What You Think You Know About HIPAA is Wrong.
There are many myths and misconceptions about the HIPAA regulations. Many offices we work with are violating the HIPAA Privacy Rights of their patients while they think they are following HIPAA. Does your office email patient records to the patient upon their request? Does your office have a policy that restricts faxing patient records? HIPAA requires your office to both fax and email patient records upon request. "HIPAA is a valve, not a blockage" states HHS OCR Director Leon Rodriguez. Director Rodriguez goes on to state that the patient should be informed that these methods of transmission are not secure and could be intercepted. Once the patient understands the risks and agrees, send the records as requested. Always document that the patient was notified of the risks to protect your practice. Not sending the records in electronic or paper format is most likely a violation of the HIPAA Privacy Rule.
Does your office routinely receive and send out medical records in response to subpoenas? Unless the court order is signed by a judge, your office must either notify the person who is the subject of the information about the request, so that the person has a chance to object to the disclosure, or seek a qualified protective order for the information from the court. Thus subpoenas signed by a court clerk or an attorney require notification under the Privacy Rule.
Your office can disclose patient information to employers to administer sick leave, workers' compensation, wellness programs or health insurance. Other patient information may not be disclosed without patient authorization, unless other laws require you to disclose it.
Stay Tuned: More HIPAA myths and misconceptions will be clarified in upcoming articles.
Written by Michael McCoy
HIPAA Fines Increased
If you are a physician practice and believe that only hospitals and large pharmacies are going to incur major HIPAA fines, think again. HHS just imposed a $100,000 penalty on a physician practice in Phoenix for non-compliance with HIPAA laws. Not only did the government impose monetary damages for the HIPAA violation, the Phoenix practice is also bound by a Corrective Action Plan (CAP) for a minimum period of one year. Total costs to the practice for this HIPAA violation are unknown, but with attorney fees, the breach response requirements and other costs, you can be sure the Phoenix practice has paid a lot more than $100,000 and could be paying more for at least the next year.
This HIPAA violation would have been uncovered with a security risk assessment by HITECH Associates. For as little as $299 physicians and business associates can complete an on-line risk assessment that would have uncovered the HIPAA violations and deficiencies that led to the monetary penalty and CAP. The on-line risk assessment consists of a detailed questionnaire filled out by your office, a review by HITECH Associates with your IT personnel, our inclusive risk analysis report and our exclusive Step-by-Step Compliance Plan (Risk Management Report).
For more information on HHS's findings on the Phoenix physician practice go to:
HHS Press Release: http://www.hhs.gov/news/press/2012pres/04/20120417a.html
Corrective Action Plan: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/pcsurgery_agreement.pdf
For more information on on-line risk assessments starting at $1,095 call 813-892-4411.