Providers and patients are the gears that turn the massive engine that is the healthcare industry and medical records chronicle this system. Without the accurate keeping of data related to a patient’s personal health and treatment history, the entire system would grind to a halt.
Medical records run throughout the entire healthcare system, making each step of the process documented well enough to protect privacy. A patient's medical records are viewed during a medical encounter, and as a result new medical records are created that are passed on to payers responsible for compensating a practice for the services provided. From there, data administrators process and refine the data, which is then sent back to the healthcare provider, where the process begins again. The responsibility of handling those records with accuracy and care is massive, and third-party personnel are often required to make the process function smoothly. These third-party groups assist in processing data at a higher rate and efficiency than record administrators alone, allowing medical records to move in a timely and accurate manner. This is essential to the healthcare provider, as the way a practice handles its medical records can either provide a positive experience for the patient or sink the whole operation altogether.
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1998 to provide clear legal guidance for the handling of medical records. The HIPAA Act outlines privacy standards for those directly involved with the healthcare process in the United States and the industries that support them. The HIPAA Act was passed with the intention of protecting the medical records of patients that were stored in multiple locations as a result of the healthcare boom. As the options for care expanded, the federal government believed that the patients’ right to privacy should be protected.
The HIPAA Act was designed to do just that, to protect medical records from those who are not actively involved in a patient’s care. Personal information involving a person’s health is a very private matter and patients deserve to have that right to privacy respected. Healthcare providers, supporting industries and business associates of those entities are required to protect patient data under HIPAA. Medically sensitive information about patients is to be kept confidential and accessed only as required.
The healthcare provider is any entity that is directly involved with the medical care of a patient or any entity that provides professional advice related to that treatment. Medical billers are among the entities that offer professional services to healthcare providers, assisting them in receiving compensation for the care provided. Business associates are those entities that offer additional assistance to these parties to accomplish their goals regarding HIPAA compliance.
While the above-mentioned parties are held responsible for protecting a patient's medical records, the patient is empowered by the law to keep their information as private or as public as they wish. If any entity responsible for upholding HIPAA regulations fails to do so, it may be subject to fines or penalties enforced by the United States Department of Health and Human Services Office of Civil Rights. While patients are certainly able to release their personal information largely on their own terms regarding what information is shared, with whom it is shared, and for what duration it is available, there are certain instances in which the federal government reserves the right to permit the release of private medical records to third-party entities.
Considering that the protection of medical records is crucial to any business in the healthcare industry, it is very important to establish what information is specifically protected under the HIPAA Act. The term medical records under HIPAA is understood to cover any information generated by interactions with healthcare providers that is preserved in any form. This definition goes as far as to include oral accounts of physician-patient interaction.
Even non-health related data can be considered medical records. Any information that can be used to personally identify a patient in any way is considered a medical record for HIPAA compliant purposes. This can include a patient’s contact information, such as their phone number, home and e-mail addresses. Many other documents often considered to be secondary data such as prescriptions, counsel, distributed literature, etc. are considered to be medical records and are therefore protected under the HIPAA Act.
While the concepts of personal privacy are held and appreciated by the wide majority of Americans, these laws cause little change unless responsible entities comply with the regulations set forth within the HIPAA Act. Compliance with HIPAA is essential to prevent fraud and abuse from taking place against the patient and their privacy. All healthcare providers, medical billers and their business associates must comply with the security measures established by HIPAA. These security measures come in three forms: physical, technical and administrative security. Each of these three forms of security must be applied to all medical records for which a particular entity is responsible. If a responsible party fails to secure each of the documents appropriately, that party is liable to be punished for non-compliance.
The first form of security a healthcare company must use to protect its medical records is a physical form of security. This is simply to ensure that the data in question is not physically accessible to third parties that do not have an interaction with the patient that warrants access to their records. Physical security for data can be accomplished by simply having a lock on files or cabinets that contain sensitive patient data, with the keys being available only to those that have a valid need to access those medical records.
The second form of security, technical, largely refers to electronic documents, which have become more and more common with the expansion of the Internet. Technical security tends to be more complicated to accomplish, as those responsible for protecting files on a network must constantly search for vulnerabilities or methods that could allow the theft of documents to take place via the Internet. This often includes firewalls and special business-specific programs that prevent private health information from leaving the home network.
Third, administrative security addresses company policy that is intentionally amended to increase the security of confidential information within the company. This may include e-mail and cellphone policies instituted within the company that seek to prevent the theft of data from the business by its own employees. Failing to establish administrative policy is one of the most common ways that the HIPAA Act is violated.
Establishing the security and abiding by the regulations set forth by HIPAA can be a daunting task. Many steps must be taken to ensure that documents are secured in a way that is in complete compliance with the HIPAA laws. For this reason, many healthcare-related companies choose to have an outside organization conduct a compliance audit to verify that the company's policies and procedures are sufficient to prevent any penalties under HIPAA guidelines. Once such an audit is conducted and the results show that the business is indeed in compliance with HIPAA security standards, the entity can promote the fact that it is HIPAA certified, showing potential patients and clients that it can be trusted to provide a legally sufficient level of security for private health information. With this certification comes consumer confidence that their information will be protected from those with ill intent.
Those entities that are able to establish and carry out the security standards set forth by HIPAA are termed HIPAA compliant. While securing private health information is a major component of being HIPAA compliant, another aspect of correctly handling medical records is releasing that information appropriately. A compliant release of private health information can be accomplished through the use of an authorization form. This authorization form is to be issued by the HIPAA-responsible entity and must include clear and concise language that can be understood by the patient giving authorization. The form must state exactly what information is being released, to whom that information is being made available, and for what duration that private information will be made available.
Once this information has been included by the healthcare-related party and has been understood by the patient, he or she may give their authorization by signing the authorization form. This authorization form must be retained for the records of the practice and the patient alike, while being protected by the security provisions outlined under the HIPAA Act. Having such a release form required under the HIPAA Act gives power to the patient to both protect their data from unauthorized parties and to know exactly how any data that is released will be used.
The authorization form protects patient data in the majority of situations where third-party access is requested. However, there are particular situations in which the patient's right to privacy is trumped by another's demand for those same medical records. This trumping of a patient's privacy is seen most prominently when medical records are involved in litigation. If medical records are obtained legitimately for these purposes, their release without patient authorization is still compliant with HIPAA regulations. The same is true when medical records are subpoenaed by a court. In this situation, whether or not the patient authorizes the release of their private health information, it is within the rights and obligations of the healthcare-related entity to release the documents to the requesting parties.
Seeing the amount of responsibility and additional work that is required to handle private health information in a HIPAA compliant manner, it is not unreasonable to seek assistance from a third party business associate. These associates can perform a variety of functions while processing medical records. While these firms can be a great help, they can also cause quite the headache if they fail to comply with HIPAA privacy regulations.
Over the past year, several major HIPAA violations occurred. The parties involved ranged from private medical practices to large government organizations. This goes to show that not just any group can handle data in a HIPAA compliant manner. A trustworthy organization must be able to provide security in all three areas: physical, technical and administrative.
In June 2014, Parkview Health System, Inc. agreed to pay an $800,000 fine after potential violations were discovered surrounding the physical security of its medical records. The violations were discovered by the Department of Health and Human Services' Office of Civil Rights during an investigation stemming from a complaint received from a retiring physician that the company had violated HIPAA privacy laws. During the summer of 2008, Parkview was given charge over some 8,000 files while the patients of this particular doctor were transferred to new practices. The violation occurred on June 4, 2009, when Parkview employees left over 70 boxes full of medical records on the physician's driveway after finding that he was not home to receive the delivery. The boxes were left unattended on the driveway for some time. The records were within eyesight of a heavily-travelled road, just miles away from a busy shopping center. At any point in time, those files could have been compromised and private patient data could have been released or even stolen.
This was a major violation of HIPAA security rules, which mandate that patients' private health information be kept in a secure location not accessible by non-authorized third parties. As a result, Parkview agreed to pay an $800,000 fine and institute a corrective action plan that involves updating the company's security policy, providing additional training to its staff and providing a report detailing the company's implementation of those measures to the Office of Civil Rights.
Technical security is becoming more and more important as foreign and domestic criminals alike have targeted confidential consumer data in recent years. Contact and demographic information is especially useful to thieves seeking to steal the identities of American citizens.
Along these same lines, a major HIPAA violation of technical security standards occurred in May 2014. The responsible parties were the New York and Presbyterian Hospital and Columbia University. Both parties failed to secure thousands of patients’ private information that was held on their network. As a result, The Department of Health and Human Services Office for Civil Rights collected its largest HIPAA settlement to date: $4.8 million.
The investigation began after the parties submitted a joint breach report in September of 2010. The report disclosed the failure to secure the data of nearly 7,000 individuals. The compromised data included personal information regarding the patients’ status, medications and lab results.
The breach in question occurred on a shared network and firewall. While the New York Presbyterian Hospital and Columbia University are considered separate entities, they do work jointly. Faculty members at Columbia are known to also serve as attending physicians at the hospital. The breach is believed to have occurred when one of the attending physicians, employed as a faculty member at Columbia, attempted to deactivate a personally owned computer from the shared network. Once the device left the network, the private health information that remained on it found its way onto the public Internet. The records could even be found through a Google search.
The lack of technical safeguards was found to be to blame for the breach. While the breach itself was serious enough, the investigation shed even more light on the partnership, and what it found was unflattering. The Office of Civil Rights found that neither New York Presbyterian nor Columbia University had made any previous effort to ensure that its servers were secure or that the necessary software was installed to sufficiently protect patient data.
Of particular importance is that those handling a large volume of cases must be systematically diligent in enforcing HIPAA compliant privacy standards or face dire consequences. Especially weak links are business associates who do not implement these standards well.
As has been outlined throughout this presentation, the process of understanding and maintaining HIPAA compliance can be daunting for any organization responsible for upholding and maintaining these standards. Amidst the flood of other obligations related to the practice of medicine, many of these organizations seek assistance from a third party to ensure that the necessary tasks are completed in a timely, accurate and professional manner.
At this point, the burden of HIPAA compliance by the business associate falls on the organization having the work outsourced. If the third-party associate is incapable of handling case data appropriately, the business agreement can end up being more of a hindrance than a help.