Advanced HIPAA 2016 - KMC University HIPAA MT... · 3/19/2016 13 3. Write HIPAA Policies & Procedures Phone Messages/ Appt. Reminders •Reminders are good •Postcards are ok •Answering

Jul 27, 2020

dariahiddleston
3/19/2016

1

Advanced HIPAA 2016

Abbie Miller, MCS-P

Today’s Agenda

•A HIPAA eye toward social media and texting

•Please get your Business Associate agreements in order!

•Some definitions pertaining to HIPAA Privacy

•Dispose of patient information correctly

•New and existing employees must be trained, and it must be documented

What is the HIPAA Privacy Rule?

•Standards that address the use and disclosure of individuals’ protected health information or PHI by covered entities

•Standards for individuals' privacy rights to understand and control how their health information is used


Should You Bother With Compliance?

Cardiac Practice Fined for Not Shielding Patient Info

Should You Bother With Compliance?

Federal government has fined a Phoenix cardiac medical practice $100,000 for posting patient appt. information online

Should You Bother With Compliance?

…agreed to pay penalty to settle violations of HIPAA…


Should You Bother With Compliance?

HHS investigations found no policies and procedures and few safeguards to protect PHI

Should You Bother With Compliance?

…also didn’t have documentation of trained employees, no risk analysis conducted, no privacy or security official

Some Definitions

• Covered Entity: any provider who transmits or receives health information in electronic form in connection with a covered electronic transaction.

• Business Associate (BA): A person or company that acts on behalf of a covered entity performing functions that involve the use or disclosure of PHI.

• Protected Health Information (PHI): Individually identifiable health information that is maintained or stored in electronic or any other form or medium. It includes demographic and financial information about the patient.

• Electronic Protected Health Information (ePHI): Individually identifiable health information that is transmitted, maintained, or stored in electronic form.


7 Steps to Achieve Privacy Compliance

1. Install a Privacy Officer

2. Define Minimum Necessary for Your Office

3. Write HIPAA Privacy Policies and Procedures

4. Customize Your NPP (Notice of Privacy Practices)

5. Train Your Team Members

6. Monitor Your Active Privacy Program

7. Business Associate Agreements In Place

Monitor Your Active Privacy Program

•Conduct Initial Program Audit

•Conduct Regular Self-Audits

•Privacy Program Audits

•NPP Acknowledgement Audits

1. Install a Privacy Officer

Be careful to choose someone who:

• can understand the rules and guidelines that govern HIPAA

• can acquire all new HIPAA rules and regulations and stay updated on any changes

• can comfortably work alongside practice leadership personnel


1. Install a Privacy Officer

Privacy Officer Role

•Develop, implement, maintain and assure adherence to the Privacy Policies and Procedures for your practice

Privacy Officer Purpose

•Oversee the protection of PHI

1. Install a Privacy Officer

2. Minimum Necessary Standard

•The minimum necessary standard requires you to evaluate your practices and enhance any safeguards as needed to avoid and limit unnecessary or inappropriate access to and disclosure of PHI.


2. Minimum Necessary Standard

•The Privacy Rule requires you to take reasonable action to limit the use or disclosure of, as well as requests for, PHI to the minimum necessary to accomplish your intended purpose.

2. Minimum Necessary Standard

•Determine your own set of standards in P&P

• Entire medical record may be appropriate in certain circumstances

• Identify who needs access to PHI to carry out duties

• Identify specific categories of PHI for each group

•Does not apply to:

• Health care providers for treatment purposes

• The individual in question

• Those under authorization

• Disclosures to HHS

• Required by law

• Prior to 4/14/03

Common Uses and Disclosures: TPO

•Does not require signed authorization

•Must list on the NPP

Treatment: Doctors can share information freely with each other

Payment: billing and collections activities; determination of eligibility

Healthcare Operations: Quality assurance, scheduling, auditing, and employee review


3. Write HIPAA Policies & Procedures

•You are required to have written HIPAA Policies and Procedures in place for a valid HIPAA Compliance Program in your office.

3. Write HIPAA Policies & Procedures Patient’s Right to Restrict Disclosure

•Can request restriction of info to carry out payment or HCO

•Can restrict information given to a family member

•Not required to agree to the restriction.

•Special form should be used for documentation


3. Write HIPAA Policies & Procedures Authorizations: Non-TPO

•Selling a patient mailing list

•Employer disclosures

•Life insurance eligibility questionnaires

•Marketing and testimonials

•Must stipulate the approved use

•Have an expiration date


3. Write HIPAA Policies & Procedures Incidental Uses and Disclosures

•Unintentional

•Overheard phone conversations when answered at the front desk.

•A patient passing by another room where treatment is taking place

•Everyday operations

3. Write HIPAA Policies & Procedures Accidental Disclosures

•Faxing or emailing PHI to the wrong destination

•Disclosing PHI to an unauthorized person

• If harmful, must be disclosed to the patient.

•Always included on non-TPO disclosure log


3. Write HIPAA Policies & Procedures Disclosure Logs and Accounting

•Patient may request accounting of all non-TPO disclosures

•All but incidental disclosures should be logged

•Not required for those with authorization, reporting neglect or abuse, law enforcement, or prior to 4/14/03


3. Write HIPAA Policies & Procedures Use of Photographs

•Permitted but must be out of public view

•As part of a testimonial or other marketing effort, you must have authorization

•Can include in electronic or paper form

3. Write HIPAA Policies & Procedures Faxes

PRIVILEGED AND CONFIDENTIAL: This document and the information contained herein are confidential and protected from disclosure pursuant to federal law. This message is intended only for the use of the Addressee(s) and may contain information that is PRIVILEGED AND CONFIDENTIAL. If you are not the intended recipient, you are hereby notified that the use, dissemination, or copying of the information is strictly prohibited. If you have received this communication in error, please erase all copies of the message and its attachments and notify the sender immediately.

3. Write HIPAA Policies & Procedures Emails

This email, including any attachments, may include PRIVILEGED AND CONFIDENTIAL information and may be used only by the person or entity to which it is addressed. If the reader of this email is not the intended recipient, or his or her authorized agent, the reader is hereby notified that any dissemination, distribution, or copying of this email is prohibited. If you have received this email in error, please notify the sender by replying to this message, and delete this email immediately.


3. Write HIPAA Policies & Procedures Debt Collection

•Permitted use of debt collection services

•Falls under “payment”

•Even skip tracing has been approved by HHS as routine

3. Write HIPAA Policies & Procedures Safeguards: Common Sense

3. Write HIPAA Policies & Procedures What’s OK?

• Sign in sheets: minimal information—name, time, etc.

•Verification of Callers: PHI over phone--Password, SSN, DOB, Zip, Maiden Name

• Social Security Number: use sparingly, or last four digits only


3. Write HIPAA Policies & Procedures Phone Messages/ Appt. Reminders

•Reminders are good

•Postcards are ok

•Answering machines are ok

•Do not leave PHI on the call, or results of tests

•OK to say that you are reminding of an appointment and date/time

• Should include that information in the NPP

3. Write HIPAA Policies & Procedures More Common Sense

•Not required:

• Private rooms

• Soundproof rooms

• Wireless encryption

• Encrypted telephones

•A good idea:

• Have patients wait a few steps back from counter

• Curtains or screens

• Speaking quietly

• Files turned backward

• Folders marked confidential

• All faxes/email that contain PHI marked confidential

• Fax machines in secure locations

3. Write HIPAA Policies & Procedures EOB’s and COB’s

•When coordinating benefits, blacken any other patient’s PHI on the EOB

•Clear out anything that does not apply to the claim

•Otherwise it is a violation of HIPAA law.


3. Write HIPAA Policies & Procedures Oral Communication

•Overheard conversations are unavoidable

•Phone conversations are ok

•Training situations

•Calling out patient’s name is not a violation

3. Write HIPAA Policies & Procedures Patient’s Right to Access Information

•Patient will request in writing

•Must act upon this within 30 days if onsite, 60 if written notice

•Can be in summary form if agreed to

•May charge a reasonable fee

3. Write HIPAA Policies & Procedures Destruction of Medical Records

•You are responsible for wrongful disclosures due to improper disposal of PHI.

•Shred, get receipt

•Erase

•Proper disposal


3. Write HIPAA Policies & Procedures Copying Fees

•Most state laws provide a maximum that can be charged for copying medical records.

•NPP says first request in 12 months is free

3. Write HIPAA Policies & Procedures Other Patient Rights

•Can submit amendment to record, not a change

•Must consider amendment, don’t have to accept

•Can designate a personal rep

• Deceased: legal rep

• Parent usually for minor

3. Write HIPAA Policies & Procedures Disclosures to Law Enforcement

• CANNOT disclose DNA information to law enforcement trying to locate an individual

•May use your own policies for the good of the patient

•Victims of domestic violence/abuse

•Privacy Rule does not interfere with federal or state laws


3. Write HIPAA Policies & Procedures Privacy Complaints

•Handled by your office Privacy Compliance Officer

•Patients may not be forced to waive their right to complaints as a condition of treatment

•Step 1: PCO formally files complaint within their office (complaint form)

•Step 2: PCO tries to resolve complaint within their office

•Step 3: If patient persists, instruct to file with Office for Civil Rights

3. Write HIPAA Policies & Procedures

3. Write HIPAA Policies & Procedures

•Have a policy & procedure for every area of PHI risk as well as for patient rights

•Include:

• Faxes & emails

• Phone calls

• Neglect/abuse

• Etc.


4. Customize Your NPP (Notice of Privacy Practices)

•HIPAA gives your patients a right to be informed of the privacy practices of your office

•HIPAA gives patients the ability to be informed of their rights concerning HIPAA privacy

4. Customize Your NPP (Notice of Privacy Practices)

•A statement from the provider to the patient on how the patient’s PHI will be handled and protected by the office.

•Must be provided on or before the first delivery of service, except in an emergency.


4. Customize Your NPP (Notice of Privacy Practices)

•Must make a good faith attempt to obtain a written acknowledgement that they have received a copy of your NPP.

5. Train Your Team Members

•Ongoing training required, updates

•Access PHI on “need to know” basis

•Keep employment records separate from treatment records

•Fully explain sanctions for failure to comply.


6. Monitor Your Active Privacy Program

•Conduct Initial Program Audit

•Conduct Regular Self-Audits

•Privacy Program Audits

•NPP Acknowledgement Audits

Audit Your Privacy Program


Audit Privacy Safeguards

Audit Privacy in Patient Charts - NPP

7. Business Associate Agreements

•Must comply directly with HIPAA Privacy

•A person or entity that provides certain functions on behalf of the covered entity

•Not a member of the provider’s work force

•Providers to whom a CE discloses PHI for treatment (TX) are NOT business associates


Who are Business Associates?

•Vendors or other external entities that are considered business associates must also be considered part of a healthcare organization's security plan. All linked organizations should be properly identified and have signed a business associate agreement. This will ensure all involved parties are aware of what is mandated by HIPAA. Internal policies such as privacy notices and breach notifications should not be overlooked because they are as critical as the technology aspect.

7. Business Associate Agreements

The Privacy Rule requires that you obtain satisfactory assurances from your business associate that they will appropriately safeguard the PHI they receive or create on behalf of your office. The satisfactory assurances must be in writing in the form of a contract or other agreement between yourself and the business associate.

7. Business Associate Agreements

•Examples are billing companies, consultants, auditors, clearing house, attorney, collection agency, document shredders, answering service, contractors, software vendor, offsite record storage.


HIPAA Omnibus Rule - BAA

•You no longer have to report failures of your BAs

•BAs are DIRECTLY liable for these violations

•BAs are responsible for their subcontractors

•BAs MUST comply with Security and Breach Notification rules

•YOU ARE RESPONSIBLE FOR THE AGREEMENT!!

HIPAA Omnibus Rule - BAA

•You had until Sept 23, 2014 to bring all BAA up to date and in conformance with new rules.

•Agreements in place prior to March 26, 2013 remain compliant until renewed or modified or Sept 23, 2014

09/2014--HIPAA Omnibus Rule - BAA

•You MUST review your relationships and determine if a BAA is needed

•Does your associate create, receive, maintain, store, or transmit PHI on your behalf?


Epic Fail


Purpose of HIPAA Security

•Protect ePHI

Electronic Protected Health Information

•Confidentiality

•Integrity

•Availability

7 Steps to Achieve Security Compliance

1. Install a Security Officer

2. Understand the rules

3. Make a list of ePHI

4. Conduct a Risk Analysis

5. Implement policies & procedures

6. Deliver security awareness training

7. Monitor ongoing security processes

Step 1: Install a Security Officer

Be careful to choose someone who:

• can understand the rules and guidelines that govern HIPAA

• can acquire all new HIPAA rules and regulations and stay updated on any changes


Step 2: Understanding the Rules: Types of Safeguards

•Administrative Safeguards

•Physical Safeguards

•Technical Safeguards

Step 2: Understanding the Rules: Security Controls

•Administrative Controls

•Physical Controls

•Technical Controls

Step 2: Understanding the Rules: Security Principles

•Comprehensiveness

•Scalability

•Technology Neutrality


Step 3: List ePHI: Your Information Systems

Step 4: Perform a Risk Analysis

•Standard #2: Security Management Process

•Risk Analysis is an Implementation Specification

•Required

6 Steps to Risk Analysis

•Understand your information systems

•Identify threats in your environment

•Identify vulnerabilities that threats could attack


6 Steps to Risk Analysis

•Identify probability that a threat could attack, analyze the criticality of impact, and summarize risk

•Implement applicable measure

•Document your process and results

Your Risk Analysis

Step 5: Policies & Procedures

•HIPAA relies on standard business practices for policy development

•Procedures are step-by-step instructions that implement the policies


Step 5: Policies & Procedures: Workforce Security

•You must provide only the minimum access to ePHI that is necessary for a team member to do his/her job.

Step 5: Policies & Procedures: Workforce Security

Step 5: Policies & Procedures: Workforce Security


Step 5: Policies & Procedures: Contingency Plan

•A Contingency Plan is needed to implement strategies for recovering ePHI should an office have an emergency or occurrence that disrupts critical business operations.

•ePHI must be available when needed, and your contingency planning determines what is necessary in the event of a power outage or other occurrence.

Step 5: Policies & Procedures: Contingency Plan

•You must establish and implement, as needed, policies and procedures for responding to emergencies

•Your Contingency Plan must include a Disaster Recovery Plan and an Emergency Mode Operations Plan

Step 5: Policies & Procedures: Contingency Plan


Step 6: Policies & Procedures: Train Your Team Members

Step 7: Monitoring Ongoing Security Processes

• Ensure your security plans, policies and procedures continue to adequately protect your ePHI

• Implement an ongoing monitoring and evaluation plan

• A technical and non-technical evaluation of your security controls and processes must be done to document any needs for change


Step 7: Monitoring Ongoing Security Processes

•All appropriate areas and employees must be included in the evaluation.

•When an environmental or operational change has occurred that could significantly affect your ePHI, you must conduct an evaluation.

Step 7: Monitoring Ongoing Security Processes: Breach Notification

Step 7: Monitoring Ongoing Security Processes: Self Audits


Are you in HIPAA Denial?

•HIPAA is something I can get to when I’m not busy…

•I did my HIPAA-thing in 2003, I’m all set.

•No one is REALLY going to check my program

•I’m a small provider

•HIPAA is too complicated, “they” don’t expect me to do this

Time to Act!

Time to Act!


Timeline

•HIPAA - 1996

•HITECH - 2009

•OMNIBUS - 2013

HITECH Expansion

•Reach

oBefore: Covered Entities: healthcare organizations

oAfter: Covered Entities: expanded to business associates

HITECH Expansion

• Economics

oBefore: 2003-2008 – 31,000 cases reported, no one fined; in 2009, CVS fined $2.25 M. Daily fine: $100/day

oAfter: Fines up to $1.5 M / year; regulators at HHS now benefit directly from fines levied (significant uptick in fines). Daily fine: $50,000/day


HITECH Act

• Further expanded the businesses covered by HIPAA Privacy and Security Rules by beefing up BA agreements

•Required all to comply with redefined security breach notification rules

• Enhanced penalties that can be handed down, and increased enforcement

• Widened the scope of Privacy and Security protections available under HIPAA;

• Increased potential legal liability for non-compliance;

•Provided more enforcement of HIPAA rules.

HITECH Act

Omnibus Final Rule

March 26, 2013

September 23, 2013


Know Your State Laws

If your state privacy and confidentiality laws are more stringent than HIPAA, you must comply with whichever has the highest level of protection.

Omnibus: Three Main Focuses

•Privacy, Security, and Breach Notification policies and procedures

•Notice of Privacy Practices

•Business Associate Agreements

HIPAA Omnibus Rule - Breach

•Redefines Breach

•Harder to avoid reporting a breach

•Redefines: “significant risk of financial, reputational, or other harm”


HIPAA Omnibus Rule - Breach

•Breaches presumed reportable unless after performing a risk assessment (applying four factors) it is determined there is “a low probability of PHI compromise”

HIPAA Omnibus Rule - Breach

•1) Nature and extent of the PHI involved

consider:

•Sensitivity of the information from a financial or clinical perspective

• Likelihood the information can be re-identified

HIPAA Omnibus Rule - Breach

•2) The person who obtained the unauthorized access

consider:

•Does this person have an independent obligation to protect the confidentiality of the information


HIPAA Omnibus Rule - Breach

•3) Whether the PHI was actually acquired or accessed

consider:

•Was the exposed PHI actually accessed by anyone who may have had the ability to access or acquire

HIPAA Omnibus Rule - Breach

•4) The extent to which the risk has been mitigated

consider:

•Getting a signed confidentiality agreement from the recipient

HIPAA Omnibus Rule - Breach

•No need for independent entity to conduct risk assessment

•No need to conduct assessment if notification is made

•Take steps to reduce risks in future

•Must still adhere to requirements for individual notification, HHS notification, and media posting where applicable


HIPAA Omnibus Rule - Disclosures

At the patient’s request, you may NOT disclose information to a patient’s health plan if they have paid out of pocket for their care.

HIPAA Omnibus Rule - Disclosures


HIPAA Omnibus Rule - Marketing

•New rules limit circumstances when you can provide marketing communication to your patients WITHOUT written authorization

HIPAA Omnibus Rule - Marketing

1) the physician receives no compensation for the communication;

2) the communication is face-to-face;

3) the communication involves a drug or biologic the patient is currently being prescribed and the payment is limited to reasonable reimbursement of the costs of the communication (no profit);

HIPAA Omnibus Rule - Marketing

4) the communication involves general health promotion, rather than the promotion of a specific product or service; or

5) the communication involves government or government-sponsored programs.

Physicians are still permitted to give patients promotional gifts of nominal value.


HIPAA Omnibus Rule - Copies

•Changes to timeframes and fees for patient’s written requests of PHI

•You have 30 days (with ONE 30 day extension)

HIPAA Omnibus Rule - Copies

•Must provide access to EHR and other electronic records in electronic form if the patient requests

• “readily reproducible”

•Otherwise, must be in another mutually agreed upon electronic format

•Hard copies only ok when individual refuses all e-formats

HIPAA Omnibus Rule - Copies

•You must consider transmission security when emailing PHI

•You can send in unencrypted email if the patient is made aware of risks and still requests


HIPAA Omnibus Rule - Copies

•New rule modified the costs that may be charged to the patient for copies; include:

• labor costs

• supply costs if the patient requests a paper copy

• if electronic, the cost of any portable media (such as a USB memory stick or a CD)

• Must follow state law if a lower reimbursement rate is set.

HIPAA Omnibus Rule - NPP

•NPP must be updated

• Include:

•New breach notification guidelines

•Updated patient rights concerning disclosures to health plans

•Marketing using PHI

HIPAA Omnibus Rule - NPP

•Post revised NPP

•Make copies available

•All new patients

•Anyone who requests

•Post new NPP to website


Acknowledgement (Notice of Privacy Practices)

•Must make a good faith attempt to obtain a written acknowledgement from each patient that they have received a copy of your NPP.

Page 45

New Rules – Game Changer?!

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

HIPAA Omnibus Rule - Vigorous Enforcement

•Unaware of violation - $100 to $50,000

•Reasonable cause violation - $1,000 to $50,000

•Willful neglect - $10,000 to $50,000

•Willful neglect - $50,000 to $1.5 million

•Multiple HIPAA violations - surpass $1.5 million.

Page 46

Does Enforcement Happen?

Massachusetts provider settles HIPAA case for $1.5 million

Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively referred to as “MEEI”) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1.5 million to settle potential violations of the HIPAA Privacy and Security Rules. MEEI has also agreed to take corrective action to improve policies and procedures to safeguard the privacy and security of their patients’ protected health information and retain an independent monitor to report on MEEI’s compliance efforts. OCR’s investigation followed a breach report submitted by MEEI, as required by the HIPAA Breach Notification Rule, reporting the theft of an unencrypted personal laptop containing the electronic protected health information (ePHI) of MEEI patients and research subjects. The information contained on the laptop included patient prescriptions and clinical information. OCR’s investigation indicated that while MEEI’s management was aware of the Security Rule, MEEI failed to take necessary steps to comply with the requirements of the Rule, such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices, adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices, and adopting and implementing policies and procedures to address security incident identification, reporting, and response.

Does Enforcement Happen?

HHS Settles with Health Plan in Photocopier Breach Case

Under a settlement with the U.S. Department of Health and Human Services (HHS), Affinity Health Plan, Inc. will settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780. OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information stored on the copiers’ hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the hard drives to its leasing agents.

HIPAA Social Media and Texting Woes

•In today’s world of Social Media dominance, it’s easy to forget that HIPAA violations are a real concern

•Texting is also considered “electronic means”

Page 47

Scenario #1

•Associate doctor leaves to open new clinic

•Calls his buddy the CA and asks her to take pictures of a patient’s x-rays and text them because he doesn’t have time to wait for them to send them through the mail

Scenario #2

•CA posts on Facebook

“Just met (name of famous football player)… he is such a nice guy”

• Friend replies, “How did you meet?”

•CA replies, “Came in to get adjusted for low back problem”

•Profile reveals CA works at ABC Chiropractic

General Rules of Thumb

Don’t talk about patients, even in general terms.

•It’s too easy to identify patients by geography, circumstances, etc.

•A simple slip up can have far-reaching effects

Page 48

General Rules of Thumb

When providing educational content on your site, blog or Facebook page, avoid specifics

• OK to be general like, “Low back concerns of XYZ nature often present with these symptoms…”

• Never point out a specific case with any particulars that could be traced back to a patient

General Rules of Thumb

If you wouldn’t say it in the elevator, don’t put it online.

•You can try speaking your post out loud before hitting the enter key.

•You are always representing your office and your profession

General Rules of Thumb

Don’t mix your personal and professional lives.

•Use separate accounts for your personal and professional lives

• Don’t friend patients on Facebook

• Check privacy settings often and assume that anything you put online could become public

• If you want to have a professional presence on Facebook, create a page apart from your personal account

Page 49

General Rules of Thumb

Only use your cell phone for business texts if it is password protected

• Don’t use it for appointment scheduling or for having a whole conversation about a condition

• Texts about a patient’s care become part of the medical record

• You need to be able to track and document them

Record Retention

•HIPAA related documents are retained for 6 years

•Applies to authorizations, audit records, CA agreements, and contracts

Destruction of Medical Records

•You are responsible for wrongful disclosures due to improper disposal of PHI.

•Shred, get receipt

•Erase

•Proper disposal—not sitting around in office

Page 50

Know What Happens if you Sell Your Practice

• HIPAA allows for the exchange of PHI without a written release between current and prior, or contemporaneously treating, providers

• Does not permit the handover of PHI from one doctor to another, without the patient’s written permission, when a practice is being sold

• Dr. A does not know if all of his/her former patients are going to treat with Doctor B. For this reason, Dr. A cannot just hand over patients’ confidential records to Dr. B

• Just handing the records over to the purchasing practitioner or corporate entity may seem expedient, but it is a HIPAA violation

Possible Solutions

• Patients may not stay with new provider

• May make sense for the purchasing practitioner to agree to retain the records on site, essentially providing storage services for the selling practitioner’s records

• Seller and purchaser enter into a contractual agreement that the purchaser will provide the seller with access to the physical record upon reasonable notice (such as two business days), and that the purchaser will not release or dispose of any original records without the seller’s written permission

• As a part of this process, it will be necessary for seller and purchaser to execute a BAA, which helps ensure compliance with HIPAA’s requirements

Authorization is Required

•Patients who elect to stay with new provider can sign authorization

•New provider can then legally access the stored records

•Authorization is kept on file

Page 51

HIPAA is a Process…Not an Event

•Implementation requires commitment

•Don’t try to do it alone

•Realize that, like OIG compliance, it is an ongoing, evergreen process

•Take the first step to update what you have in place with these new forms and procedures

•Have fun! Helping Increase Paperwork Across America!

Need [email protected]