HIPAA: Are Your Office Records Truly Secure?

Understanding key patient record issues can help keep your practice in the clear.


HIPAA: Are Your Office Records Truly Secure?

Understanding key issues can help keep your practice in the clear.

Ron Sterling


HIPAA privacy standards cover any protected health information (PHI), both electronic and paper records in the possession of a covered entity (your practice). However, HIPAA security requirements only cover PHI stored electronically in your practice. Both the privacy standards and the security requirements present significant challenges to ophthalmic practices.

Ophthalmic practices have electronically stored PHI that may not be recognized as such in the practice. Indeed, even if you use a paper patient chart that contains all patient information and images, you can still have HIPAA security exposure. For example, storing Microsoft Word files containing transcribed office notes, sound files with dictated notes, and images stored in a fundus camera, OCT or other devices are covered by the HIPAA security standards.

HIPAA privacy standards pose other challenges. Many practices do not adequately protect patient information or maintain appropriate standards to avoid inappropriate disclosures. For example, informal release of information procedures is not compliant with the paperwork dictated by the HIPAA privacy standards. In many practices, the HIPAA privacy consent or acknowledgement may not be completed for all patients or reference an obsolete notice of privacy practices.

Consequences of non-compliance

Practices that do not properly protect patient records may be subject to a variety of risks and even cash penalties. For example, a Phoenix-based five doctor practice was recently assessed a $100,000 fine for failing to meet HIPAA Security Standards. In order to make sure you are appropriately working within a HIPAA compliant framework, consider the following key issues:

HIPAA Paperwork - Many practices use an outdated notice of privacy practice (NPP) and even a dated business associates agreement to address privacy requirements. The notice presents how your practice complies with HIPAA privacy and informs your patients about your procedures. The business associates agreement is a required document for non-employees who may come in contact with PHI while performing services for your practice. Practices that have not updated those documents in the past three years may be operating with an outdated HIPAA framework. You may need to update the notice of privacy practices for significant changes to your organization such as the implementation of an electronic health records (EHR) system.

HIPAA Standards - In a surprising number of situations, practices lack appropriate HIPAA compliance policies and procedures. Required policies include standards for how PHI is secured and how access is authorized. They also address how access to the EHR is stopped when an employee resigns or is terminated. These policies are even necessary to cover the response to employees who may violate the practice’s HIPAA standards. Policies drive procedures including how paper records are secured and handled as well as how backups of computer based patient information are management and stored.

Supervision and Training - In addition to having a HIPAA compliant framework, the practice is required to maintain a structure to support HIPAA. For example, covered entities need a HIPAA privacy officer and a HIPAA security officer. These positions are functions, not full-time employees. However, the HIPAA security and privacy officers must be knowledgeable in relevant HIPAA issues and monitor your adherence to the standards and policies. Additionally, practices need current policies and training programs for employees and doctors. Like it or not, the failure to keep standards current or failing to maintain records according to compliance standards can expose patient records to inappropriate disclosure and your organization to embarrassment and penalties.

Monitoring and Response - Investing time and effort to set up HIPAA compliant mechanisms are not worth much if you do not maintain the relevant policies and procedures. Since the healthcare environment is changing, compliance efforts need to respond. From handling an inappropriate disclosure to insuring that electronic exchanges of PHI with other providers or patients are properly secured and managed, HIPAA security and privacy efforts will need to change to address emerging standards and issues. For example, secured messaging under stage 2 of meaningful use may require some changes to your HIPAA strategy and procedures.

HIPAA privacy and security requirements are key ophthalmic business standards. Failure to meet these requirements can lead to a variety of unpleasant situations that can strain your commitment to patients and unnecessarily expose your practice to embarrassment and penalties. Meeting the HIPAA requirements will consume some time and effort to establish the right processes and standards. However, maintaining these requirements is easier than scrambling to deal with an improper disclosure of information or penalty. OP

images Ron Sterling is president of Sterling Solutions and a nationally recognized leader on EHR. He publishes the blog, www.Avoid-EHR –Disasters. com and authored the HIMSS Book of the Year “Keys to EMR/EHR Success.”