With HIPAA, compliance is often easier said than done. Even with designated compliance officers, many organizations continue to make infractions that they’re not even aware of. An employee who improperly emails protected electronic health information (ePHI) to a physician. A laptop containing client information that is stolen. Paper files that are not properly disposed of.
These infractions happen all the time. And they're costly.
In 2015, a stolen laptop that exposed the PHI of 599 patients cost one hospital $750,000. Even in cases where an organization did their due diligence and was not found to be at fault for the breach of privacy, they can be penalized up to $50,000 per violation. It all depends on the circumstances.
The good news is that some of the common compliance issues are easily corrected with solutions that can mitigate your organization’s risk. Here are three:
Common Compliance Issue: Mishandled Client Files
The problem: Both active and inactive client files can be kept in such a way that it is difficult to control access to them. Paper records must be kept private, but this is increasingly difficult with staff members juggling an increasingly high volume of clients. Commonly, client records are left lying around, where they can be easily accessed by the wrong person.
The fix: Store them electronically and ensure that you can audit access to the records, so that you know for certain who has accessed client records and what they have done with those records. For instance, have they printed documents? With electronic files, it’s important to make sure that you have audit trails, so you can see who accesses records at any time. This provides protection when the burden of proof is on you to assure auditors or other specialists that your records were not compromised.
Common Compliance Issue: ePHI Not Secured
The problem: There are several instances where staff might think ePHI is secure, when in fact it is not. A common example of this is staff emailing patient information or attached ePHI without using encrypted email. Another example is when the PHI is stored on an unencrypted laptop or server, or is saved in software that does not adequately protect that information. Some of these issues are particularly problematic, because they leave PHI vulnerable to hackers.
The fix: When records are stored electronically, HIPAA requires that they are encrypted with 256-bit strength encryption. This applies both when they are stored and during transmission. It’s important to note that encryption is different from standard security protocols, like passwords. Standard email is not encrypted. It’s essential to protect yourself in all scenarios.
Common Compliance Issue: Vulnerability to Disaster and Threats
The problem: If the building sprinkler system deploys, equipment malfunctions or your client records are stolen, you have problems. Paper files are particularly vulnerable to catastrophe or theft. But, even if a disaster befalls ePHI, you are required to replace those files. The problem is, a lot of organizations that are storing documents electronically don't have a disaster recovery plan or adequate backups. However, HIPAA requires that you back up and store ePHI in a secure facility offsite and have a plan to recover and reinstate the client data.
The fix: Any paper files should be converted to electronic format. This allows you to securely duplicate and store PHI offsite and restore it in the event of a disaster. It also is a deterrent to theft. Your ePHI needs to be backed up and your organization needs to have a disaster recovery plan in place. The plan must stipulate that ePHI is securely stored offsite in a data storage facility that is climate controlled and protected and should govern how these files will be reinstated. If you're shopping for a document management system, make sure that this is on your "must-have" list.
HIPAA regulations are complex, and as we have seen, not knowing some aspect of the law is not justification enough to get off the hook. By putting more systems in place to correct these problems, you’re in a better position to protect PHI and your organization from hefty fines.
Milner Technologies is a leading provider of document management solutions, with extensive experience helping organizations in the behavioral health space gain control of their client files.