Most chiropractors are familiar with the importance of safeguarding their patients' protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) and the consequences that can occur from a violation of the privacy law. Even if you are one of them, your practice could still be in danger of violating HIPAA if you are not up-to-date on the changes to the laws brought by the final HIPAA omnibus rule. The changes brought to HIPAA by the omnibus rule mean that a violation could result in not only damage to your reputation, but also significant criminal and civil fines. The new enforcement features, strengthened by an active program of HIPAA audits, mean your practice must be more vigilant about your privacy and security programs than ever before. Let's take some time to review the most frequently encountered violations, as well as what your practice can do to avoid them.

Unauthorized Access of PHI

One of the most common HIPAA violations typically occurs by accident. While accidental, the unauthorized access of protected health information (PHI) by a member of your practice's team can be a serious offense. This can occur by the inadvertent addition of the wrong recipient to an e-mail containing PHI or by picking the incorrect chart from the computer screen. On a much higher level of significance, cybercrime, the unauthorized use of PHI with the intent of committing insurance fraud or identity theft, is on the rise, and individuals trafficking in stolen personal information are often caught and prosecuted to the fullest extent of the law.

Your practice can avoid this offense by tightening the security of all of your patient records. Set up administrative safeguards to prevent unauthorized personnel from accessing, viewing, or receiving PHI. An important step in this process is to set up a password-protected, centralized system for accessing PHI, and to place one trusted practice team member in control of who gets a password.
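To make the safeguards above concrete, here is a small added model (example code written for this article, not from the author, a vendor or any EHR product) of a centralized chart store: only accounts created by the designated team member exist, a chart can be opened only by staff on that patient's care team, every open attempt is written to an audit trail, and a review routine turns that trail into the kind of findings a privacy officer would look at when monitoring access on an ongoing basis. The roster, care-team assignments, business hours and the timestamps are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time

# Constructed roster: accounts exist only because the designated team member created them.
ROSTER = {"dr.lee": "provider", "front.desk": "reception", "billing.1": "billing"}

# Constructed care-team assignments: chart id -> users permitted to open that chart.
CARE_TEAM = {
    "chart-1001": {"dr.lee", "front.desk", "billing.1"},
    "chart-1002": {"dr.lee", "billing.1"},
    "chart-1003": {"dr.lee"},
}

# Assumption: practice hours used to flag after-hours chart access for review.
BUSINESS_HOURS = (time(7, 0), time(19, 0))


@dataclass(frozen=True)
class AuditEntry:
    ts: datetime
    user: str
    chart: str
    allowed: bool


class ChartStore:
    """Central, access-controlled store that records every chart open, allowed or denied."""

    def __init__(self, roster, care_team):
        self.roster = dict(roster)
        self.care_team = {chart: set(users) for chart, users in care_team.items()}
        self.audit = []

    def open_chart(self, user, chart, ts):
        # Deny unknown accounts, unknown charts, and staff not on the chart's care team.
        allowed = user in self.roster and user in self.care_team.get(chart, set())
        self.audit.append(AuditEntry(ts, user, chart, allowed))
        return allowed

    def revoke(self, user):
        # The account controller removes departed staff; later attempts are denied and logged.
        self.roster.pop(user, None)


def review_audit(entries, hours=BUSINESS_HOURS):
    """Return (kind, user, chart) findings: denied attempts and allowed after-hours opens."""
    findings = []
    for e in entries:
        if not e.allowed:
            findings.append(("denied", e.user, e.chart))
        elif not (hours[0] <= e.ts.time() < hours[1]):
            findings.append(("after_hours", e.user, e.chart))
    return findings


def access_summary(entries):
    """Distinct charts successfully opened per user, a simple baseline for spotting unusual volume."""
    per_user = defaultdict(set)
    for e in entries:
        if e.allowed:
            per_user[e.user].add(e.chart)
    return {user: len(charts) for user, charts in per_user.items()}


def demo():
    """Run a constructed day of activity and return the store and its review findings."""
    store = ChartStore(ROSTER, CARE_TEAM)
    morning = datetime(2014, 3, 10, 9, 15)
    store.open_chart("dr.lee", "chart-1001", morning)                      # on care team, in hours
    store.open_chart("front.desk", "chart-1002", morning)                  # reception not on this team
    store.open_chart("billing.1", "chart-1002", datetime(2014, 3, 10, 22, 40))  # allowed, but after hours
    store.revoke("front.desk")
    store.open_chart("front.desk", "chart-1001", morning)                  # revoked account, denied
    return store, review_audit(store.audit)


if __name__ == "__main__":
    _, findings = demo()
    for kind, user, chart in findings:
        print(f"{kind:12} {user:12} {chart}")
```

The point of the design is that the access check and the audit record live in the same place, so a denied attempt is evidence rather than a silent failure, and the review step is something one person can run routinely rather than a one-off investigation.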
You should also change your passwords periodically in case of any possible breach of privacy. Inform your staff that you monitor access to patient records on an ongoing basis and be sure to train those with access about the proper methods for protecting privacy. Make sure your staff knows that you will hold them accountable for any breach they cause—intentional or otherwise.

Lack of Patient Access to PHI

When requested, your patients must be allowed to access their private health records. Your electronic health record (EHR) system should provide you with the ability to create a portal for patients that is protected by username and password. Provide your patients with this information upon intake and periodically follow up with patients to be sure that they are aware of their access.

Improper Use of the Internet

Your office policy should clearly outline what are and are not permissible uses of social media, e-mail, and the Internet in your practice. When you institute a social media policy, be cognizant of Section 7 of the National Labor Relations Act, which protects certain kinds of speech on social media. Be sure that your practice team members are aware that posting any protected health information on social media—even when the patient is not identified by name—is a privacy violation and subject to review. Your staff members should also know that they should not send any unencrypted e-mails that include PHI. This policy should include their personal mobile devices.

Failure to Protect Paper Documents

When protected documents fall into the wrong hands, it can result in financial penalties to your practice and cause great personal and even employment upset for your patients. You can prevent this from happening by not allowing patient records to leave your practice. Patient records should be stored in a locked cabinet or room that can be accessed only by authorized personnel.
You should avoid placing any stickers or other methods of identification of a patient's diagnosis on the outside of the patient's chart. If patient records are to be stored offsite, be sure that they are in a secured setting. When outsourcing the shredding of patient records, utilize a professional service that guarantees privacy.

Being Overheard Discussing PHI

You should train your practice team members to be aware of who else may be listening to their conversations, whether it is when discussing a patient's condition in earshot of the reception room or when leaving a message on a patient's answering machine. Inform your staff that they are not to leave any PHI in phone messages and not to discuss it where they can be overheard by other patients or visitors. You should provide private spaces where discussions of health information in person or via the telephone can be held.

Not Providing a Notice of Privacy Practices

HIPAA's omnibus rule changed the rules about providing patients with access to your notice of privacy practices. Prior to omnibus, the rule required posting of the privacy notice where patients could view it. The new rule requires you to make a significantly more extensive notice—increased to nine pages in length from the previous one-page document—available to patients. Most importantly, the new rule requires you to have an "Acknowledgement of Receipt or Refusal of the Notice" signed by each patient and retained in their chart. Make this part of your everyday routine practice procedure for all patients.

What Else You Should Know

HIPAA violations must not be taken lightly. HIPAA compliance is an active and ongoing process that requires the attention of every member of your practice team.
If you do not currently have a qualified security and privacy officer as a member of your staff, your practice should consider hiring an outside HIPAA compliance consultant to conduct an audit of your current privacy safeguards and to determine whether improvements are required. New technology tools are developed on a regular basis that can assist you with your compliance obligations. A compliance consultant can help guide you to the most appropriate tools for your practice.

The Office of Civil Rights (OCR) is responsible for the investigation and prosecution of HIPAA violations. The OCR provides practices with leeway when a violation is reported, and will work with practices to address remediation plans when a breach of PHI occurs. The key point is that your practice must be able to demonstrate that your HIPAA policies are current, that your practice team members are trained on a regular basis, and that the protection of your patients' privacy is a part of your practice's culture. While audit insurance is available, most policies do not provide coverage in the case of a breach of PHI. The new HIPAA rule increased penalties for noncompliance that are based upon whether a violation is promptly corrected and the level of negligence involved. If you should identify a potential breach in your practice, it is important to act quickly to engage an attorney who is an expert in HIPAA compliance so that you can hopefully avoid a headline-making settlement.

Dr. Mark Sanna is a member of The Chiropractic Summit, the ACA Governor's Advisory Board and a board member of the Foundation for Chiropractic Progress. He is the president and CEO of Breakthrough Coaching (www.mybreakthrough.com, 1-800-723-8423).