Is outsourcing your records requests worth the risk?
As a practice owner or manager, you do not need to be reminded that running a HIPAA-compliant practice is important, or that it is becoming harder as the rules and penalties grow tighter and more aggressive. With the Breach Notification rule from the HITECH Act now enforceable, this article was written to show readers exactly how to determine whether breach notification is necessary and to explain a significant change in the relationship between Covered Entities (CEs) and Business Associates (BAs). It also offers tried-and-true best practices and ways to reduce the risk and liability introduced by the new rules. Much as hiring a reputable accountant to file your income taxes does, using a reputable outsourced BA can provide protection, peace of mind and potential savings.
Focused on changes in day-to-day office workflow.
The effects of the changes rolled out in the HITECH Act are widespread and will touch many, if not all, aspects of HIPAA compliance. This article puts a laser focus on how the changes affect routine day-to-day office activities that involve sensitive information, as opposed to intentional or malicious violations.
To report or not? The Tale of Two Mr. Smiths.
The easiest way to understand these changes is to walk through real-world situations. We will look at three examples of misdirected information and determine, for each, whether it is a breach that requires you to follow the reporting protocol.
Example 1: John Smith, Sr., was born in 1947 and his son, John Smith, Jr., was born in 1974. The father, Mr. Smith Sr., requests that a copy of his medical records be sent to him. When the records arrive, they are his son's, John Smith, Jr.'s. He immediately calls the practice because he still needs his own information. You must then decide whether this is a breach and whether notification is required:
• Question one: Was the protected health information (PHI) secured? In this situation, the answer is "No." Under HHS guidance, PHI is "secured" only when it has been rendered unusable, unreadable or indecipherable to unauthorized persons, in practice through encryption or destruction. These files were loose paper records in a mailing envelope.
• Question two: Does any exception apply? (See Appendix A.) No, none of the exceptions apply.
• Question three: Is there a significant risk of financial, reputational or other harm to the individual whose information was wrongly disclosed? In this example, one would hope the answer is "No" (after all, it went to his father). But, as we know, a strained family relationship or sensitive information in the records could be a problem. With verbal confirmation and a documented trail, you can ask Mr. Smith Sr. either to pass the records to his son or to destroy them appropriately. (Note: Mr. Smith Sr. may be unaware of the risk he creates for his son if he simply throws the records in the trash or, worse, leaves them in his curbside recycling bin. It is important to define a script and give staff direction on exactly what to say to Mr. Smith Sr. to ensure there is no further disclosure.)
It could be determined that this is not a breach and that the notification protocol need not be followed. However, you must document what happened and why and how you decided that it was not a breach; the burden of demonstrating that notification was not required rests with the practice. It would also be good public relations and customer service to contact Mr. Smith Jr., explain the protocol followed to protect his information and give assurance that his records are protected, because it is very likely that his father will mention the mistake to him.
Example 2: Let's change the example a little and assume that Mr. Smith Sr. requested his information but, because he was in a hurry, asked that the records be faxed. In this scenario the number is not in the pre-programmed directory of frequently used fax numbers, so it has to be entered by hand. Two digits are transposed, and the office receives a call from a local coffee house saying that they have received the fax. If you can show that there is no significant risk of financial, reputational or other harm to the individual, no notification is required.
HHS has issued guidance to help you apply the term "significant risk" (see Appendix B):
• Question one: Did the information go to another Covered Entity? In this example, the answer is "No," because the coffee house is not a Covered Entity.
• Question two: Were you able to take immediate steps to mitigate the harm, including the return or destruction of the information and a written confidentiality agreement? This area is ambiguous, and it would be wise to seek advice from a HIPAA attorney. If the employee who answered the call from the café followed well-defined, documented instructions, including securing a signed written confidentiality agreement, it could be determined during the review that there was no significant risk of further disclosure or ill-intended use of the data. To make a written confidentiality agreement effective, a question such as "Do you agree that you will not further disclose this information and that you will not use any of it in a way that could harm the patient?" and a documented response from the café manager such as "I agree. I am standing next to my shredder and the records are being shredded as we speak" can support your position that no breach occurred and no notice is required. Again, this is a shade of "gray area," and professional HIPAA legal advice is always recommended. When in doubt, call it a breach and notify.
Therefore, in the above example, you would not be required to follow the reporting mandate.
Example 3: Finally, let's tweak the example one last time and assume that Mr. Smith Sr. asked for his information to be faxed. But instead of a call from a gracious coffee house manager, the office receives a call, transferred to the medical records voicemail, from a person who does not identify himself and leaves no contact information. You cannot retrieve the caller's phone number.
You are unable to confirm that the information will be disposed of properly or that there is no significant risk as defined. In this case you must shoulder the considerable burden of your breach notification protocol:
1. The patient must be notified in accordance with the applicable notification criteria (without unreasonable delay, and no later than 60 calendar days after discovery).
2. Internal documentation, including the breach log, must be updated and filed correctly.
3. You must complete the annual filing with the U.S. Department of Health and Human Services at http://www.hhs.gov (breaches affecting 500 or more individuals must be reported to HHS without delay rather than annually).
4. Your practice may be subject to a penalty of $100 per violation, at the discretion of HHS and/or the Office for Civil Rights (OCR).
For clarity, here are a few more quick examples:
1. Mr. Smith's records were faxed to another Covered Entity. Under the HHS factors (Appendix B), disclosure to another HIPAA-regulated entity weighs against a significant risk of harm; if the recipient confirms return or destruction and you document it, notification is generally not required. If you cannot obtain that confirmation, treat it as a breach and notify.
2. Mr. Smith's records were emailed to an attorney and to the outsourced billing service. No notice is necessary because the defined exceptions cover workforce members and designated BAs (the attorney and the outsourced billing service would be considered BAs). In addition, if you can determine that the recipient's email was encrypted, and of course that your practice's email is encrypted, then the information was not unsecured PHI and no reporting is required.
3. Mr. Smith's records were lost in the mail for two months and a battered envelope comes back to the practice with an "undeliverable" sticker. No notice is required if you can determine that the envelope remained sealed and does not appear to have been opened.
4. Mr. Smith's records were faxed to the coffee house, and Mr. Smith went to the friendly coffee house and picked them up (enjoying a free cup of coffee on you). No notice is required if you can document, in your internal HIPAA-compliant protocol records, that you followed the proper protocol to mitigate harm immediately, including securing a signed confidentiality agreement from the coffee house recipient.
5. Mr. Smith receives his records as intended and, two months later, comes into the office with a page of medical records belonging to another patient. The page shows a name but no other piece of PHI. No notice is required: a name alone is unlikely to create a significant risk of harm; only the name combined with other PHI could enable someone to harm the individual.
The new paradigm: ways to reduce risk and best-practice tips
It is easy to understand why these new rules and associated penalties have left many practices stumped and wondering, "What can I do to prevent this expensive and time-consuming breach process, short of turning my office into a 'patient-free' practice?" There are several approaches to consider, and fortunately none of them involves turning patients away.
The first is possibly the most obvious: continuous and rigorous training on the new HIPAA rules and changes. In addition to training, implementing workflow processes and checks and balances in the records release system can help reduce the number of office-related errors. A well-documented, current HIPAA-compliant privacy protocol will streamline the whole process if a breach or violation occurs and the reporting decision steps become necessary. Finally, the practice may want to consider placing accountability on staff. As one might imagine, although these measures can reduce the number of errors, the extra training and workflow management comes at a cost in staff and senior-management time. If the office experiences a high rate of turnover, managing HIPAA compliance training could very easily become a full-time job.
What is another solution? Transfer the responsibility.
The HITECH Act updated HIPAA so that its privacy and security provisions now apply directly to business associates. Civil and criminal penalties apply directly to the BA. The significance of this change in the law is that you can shift responsibility for a breach to the BA rather than shouldering the burden yourself. One caveat: shifting responsibility does not eliminate the practice's own obligations. A BA must notify the Covered Entity of breaches it discovers, and the Covered Entity remains responsible for notifying affected individuals, so a written BA agreement that spells out these duties is essential.
Given the onerous nature of the rules, it may make sense to let someone else take the risk of Mr. Smith's information landing in the wrong place. What's more, by shifting responsibility to the BA, you can outsource all of the analysis, review and data handling in the event of a breach, along with the required internal audit of each and every opportunity for PHI to travel outside the practice.
The medical records department is the logical place to transfer this responsibility. You can reduce the statistical probability of the practice incurring a penalty or violation, or worse, a full-blown breach requiring notification, simply by reducing the number of occasions on which the medical records department has to disseminate information. In short, let a records release service such as DataFile Technologies do this for you.
Consider Business Associates such as DataFile Technologies that specialize in working with practices that have moved to an Electronic Medical Record (EMR) system. In the digital environment, these companies can become a fully functional outsourced medical records department for the practice. At a minimum, they handle the majority of PHI distribution, allowing clients to minimize the possibility of, or even prevent, the kinds of violations described above.
In making the case for outsourcing to a BA, reducing risk and shifting responsibility away from you, the Covered Entity, may be the most obvious selling point, but the benefits extend well beyond that and include the following:
• Workload redistribution and natural attrition. Although the practice may be perfectly happy with the performance of its current fulfillment specialist, if he or she leaves, rehiring and retraining a newcomer under the new rules and regulations may not make sense. A BA can work as an extension of the fulfillment and records release department.
• Daily processing of requests. Choose a BA that can process requests very quickly, instead of an in-house model where fulfillment is relegated behind other, more pressing priorities, or a backup service model that works requests only on certain days. Faster record fulfillment leads to better patient relationships and satisfaction and, ultimately, increased patient retention and word-of-mouth referrals.
• Fewer calls. Whether from patients, underwriters or other requesters, the records release and fulfillment team fields a large number of phone calls asking about the status of records requests. By using a BA with rapid turnaround times, these calls are significantly reduced, if not eliminated entirely.
• Risk diversification. More than simply moving the obligation from your practice to the BA, the real risk reduction comes from choosing the right BA. For example, data security, chain-of-custody protocols and best-practice workflow procedures ensure that patient PHI is safe.
• Elimination of staff training and retraining. Keeping the practice compliant and its staff properly trained can be a major strain on resources and time. Outsourced staff, by contrast, are reliable, tech-savvy and well versed in HIPAA compliance and its changes.
With this in mind, the overriding message is clear: you can unburden yourself of the legal risk, resource drain and busywork of records fulfillment by selecting a reputable company. With all of these rule changes, the time is right to remove a large burden from the practice. Not only will you transfer responsibility, but you will also gain time savings and the peace of mind of working with a partner whose singular goal is to let your practice focus on your patients.
Appendix A: Exceptions defined by HHS
1. Workforce use: unintentional acquisition, access or use of PHI by a workforce member acting in good faith, if the PHI is not further used or disclosed in a manner that violates the Privacy Rule.
2. Workforce to workforce: inadvertent disclosure of PHI by one workforce member to another workforce member at the same CE or BA, if the PHI is not further used or disclosed in a manner that violates the Privacy Rule.
3. No way to retain the information: the CE or BA has a good-faith belief that the unauthorized party to whom the PHI was disclosed would not reasonably have been able to retain the information.
Appendix B: HHS guidelines on significant risk
1. Covered Entity recipient: an accidental disclosure of PHI from one CE or BA employee to a similarly situated CE or BA employee, provided that the PHI is not further used or disclosed in any way that violates the Privacy Rule.
2. Immediate mitigation: immediate steps taken to reduce the harm, including the return or destruction of the information or a written confidentiality agreement.
3. Type of information involved: the information was limited to the individual's name only, or to a limited data set.