Privacy is a topic that is on many people’s minds today. From national security to healthcare, not a day goes by that a revelation isn’t made regarding protecting information from peering eyes. But what happens when privacy is breached?
Lincare, a national infusion and respiratory home care provider, is taking a deep breath after being handed a $240,000 civil monetary penalty by the Department of Health and Human Services’ Office for Civil Rights (OCR). An HHS Administrative Law Judge (ALJ) upheld the penalty, finding that Lincare had allowed patient data to end up in the hands of an unauthorized individual.
The incident that caused the penalty revolves around a branch manager not securing and properly tracking Lincare’s Emergency Procedures Manual. The manual contained protected health information (PHI) on every patient under the care of the branch and was required to be in the possession of staff in case a patient needed urgent care.
The ALJ determined that Lincare failed to safeguard the data and failed to have proper policies in place for tracking, training on and protecting PHI. The penalties for these HIPAA failures were assessed at the maximum amounts allowed by law, for a grand total of $240,000.
Since HIPAA was signed into law, the OCR has only pursued a civil monetary penalty of this magnitude twice. Lincare could have received a reduced amount had it acknowledged the violation and settled with the OCR. Instead, its insistence that it was right and OCR was wrong ended up biting it pretty hard.
What is the important take away and lesson from Lincare’s OCR penalty? Don’t just assume staff understand HIPAA because they can spell it, use its acronym or throw around buzz words that make you believe they have a clue. In all likelihood, most of your staff are unaware of the real effects that a violation could have on your agency, let alone what a violation really is.
Agencies that still rely on paper documentation are most at risk for a violation and the resulting penalty. With today’s technology and options, moving to an electronic medical record is one of the best ways to reduce the risk of a breach. That said, electronic records can be breached too. For instance, if your electronic record system allows data to be stored offline on a laptop, tablet or phone, you have to make sure the device is encrypted and protected by a passcode. Even then, you are not off the hook: a weak passcode can be guessed or cracked, and encryption that is misconfigured, outdated or left switched off offers little protection. Check that encryption is actually enabled on every device that holds PHI, not just that the device is capable of it.
As a best practice we have developed these formal tips to help you start on the road to full HIPAA compliance. While even the best compliance programs can be breached, having updated policies and procedures along with education is a critical component to risk management.
Policies and Procedures: When is the last time you had a look at the IT section or the privacy section of your P & P manual? Was it written more than 6 or 7 years ago, when technology was still evolving and before the HITECH Act was passed? It is a safe bet that it was, or that it has since been slightly modified but never totally overhauled to account for new technology. We can bet safely on this one because references to smartphones used as a primary Point of Care (POC) device are likely missing, and the manual instead refers to a laptop or a handheld device that needs to be synced over a dial-up modem. It is time for an upgrade and update, and not just a quick glance. HIPAA audits are becoming much more frequent. Make sure your policies also cover email, texting and other communication apps. As technology continues to change, your policies must adapt. Updated policies and procedures will go a long way in managing your risk and your potential fine.
Encryption and Passwords: If your staff use their own cell phones or tablets to document, the need for passcodes is obvious. Even if staff use a device provided by your agency, the device must have a password or passcode to protect it from unwanted viewing or tampering. All current Apple and Android devices can require a passcode and encrypt stored data to prevent breaches or tampering; make sure both are turned on, that the screen locks automatically after a short idle period, and that the passcode is not something trivial like 1234. You might face resistance, but can your agency sustain a $240,000 fine?
Stop Printing Paperwork: How many office staff print a patient face sheet from an electronic system to hand to clinical staff? Don’t use the excuse that printing saves clinicians the ‘inconvenience’ of opening the medical record and reviewing the chart. The thought is cringe worthy. Make them spend a couple of minutes actually reviewing the information rather than having it spoon-fed to them, and every printout you avoid is one less piece of PHI that can be left on a desk, in a car or at a patient’s home. Can your agency risk a very avoidable fine? No, and all it takes is education and a strict set of policies and procedures.
Tracking PHI: Sometimes it is unavoidable to have paper records, and to have those records removed from a file cabinet. For instance, during QA reviews the reviewer might want information about the patient that was faxed from a referral source, or billing might have a question about insurance that is included in the chart but isn’t available in the electronic system. When a chart is removed from the designated medical records area (yes, you should have one that is not open to the public), you need a tracking system. A checkout system in which the chart is recorded as taken out by a named staff member, with the date and reason, can be as simple as a notebook. To be more advanced, you could keep a database or Excel sheet with this information on your office’s central server for easy entry and review. Either way, the medical records manager must own this log, watch for charts that have been out too long and follow up with staff until the records come back.
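The checkout log described above, as an added example that is not part of the original post: a small Python custody ledger that records who took which chart and why, refuses a second checkout of a chart that is already out, records the return, and lists charts that have been out longer than an agency-chosen limit so the records manager knows whom to chase. The chart IDs, staff names and times are constructed sample data, not real patient records, and the 24-hour loan limit is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class CheckoutRecord:
    """One line in the chart log: who took which chart, why, and when it came back."""
    chart_id: str
    staff: str
    reason: str
    checked_out: datetime
    returned: Optional[datetime] = None

    @property
    def is_open(self) -> bool:
        # A record is open until a return time has been logged.
        return self.returned is None


class ChartLedger:
    """Append-only custody log for paper charts leaving the medical records area."""

    def __init__(self, max_loan: timedelta = timedelta(hours=24)):
        # Assumed policy: a chart out longer than max_loan is flagged for follow-up.
        self.records: List[CheckoutRecord] = []
        self.max_loan = max_loan

    def _open_record(self, chart_id: str) -> Optional[CheckoutRecord]:
        for rec in self.records:
            if rec.chart_id == chart_id and rec.is_open:
                return rec
        return None

    def check_out(self, chart_id: str, staff: str, reason: str, when: datetime) -> CheckoutRecord:
        # A chart can only be in one person's hands at a time.
        if self._open_record(chart_id) is not None:
            raise ValueError(f"{chart_id} is already checked out")
        rec = CheckoutRecord(chart_id, staff, reason, when)
        self.records.append(rec)
        return rec

    def check_in(self, chart_id: str, when: datetime) -> CheckoutRecord:
        rec = self._open_record(chart_id)
        if rec is None:
            raise ValueError(f"{chart_id} is not checked out")
        if when < rec.checked_out:
            raise ValueError("return time precedes checkout time")
        rec.returned = when
        return rec

    def overdue(self, now: datetime) -> List[CheckoutRecord]:
        """Charts still out past the loan limit; these need a follow-up call."""
        return [r for r in self.records if r.is_open and now - r.checked_out > self.max_loan]

    def history(self, chart_id: str) -> List[CheckoutRecord]:
        """Full custody trail for one chart, oldest first."""
        return [r for r in self.records if r.chart_id == chart_id]


def demo_ledger() -> ChartLedger:
    """Constructed sample activity (not real patient data)."""
    ledger = ChartLedger()
    t0 = datetime(2016, 3, 1, 9, 0)
    ledger.check_out("CHART-1042", "J. Reviewer", "QA review of faxed referral", t0)
    ledger.check_out("CHART-2077", "M. Biller", "insurance question", t0 + timedelta(hours=1))
    ledger.check_in("CHART-1042", t0 + timedelta(hours=3))
    return ledger


def demo_overdue_ids(now: Optional[datetime] = None) -> List[str]:
    """Chart IDs the records manager should chase at the given time (default: next day at noon)."""
    if now is None:
        now = datetime(2016, 3, 2, 12, 0)
    return [r.chart_id for r in demo_ledger().overdue(now)]


if __name__ == "__main__":
    ledger = demo_ledger()
    for rec in ledger.overdue(datetime(2016, 3, 2, 12, 0)):
        print(f"OVERDUE: {rec.chart_id} out since {rec.checked_out} with {rec.staff} ({rec.reason})")
```

In practice the log should live on the central server with access limited to the records manager, and the overdue report should be run daily; the same structure translates directly to a spreadsheet with one row per checkout and a return-date column that is empty until the chart comes back.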
Education: You have case conference every week. Why not spend 5 minutes reviewing HIPAA policies and procedures? Don’t assume ‘they have heard it enough’ to get it. They haven’t. Keep drilling into your staff what a HIPAA violation is, how one occurs, how to avoid it, your agency’s procedures for handling PHI, and the risk your agency faces. You can’t stress it enough.
Lincare is a national agency and you are a regional agency, but that difference doesn’t matter. OCR is looking at all providers, large and small, for potential HIPAA violations. Be ready, be prepared and don’t get caught. A strong set of policies and procedures will allow your agency to operate according to plan without hesitation. This principle goes beyond HIPAA: strong policies and procedures allow you to grow while retaining quality. Two lessons are learned here. You must comply with HIPAA or pay, and you must keep all of your policies and procedures current and ready for action. Contact us to learn more!