HIPAA: How to Avoid Becoming a Worst-Case Scenario

Katherine Becker, Acevedo Consulting, 561.278.9328, [email protected]

Tom Murphy, Danna-Gracey, 800.966.2120, [email protected]

Upload: danna-gracey

Post on 16-Jan-2017


Page 1: HIPAA: How to avoid becoming a worst case scenario

HIPAA: How to Avoid Becoming a Worst-Case Scenario

Katherine Becker, Acevedo Consulting, [email protected]

Tom Murphy, Danna-Gracey, [email protected]

Page 2

Tom Murphy: Danna-Gracey

• 30 years of extensive experience with claims and risk management

• An experienced risk management consultant, providing physicians and various medical entities with risk and claims management techniques for implementation

• Maintains an advisory position for various societies involving malpractice, claims and tort reform

• A frequent guest lecturer for numerous medical societies and associations, sharing his expertise with the medical community while gaining additional insight into the business of medicine

• Performs malpractice claims studies for medical specialty societies

Page 3

HIPAA – How to Avoid Becoming a Worst-Case Scenario

Today’s Speaker:

Katherine Becker, JD, LLM, CHC, CHPC, CPC-A

Associate Consultant

Katherine Becker is a graduate of the University of Wisconsin Law School and received her LLM in healthcare law from the Loyola University Chicago. She has experience working in the courts, lobbying as well as private practice. She had the honor of serving as a Judicial Intern for the Wisconsin Supreme Court, where she researched and participated in drafting opinions. Her experience includes analyzing the effect of new legal developments on clients’ business interests; experience which she uses to help Acevedo Consulting’s clients in navigating the compliance risks inherent in health care reform. Katherine uses her background in health care and law to assist clients in developing and maintaining compliance and HIPAA programs. She also assists clients with Medicare and Medicaid enrollment, as well as state licensing with the Agency for Health Care Administration. Katherine also advises clients on participation in incentive programs such as PQRS and Meaningful Use. She also works with Accountable Care Organizations offering guidance as they develop and maintain compliance for participation in the Medicare Shared Savings Program. Katherine is certified in Healthcare Compliance (CHC) and Healthcare Privacy Compliance (CHPC) through the Health Care Compliance Association and a certified Professional Coder (CPC) through the AAPC.

Page 4

Policies

• Do you have policies?

• When was the last time you read them?

• Are you training your staff on your policies?

Page 5

Patient Complaint

• Patient requests x-ray records from doctor’s office and is told there will be a $15 fee.

• Patient complains to the practice about the fee and does not receive a response.

• Patient files a complaint with the Office of Civil Rights.

• Have we heard from OCR?

Page 6

Patient Record Fees

• What do you charge patients for copies of their records?

• Do you have different fees for different types of records?
  • Paper
  • Electronic
  • X-rays, MRI, etc.

• Are your fees published for your patients?
  • In Notice of Privacy Practices?
  • Record Request Form?
  • Policies?
  • Website?

Page 7

Portal

• You cannot charge patients for retrieving their records through the patient portal.

• Make sure that your portal works and is being used appropriately. For anyone who has been attesting to Meaningful Use, you’ve been attesting that you have a patient portal and it works.

Page 8

Review Your Policy!!

• Make sure you can justify the cost you are charging to the patient.
  • Based on cost of materials
  • Salary of person who is filling the request
  • Cost of postage

• You are allowed to use an average cost, but it must be reasonable.

• Make sure you update all relevant policies or signs that include a cost.

Page 9

Lost Records

• Physician loses over 100 patient records after his car is broken into.
  • Some records include complete social security numbers, date of birth and payment information.

• Breach was reported January 2015.

• Have we heard from OCR?

Page 10

Records

• Where are your records?
  • Paper, electronic, etc.
  • If electronic, are they sitting on the actual hardware or is it being accessed remotely?

• If PHI resides on the hardware, is it mobile?

• Are devices with PHI encrypted?

• Who is allowed to leave with PHI?

• Who is allowed to have remote access to PHI?

• Do you have policies?

Page 11

Patient Complaint

• Practice sends out an email to patients letting them know the practice will no longer be accepting Blue Cross Blue Shield.

• Practice forgot to BCC patients, so the entire contact list was visible to all recipients.

• Patient complained to the State Attorney’s office.

• Did the State Attorney’s office respond?

Page 12

Complaints

• Make sure your staff is trained on how to handle patient complaints, whether expressed verbally or in writing.

• Who handles complaints?

• How are the complaints documented?
  • Patient’s chart?
  • Central complaint file?

• Note: At no time during the OCR audit were we told who the complaining patient was.

Page 13

Record Request Mix-Up

• Patient emails doctor asking for his medical records to be either mailed or sent via FedEx. Patient says the office offered to fax him the records, but he does NOT want them faxed as he shares the fax machine with the whole office.

• Patient receives records via fax and from multiple people in his office.

Page 14

Record Requests

• How are record requests handled?
  • One person? Whoever receives the request?

• How will you send record requests?
  • Mail?
  • Email?
  • Fax?
  • In-person pickup?

• How are requests documented?
  • Form?
  • Verbal?

Page 15

Email

• Patients generally have the right to receive copies of their PHI via email.

• You must warn them that unencrypted email is not a secure form of communication.

• If the patient accepts the risks, then you must comply.

• Make sure you have the risks and patient consent in writing!!

Page 16

Email Access

• This should be a very controlled form of access. Not everyone should have the ability to email patients.

• Do NOT let employees email patients their records from personal email addresses.

• If you do not have a corporate email, set one up and make sure that the privacy officer maintains control of the account.

• Audit this heavily. Make sure that patients who have received PHI via email have the corresponding request in their chart.
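One way to run the audit the slide asks for, as an added example written for this page (not code from the presentation or from Acevedo Consulting): it reconciles a constructed outbound-mail log against constructed chart entries and flags PHI sent from a non-corporate address, PHI sent with no documented email request, and PHI sent where the written risk acknowledgment is missing. The corporate domain, the log line format and the chart fields are assumptions.

```python
"""Reconcile outbound PHI emails against documented record requests.
Sample data below is constructed: log lines are 'date|from|to|tag'."""
from datetime import date

CORPORATE_DOMAIN = "example-practice.test"   # assumed practice mail domain

EMAIL_LOG = """\
2016-11-01|records@example-practice.test|pat.a@mail.test|PHI
2016-11-02|jdoe@personal-mail.test|pat.b@mail.test|PHI
2016-11-03|records@example-practice.test|pat.c@mail.test|PHI
2016-11-03|records@example-practice.test|pat.d@mail.test|APPT_REMINDER
2016-11-04|records@example-practice.test|pat.e@mail.test|PHI
"""

# Constructed chart register: patient email -> documented requests.
REQUESTS = {
    "pat.a@mail.test": [{"method": "email", "risk_ack_signed": True}],
    "pat.b@mail.test": [{"method": "email", "risk_ack_signed": True}],
    "pat.c@mail.test": [{"method": "email", "risk_ack_signed": False}],
}

def parse_log(text):
    """Turn the pipe-delimited log into a list of dicts."""
    rows = []
    for line in text.splitlines():
        ts, sender, rcpt, tag = line.split("|")
        rows.append({"date": date.fromisoformat(ts), "from": sender,
                     "to": rcpt, "tag": tag})
    return rows

def audit(log_rows, requests, corporate_domain=CORPORATE_DOMAIN):
    """Return (recipient, finding) pairs for every PHI email that fails a check."""
    findings = []
    for r in log_rows:
        if r["tag"] != "PHI":          # only PHI disclosures are in scope
            continue
        if not r["from"].lower().endswith("@" + corporate_domain):
            findings.append((r["to"], "PHI sent from non-corporate address"))
        reqs = [q for q in requests.get(r["to"], []) if q["method"] == "email"]
        if not reqs:
            findings.append((r["to"], "no documented email request in chart"))
        elif not any(q["risk_ack_signed"] for q in reqs):
            findings.append((r["to"], "request lacks signed email-risk acknowledgment"))
    return findings

if __name__ == "__main__":
    for who, why in audit(parse_log(EMAIL_LOG), REQUESTS):
        print(who, "-", why)
```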

Page 17

HIPAA in the Media

• NFL player visiting S. Florida over the 4th of July has an incident with fireworks.

• Media picks up on the event through police reports, but no one knows what the injury was.

• Employee from Jackson Memorial Hospital took pictures of the patient’s medical record and sent them to ESPN.

Page 18

Results so Far

• Hospital has fired 2 employees

• OCR is still investigating

• NFL player is suing ESPN as well as the hospital

Page 19

Social Media

• Practice had a biller who used Snapchat to share a patient photo with coworkers.

• Practice had a policy about cell phone use in the office, but was not following it.

• Do you have policies on:
  • PHI on devices?
  • Social media?

Page 20

Handling Patient Information

• Have you trained your staff on the appropriate use of PHI?

• Remember HIPAA has a minimum necessary standard!

• Patient records are not for our own amusement, whether the patient is someone we happen to know or a celebrity.

• Make sure that you have found ways to audit who is accessing PHI.

Page 21

Improper Marketing

• OCR settles with a PT group for $25,000, implementation of a corrective action plan and annual reporting of compliance for a one-year period.

• PT practice failed to reasonably safeguard PHI
  • Improperly disclosed PHI without an authorization
  • Failed to implement policies and procedures with respect to PHI that were designed to comply with HIPAA’s requirements on authorizations.

• What did they do?

Page 22

Patient Testimonials

• Make sure you have a signed authorization before including patient testimonials on your website, walls, etc., and save it!!!

• Never assume that a patient is ok with you sharing their information with others, no matter how happy they were with your services.

• If you intend to use the patient testimonial, make sure the patient sees a copy of it first and approves.
  • Is it just text?
  • Do you use full name?
  • Do you include a picture?

Page 23

Business Associate Agreement

• OCR initiated a breach investigation after a breach report on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a business associate’s employee’s locked vehicle.

• During the investigation it was determined that:
  • There was not a business associate agreement in place
  • The organization had failed to do a system-wide security risk assessment.

Page 24

OCR Result

• Penalty of $1.5 Million

• Required to develop an organization-wide risk analysis and risk management plan

• Required to train all appropriate workforce members on all policies and procedures

Page 25

Business Associate Agreements

• Make sure you have a business associate agreement with anyone outside your organization that handles your PHI
  • Shredding company
  • Lawyers
  • Outside transcription
  • Auditors
  • Etc.

• Make sure your agreements are current and reflect your relationship as it exists now.

Page 26

Security Risk Analysis

• Make sure you have a Security Risk Analysis
  • This should be reviewed at least yearly, but may need to be done more frequently if there are changes to the practice that change your risks.

• Make sure you can defend your answers when you identify a risk area. For instance, if you have PHI residing on mobile devices but are choosing not to encrypt, what is your justification for that?

Page 27

What is the takeaway?

• A complaint by one patient is just as powerful as a breach of hundreds of patients.

• Never assume that something “goes without saying”

• Look around your office now: is there anything you would not want to have to defend?

Page 28

When Reviewing Your Policies

• Always view it from the perspective of an audit.

• When was the last time you trained your staff on your policies?

• Audit your own policies and work flow to make sure that the two match. If they don’t, you need to determine whether the work flow or the policy needs to change.

Page 29

Do I need additional insurance?

• Most of the time your medical malpractice insurance doesn’t offer enough coverage

• Your business office policies don’t cover cyber

Page 30

What does Cyber Insurance cover?

• Claims made by clients or employees

• Regulatory procedures

• Fines and penalties relating to privacy laws

• Cost to notify affected individuals

• Cost to restore data/computer programs damaged by hackers/virus

• Business interruption and extra expense due to a breach

• Some policies include loss of money due to hacking

Page 31

Questions?

Tom Murphy, 800.966.2120

[email protected]

Page 32

Acevedo Consulting Incorporated

2605 West Atlantic Avenue, Suite D-102

Delray Beach, FL 33445

561.278.9328

www.AcevedoConsultingInc.com