Otolaryngology Coding Alert

You should take HIPAA seriously — because insurers do.

Ever wonder whether the government is still taking HIPAA seriously? The Office of Civil Rights (OCR), which oversees the HIPAA program, scored one of its biggest settlements of all time last year, and has been on a roll in 2021 as well.

Last fall, an Arkansas-based otolaryngology practice revealed that an unauthorized person gained access to a staff member’s email account, and used it to send unauthorized messages. A further analysis indicated that protected health information (PHI) such as patient names, dates of birth, diagnoses, and Social Security numbers had been compromised. Situations like this underscore how essential it is to remain vigilant about protecting patient privacy.

HIPAA Rules Include Serious Complexity

It’s not surprising that many practices are challenged to fully understand the HIPAA Privacy and Security Rule, said Melissa Dill, product management leader for the healthcare consulting practice at Crowe.

“I think there are always challenges with deeply understanding the actual HIPAA Rule,” Dill noted. “It is very complex. It has largely remained intact from its original implementation. There were related updates made to the HITECH Act in 2009, and now there are additional changes that were proposed in December of 2020. Often, it’s a lack of familiarity with the original HIPAA rule, as well as the changes that have come since then.”

Practices should keep in mind that there are two familiar parts to HIPAA, Dill said. “There’s the Privacy Rule, which tends to be more focused on the non-electronic and access aspects of an individual’s protected health information, and then there’s a Security Rule, which focuses on the electronic management of that individual’s information.”

Privacy Rule Violations Vary

When it comes to the Privacy Rule, violations vary in intensity, from minor violations to serious ones. “Simple things such as physicians’ handwritten notes being left somewhere where they can be seen by individuals who don’t have a need to see those notes, or things being printed out and left on a printer for others to see,” Dill said. “Or an individual calling an office and wanting information and perhaps not being the patient, but being a patient’s parent, daughter, or child who does not have permission to access such records. Those sorts of things that you don’t necessarily think of as an issue are the easy things to have a compliance issue or a violation.”

Some Practices Don’t Have Proper Information Security in Place

On the side of the Security Rule, physician practices must have the appropriate security measures in place to protect their systems, Dill said. “Are they investing in the technology and resources to monitor compliance and protect electronic health records in their practice?”

If practices are investing in that technology and resources, they should confirm that they’re investing in the right tools that will protect them from breaches, or from cybersecurity incidents, Dill said. “Those have to be very seriously considered. All you have to do is go online and search ‘cybersecurity breaches in health care’, and it will bring up a laundry list.”

HIPAA Fines, Audits Remain Serious

If you thought HIPAA fines and audits are a thing of the past, think again. “They are very real,” Dill said. “2020 was a very busy year for the OCR to investigate these breaches, and there was one settlement in 2020 that was $6.85 million, which was the second-largest in history.”

Last year, the following HIPAA violations were publicized, Dill says:

• A data breach stemming from a provider’s dispute with a business associate: $100,000 settlement
• A health system employee stole a laptop: $1 million settlement
• An insurance company had a HIPAA breach that impacted the private information of over 10 million people: $6.85 million fine
• A medical practice’s electronic health record was hacked, exposing the information of over 200,000 people: $1.5 million fine
• A multispecialty clinic refused to give a patient his/her medical records: $15,000 fine
• A physician services provider refused to give medical records to the parents of a minor: $10,000 fine

“Many of these fines are for physician practices, and several are related to access to a person’s record,” Dill said. “And then there were times when something was lying around in office and someone forgot there was private information included — those things are important to monitor.”

Remember: If you aren’t worried about a fine as low as $10,000, think about how many E/M visits it would take for you to earn that much money. For instance, you’ll collect approximately $92 every time you report 99213 (Office or other outpatient visit for the evaluation and management of an established patient, which requires a medically appropriate history and/or examination and low level of medical decision making. When using time for code selection, 20-29 minutes of total time is spent on the date of the encounter).

Therefore, you’d have to perform 109 level-three office visits to pay that fine, which would take up about 36 hours of the physician’s time.