Electronic transfer of healthcare information is governed by a set of standards laid down in the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Some of the specific electronic transactions that were covered under the Act included explanation of benefits and insurance payments, verification of patient eligibility, referrals and prior authorization of patients, patient visit information and inquiries relating to claim status. However, since the inception of the Act, electronic technology and its use had evolved; thus making the standards outdated. In order to keep up with the advances in technology and its use in healthcare, the standards were updated under the new HIPAA laws.
HIPAA 5010 replaced version 4010 and was put into compliance on January 01, 2012. Under the 5010 regulations, there are over 850 changes to data entry and electronic claims transactions. For example, in order to accommodate ICD 10 codes, there is an increase of the field size for patient diagnosis in the HIPAA 5010 version. The changes under HIPAA 5010 which cover along with support of ICD 10 codes, other benefits like allowing multiple identifiers, information requirements on eligibility verifications, easier to comprehend NPI instructions and reduced denials has resulted in reducing manual claims processing and transaction costs.
The aim of the Health Insurance Portability and Accountability Act was to set standards relating to electronic transmission of personal health information under secure methods to maintain its confidentiality. The HIPAA Privacy Rule establishes conditions and limits to the use and disclosure of any personal health information without the patients authorization. Healthcare providers and clearinghouses, schools, government agencies and any other organization that provides healthcare services are covered under this rule. Although all healthcare service providers are supposed to adhere to the HIPAA Privacy Rule; the reality is that there are violations that take place. The ever changing regulations make it difficult to keep up with the rules. However, there are some violations that occur in larger numbers than others. Let us look at some of these common HIPAA violations that result in fines, sanctions or even loss of license.
Unsecured records
Any document with personal health information (PHI) has to be kept in a secured location on your premise. While physical files need to be secured under lock and key, digital files have to be secured with passwords and encryption. A password ensures that only those authorized can access the files, Encryption on the other hand, ensures that the files cannot be accessed through hacking your system or even in the case of a lost or stolen device.
Mishandled medical records
A rather common violation that occurs when a healthcare provider using a written chart or record of the patient leaves it on the table or in the examination room – thus, making it available for another patient or other unauthorized personnel to examine it. All physical records must be kept away before allowing another person into the room.
Disclosure by employees
An employee discussing about a patients case with a co-worker, family or friend results in a HIPAA violation. While discussions between two workers who are both involved in treating the patient is permissible; discussing or talking about it with anyone not connected to the treatment is not acceptable and can result in fines.
Texting PHI over un-encrypted devices
Relaying information through various apps on a smartphone has come to stay. However, texting PHI over any device to another, wherein either or both do not have encryption, allows potential hackers to access the information. Non encrypted devices are also vulnerable if they are lost or stolen. Posting photographs on social media is a violation too and is punishable under the Act.
Accidental disclosure
Imagine you are at a social gathering and someone makes an inquiry about a friend’s health condition. In case you answer the query, remember disclosing information to an unauthorized person is a HIPAA violation. Such cases do occur frequently at social gatherings and it is best to be prepared with a standard response that does not breach the PHI.
Lack of employee training
The HIPAA Act requires every employee, intern, volunteer who would have access to PHI to undergo training to familiarize themselves with HIPAA regulations. Non compliance of this rather easy rule can lead to fines.
Authorization for disclosure
Any disclosure or use of PHI not used for payment, treatment, any healthcare operations or permitted by the Privacy Rule requires a written consent from the concerned individual. The best way to avoid violating this rule is to play safe and get prior authorization from the patient.
Unauthorized release of PHI
Imagine treating a celebrity at your facility. It is very easy to get carried away and release information to the media – who in turn release it for the rest of the world. This is a gross violation of the Privacy Rules. Another common violation is providing information to family members of the patient – only dependents or Power of Attorney holders of the patient are allowed access to their health records.
Disposal of records
Any record that contains PHI should be disposed off in a proper manner. While using a paper shredder for physical records is the proper way; digital records need to be erased from all media for proper disposal. This violation can be controlled by proper training and enforcement at your premise.
Non HIPAA compliant associate agreement
One of the common violations that occur in a large number of cases is entering into a business associate agreement with a non HIPAA compliant vendor who will be provided or given access to PHI. The responsibility to ensure that PHI from your premise is shared with only those who are HIPAA compliant is yours. Violations can be expensive to your practice.
We, at MedConverge, can help!
Non adherence to the constant changes to HIPAA regulations to meet the changing healthcare landscape can result in violations in your premise leading to criminal or civil fines and damage to your reputation. To ensure that your practice does not get embroiled in such a situation, our team ensures that your billing adheres to the latest HIPAA guidelines.
References
- Monegain, B. (2015, December 28). 10 most recent HIPAA breaches. Retrieved September 05, 2018, from www.healthcareitnews.com: https://www.healthcareitnews.com/news/10-most-recent-hipaa-breaches
- The Most Common HIPAA Violations You Should Be Aware Of. (2017, October 26). Retrieved September 05, 2018, from www.hipaajournal.com: https://www.hipaajournal.com/common-hipaa-violations/
- Version 5010 . (2018). Retrieved September 05, 2018, from www.cms.gov: https://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/Versions5010andD0/Version_5010.html
- What is HIPAA 5010 and What Will its Laws and Rules Do? (2018). Retrieved September 05, 2018, from www.mb-guide.org: http://www.mb-guide.org/hipaa-5010.html