provide helpful examples on how to safeguard used patient data and how to safely discard it.

OCR also offers guidance on the intersection of the rules and PHI disposal in its FAQs on the subject. Topics covered include:

  • Acceptable methods for getting rid of PHI, ePHI, and other associated items
  • Business associates’ roles in disposal
  • Reusing hardware that may contain old ePHI
  • Offsite disposal of PHI/ePHI by home health and hospice workers
  • Medical records retention and disposal

Also, understand that if anyone throws out PHI with the trash, it must be “rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster,” OCR notes in its Frequently Asked Questions (FAQs) on PHI disposal.

For additional information on PHI disposal and staff training, visit www.hhs.gov/sites/default/files/disposalfaqs.pdf.