IDENTITY THEFT, PROTECTED HEALTH INFORMATION EMRs and OTHER FEDERAL REGULATORY ISSUES
This is the second in a series of articles on
avoiding fraud and theft in healthcare professionals’ offices.
The article is meant for medical professionals including physicians,
dentists, home nursing and mental health professionals. If you have any
questions about this series, feel free to contact attorney Matthew L. Kinley, a
healthcare lawyer in Long Beach, California at 562.901-3050.
Medical providers store all sorts of private information. Patients give medical providers virtually every identifying fact about themselves possible. Records kept in the office include information about the health of the patient. Billing records have banking and other important financial contacts.
Medical providers have an obligation to protect private health infomration. Federal and state laws impose specific obligations to protect information provided to medical providers. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and related regulations, the Health Inforamtion TEchnology for Economic and Clinical Health (HITECH) and realated regulations, and the California Business and Professions Codes and related regulations are all laws designed to protect patient’s privacy and to require providers to keep information private.
Medical providers, if they expect payment from Medicare, Medicaid (Medi-Cal in California) or from private payors, will have Electronic Medical Rerords systems in place. This expansion of electronic records require medical providers to institute plans to follow complicated regulations to make sure they are able to survive government audits and in order to make sure that medical records are safe. Failure to do so may result in penalties and fines.
ACTION ITEMS:
What to do to protect electronic information?
1. Hire competent people.
Take the time to carefully research people you hire. Check their references. Make sure they are not on the Office of Inspector Generals Excluded Persons list. (Persons on this list have been found by the OIG to be involved in some sort of fraudulent scheme.)
2. Prepare a HIPAA Compliance Plan. Every medical provider, no matter how small, should prepare such a plan. Failure to do so can result in serious fines and penalties, even if no information is leaked. The basics of such a plan include:
a. Appointment of a privacy officer. Takes charge of the office’s privacy efforts.
b. Security Rule Analysis. This is the first part of preparing a HIPAA plan.
c. Prepare a Breach Policy. This is what to do if there’s a breach and confidential helath information is made public.
d. Training of your employees. All employees need to be trained in basic patient privacy.
e. Privacy Notice. The law requires every health provider to have and have published a Privacy Notice.
f. Business Associate Agreements. The provider is required to protect all information if using other entities to help with collections or other information gathering.
g. Policies relating to release of information. When can a patient’s information be released? To whom can the information be released? How is such information sent (internet? e-mail?).
Some of the nuts and bolts of your plan will include:
a. Negotiating Leases. Make sure your landlord does not have access to protected health information. Most leases allow the landlord to enter the premises, either upon notice or during emergencies. These entrances into the medical space should be limited.
b. Patient sign-in sheets don’t disclose protected medical information.
c. Patient schedules can’t be seen.
d. Confidential discussions can’t be overheard.
e. Computers have proper encryption and passwords.
f. Computer monitors can’t be seen by passersby
g. Internet use is secure.
h. Filing cabinets are locked.
i. Use encryption. Monitor lap tops and portable storage devices to make sure they are not lost.
e. Keys and access items are retireved from former employees.
Modern electronic information requires that all medical providers comply with the law and institute privacy procedures. Our office provides guidance on such matters for a flat fee. You can call for a no cost consultation at any time.