Protect Your Practice From HIPAA Investigations
Posted June 20, 2016 by Stacy Bolzenius
The Health Information Portability and Protection Act (HIPAA) was created in 1996 to safeguard patients’ medical information. Since then it has been divided into three sections — the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. Each provides federal standards for how medical data is protected and distributed, as well as how patients are notified of a potential health information breach.
According to the U.S. Department of Health and Human Services (HHS), the Office of Civil Rights (OCR) has received 132,559 complaints and has begun 887 compliance reviews since 2003. With HHS’s toll-free number, online form, and a dedicated email address for complaints, it is easier now than ever to file a HIPAA complaint. Since a single complaint reaching OCR has the ability to greatly hinder your practice while an investigation takes place, it is vital that you create compliance protocols and ensure that your staff adheres to them.
Understand the Process
Should any of your patients have a HIPAA complaint to lodge, what do they do? Does your office have a HIPAA complaint form at the ready? Is there a HIPAA compliance officer in-house that can take the written form, speak with the patient, determine if a violation has occurred and resolve the complaint? The goal is for a patient to not only be aware of her rights, but understand how to exercise them in-house without involving HHS.
If your practice receives a complaint, it is vital that your staff be aware that it is the right of the patient to file one. Once a complaint is received, there must be a process in place to resolve the patient’s complaint before the complaint is formally lodged with HHS. This must include contacting the patient as soon as possible to make them aware of the process, keeping the patient informed on the steps being taken to mitigate risk and address their complaint, formally notifying the patient of the outcome of the investigation, and keeping detailed documentation so the practice can avoid any complaints in the future.
Such a process conveys the importance of HIPAA not only to the patient but to the front office staff as well, who may be prone to the greatest number of violations simply because they do not understand the severity of the outcome.
Know Common Problem Areas
According to HHS, private practices are the most common type of entity that has been required to take corrective action due to a HIPAA violation, with hospitals and outpatient facilities coming in at second and third, respectively. For women’s health physicians, these entities cover the entirety of your practice and require the most diligent care in order to keep patient information confidential.
Throughout the history of HIPAA, the OCR has investigated a variety of instances where HIPAA laws were broken. The most common among them were:
- Impermissible use and/or disclosure of information
- Lack of safeguards on information
- Lack of patient access to their health information
- Lack of administrative safeguards on electronic information
- Use and/or disclosure of more than the minimum necessary information
Offer Robust Training
One of the best ways you can prevent a HIPAA violation is to make sure your staff is properly trained. HIPAA compliance should be incorporated into your orientation training for new staff members, and regular refresher courses should be offered to make sure everyone stays up to date with any new developments. Ongoing training is especially important if your office has experienced a HIPAA violation.
To learn more about how to protect your practice, reserve your place in one of our in-person or online seminars and make HIPAA privacy a priority.