8 COMMON HIPAA COMPLIANCE ERRORS TO AVOID

Transcription

1 Billing & Reimbursement Revenue Cycle Management 8 COMMON HIPAA COMPLIANCE ERRORS TO AVOID Billing and Reimbursement for Physician Offices, Ambulatory Surgery Centers and Hospitals Billings & Reimbursements Revenue Cycle Management

2 Common HIPAA Compliance Errors to Avoid Contents To prevent your staff from accessing medical records inappropriately, implement policies regarding appropriate record access and train your staff accordingly. 4 Texting or ing unencrypted PHI. 4 Failing to perform a risk analysis. 5 Failing to update the Notice of Privacy Practices. 5 Ignoring record amendment requests. 6 Not providing enough training. 6 Over-charging for medical record copies. 6 Being too open with access. 6 Releasing too much information. 2

3 Common HIPAA Compliance Errors to Avoid Keeping your patients protected health information (PHI) private is critical. Besides being unethical and illegal, HIPAA violations can be very expensive. Penalties for HIPAA violations range from $100 per violation, when the offenders don t know they re violating the law, up to $50,000 per violation when the violation is due to willful neglect and is not corrected. Physicians Practice recommends your medical practice take steps to avoid these common HIPAA compliance errors: 3

4 Texting or ing unencrypted PHI. Text messages are a convenient way for physicians to communicate with patients or other providers, but texts can be read by or forwarded to anyone. Text messages on your wireless company s server are not encrypted, so they re not secure and therefore violate HIPAA. To send secure text messages, you need to put a secure messaging service with encryption on your smartphone. To send secure messages, use a secure application. These apps use filters that recognize sensitive information (e.g., social security number or credit card information), attachments or key words like sensitive in the subject line and then automatically encrypt the message. If your patients insist on receiving PHI via , get their written permission to send and receive their s. To avoid using , you could use secure messaging through your patient portal. Failing to perform a risk analysis. HIPAA requires providers who create or store PHI electronically to conduct a security risk analysis following a series of steps to assess potential risks and vulnerabilities to the confidentiality, integrity and availability of their electronic PHI. Because a security risk analysis is now required for the Electronic Health Record (EHR) incentive program, auditors are checking whether practices have performed this analysis. 4

5 Failing to update the Notice of Privacy Practices (NPP). HIPAA requires medical practices to update their NPP, display it prominently in their facility and on their website, have patients sign it and give patients a copy. You may need to add this information to your NPP: Uses and disclosures of PHI that require authorization An individual s right to restrict certain disclosures of PHI to a health plan An affected individual s right to be notified following a privacy or security breach Ignoring record amendment requests. Under HIPAA, patients can request changes to their medical record, and practices must address those requests within 60 days. If you don t agree with the patient s request, explain why you re not making the change. Give the patient a copy of your written explanation and include it and the patient s written request for record amendment in the EHR. 5

6 Not providing enough training. HIPAA requires formal education and training about the privacy and security rules. Jim Hook, a healthcare consultant, recommends medical practices provide HIPAA training to all staff when they re hired and then at least once a year thereafter. Be sure to document the training you provide. You re also required to provide periodic security reminders to your staff. You could do this by sharing s regarding relevant privacy or security issues in the news, or by including a regular HIPAA column in your staff newsletter. Over-charging for medical record copies. HIPAA requires practices to provide copies of medical records when patients request them. You re only allowed to charge a cost-based fee that s set by most states and is usually limited to 50 cents or $1 per printed page. You re not allowed to charge a processing/handling fee. To ensure compliance, examine your state s regulations and consult an attorney if necessary. Be sure to provide medical record copies within the required timeframe (usually 30 days, but it may be shorter in some states). Being too open with access. Only staff members who need access to medical records for treatment or payment purposes or healthcare operations should be reading them. To prevent your staff from accessing medical records inappropriately, implement policies regarding appropriate record access and train your staff accordingly. Run EHR audits regularly to determine whether anyone s guilty of record snooping. Releasing too much information. Providing too much PHI to outside entities, such as when responding to subpoenas for medical records or requests for information from payers or immunization records from schools, is a HIPAA violation. Pay close attention to the specific information and dates of records requested (in the case of a subpoena) so you don t provide extra PHI. 6

7 About MediGain MediGain is a full-service revenue cycle management and healthcare analytics company devoted to improving billing and reimbursement for healthcare providers cross the United States. MediGain provides a full suite of billing, reimbursement, credentialing and coding services to physician groups, provider networks, ambulatory surgery centers and hospitals. In addition, MediGain has industry leader proprietary business intelligence and predictive analytics that help their clients run the business of their practice. For more information on how MediGain can maximize revenue, reduce expenses and allow you to spend more time providing your patients with quality healthcare, visit our website, call us at or marketing@medigain.com Dallas Parkway, #200 Plano, Texas