4 Expert Tips for Avoiding HIPAA Pitfalls

By: Dental Product Shopper
4/15/2025

As dental practices navigate important updates in maintaining electronic patient information, consider these insights from a HIPAA expert

OLIVIA WANN, JD

Olivia Wann founded Modern Practice Solutions, LLC, in 2000 and established her law practice in 2012. She earned her Doctorate in Jurisprudence from the Nashville School of Law. Specializing in regulatory compliance, Wann is a sought-after speaker, presenting on topics like OSHA and HIPAA compliance, cybersecurity, and team performance. She has authored several compliance manuals and contributed to leading industry journals.

Earlier this year, the Department of Health and Human Services proposed significant updates to the HIPAA Security Rule. With a goal of strengthening cybersecurity protections for electronic protected health information, these changes will have wide-ranging implications for dental practices and the patients they serve. Olivia Wann, JD, who specializes in dental practice law, cuts through the confusion—offering insights into how to avoid common pitfalls that can lead to violations.

1. Patients and Their Records

One of the most common pitfalls we’ve been dealing with as it relates to violations is very basic—the right to access. The patient has a right to access their records, including radiographs, treatment plans, completed services, notes, and payment information.

We’ve seen numerous violations, from complaints that have been handled by the Office for Civil Rights as well as cases of mine in which a patient requests their records and the practice doesn’t supply them. Many states set a certain number of days within which a practice must supply records after a request. If not, then the practice must follow the federal rule, which is 30 days (and might change to 15 with the updates). This is a simple fix—supply the record.

In most cases, a request isn’t responded to because the person in the practice who received it doesn’t know how to handle it. However, in one of the cases I handled, a front desk staff member said they’d release the records only if the patient paid money they owed to the practice. You can’t hold records hostage. That violates HIPAA.

Related to the right of access is who requests the record. If a patient appears in person at the practice to request their records and shows valid identification, they don’t have to sign a release. However, if the request comes from another provider, that disclosure must be authorized. I’ve seen a lot of chatter on social media platforms among dental professionals implying that an authorized disclosure isn’t required when responding to the request for records from another provider. That’s not correct—supplying records to another provider without patient authorization is a violation.

2. Protect Electronic Records

Currently, when a patient asks for a transfer of electronic health records, HIPAA rules say that encryption is “addressable” (covered entities determine for themselves whether the addressable implementation specification is reasonable and appropriate for them). When the rule was first put into place, encryption technology wasn’t what it is today. Now, practices can easily deploy encryption. For that reason, the proposed rule will require encryption. There’s no reason not to encrypt electronic health data.

On a related topic, consider your IT provider’s scope of services. In some cases, we find them to be insufficient or nonexistent. So, if there is a breach, was the IT provider monitoring their system? What services are you contracting for? If you’re on a “fix when broken” plan, that’s insufficient. You should be contracting for services monthly, including monitoring and updating firewalls. With the proposed rules, that would also involve vulnerability testing and ensuring all endpoints are encrypted.

Ultimately, you want an IT provider well-versed in HIPAA. Avoid general service providers. You want someone who works exclusively in healthcare. They’ll understand the need for higher levels of security.

3. Staff Training

The Security Rule states that HIPAA training should occur periodically. In other words, it’s not just one and done. Practices should put training on the schedule to ensure it’s completed. You also want to provide communication about HIPAA reminders, which can be woven into regular staff meetings, such as morning huddles and monthly meetings. This will ensure that HIPAA privacy and security rules are part of your practice’s ongoing discussions.

HIPAA training can be quite complex, so you want to turn to trainers with true expertise who can serve as reliable resources for your staff. HealthFirst, for example, provides a variety of training options and resources through OnTraq, which can help keep your team up-to-date on a range of compliance issues. For instance, their online HIPAA Manual and Forms allow you to access information as needed at your own pace. It includes customized HIPAA annual employee training forms (customization is key because each practice is unique), an easily understood guide for implementing content, and a file system that allows you to organize and secure training records for 5 years.

4. Conduct a Security Risk Assessment

HIPAA requires all covered entities and their business associates to conduct an annual risk assessment to ensure they’re compliant with all of HIPAA’s administrative, physical, and technical safeguards. It also helps uncover any areas where protected health information (PHI) might be at risk. The Office of the National Coordinator for Health Information and the Health and Human Services Office for Civil Rights offer a free downloadable Security Risk Assessment Tool, which is designed for small providers. You can download the tool at healthit.gov/topic/privacysecurity-and-hipaa/security-risk-assessment-tool.

Follow the Leader

Ultimately, compliance requires a culture of safety and respect for the privacy of patients’ PHI. Leadership is key—when leaders respect and honor patients’ privacy, their staff will follow. However, if there’s a blatant disregard for patient privacy from the top, you have a domino effect that results in all staff members behaving the same way. Those leading a practice—including the practice owner and the office manager—must demonstrate their commitment to protect the patients they serve.
