HIPAA has been in place since 1996, but violations and misinterpretation continue today for healthcare providers small and large alike.
Anthony Patane, PMP, information technology advisor with PRN Advisors, offers four critical areas for ASC leaders to consider when creating HIPAA compliance training programs and remaining vigilant.
1. Common violations to watch for. HIPAA is designed to ensure protected health information privacy and security. Here are five common violations for ASC leaders to be aware of and avoid.
• Disclosing information to a third party without consent. "Sharing patient information to friends and family members or chitchatting with co-workers is one of the most common HIPAA violations. Employees should be reminded that talking about a patient is against federal law," says Mr. Patane.
• Releasing information without the correct forms. Before releasing patient information, ensure the proper HIPAA authorization forms are filled out. "The forms should include patient's legal name, what is allowed to be disclosed and through what date authorization is allowed," he says.
• Failing to destroy information. Patient information that becomes outdated or is incorrect must be properly destroyed, whether in paper or electronic form. Information in paper form must be shredded or burned. "Any computers that may house PHI information must be properly destroyed and receipt of destruction must be kept on file," he says.
• Improperly securing devices that store information. Any device that contains PHI, such as computers, mobile phones, tablets and USB drives, needs to be properly secured. There should also be policies in place in the event any of these devices are lost or stolen. "Having passwords and/or 'kill switches' on these devices should be in place to help mitigate this violation," says Mr. Patane.
• Lack of protection from hackers. As smaller providers, ASCs may not seem likely targets for hackers. Regardless, ASC leaders are responsible for ensuring their centers have safeguards against cyberattacks. "This means making sure the perimeter security around your computer system is in place," he says. "This includes making sure firewalls, data encryption and password policies are all in place to prevent any potential hacking."
2. Avoiding misinterpretation. HIPAA only applies to healthcare providers, payers, clearinghouses and their business associates, but the law remains misunderstood, often due to lack of education. "A good example of this is when a daughter of a patient was informing a nurse that her 85-year-old mother (who was in surgery) had some allergies to medicine and wanted to make sure the provider knew about this. The nurse refused to listen, stating HIPAA policy does not allow family members access to patient information," says Mr. Patane.
The nurse in this scenario did not understand that HIPAA did not apply to this situation. The patient's daughter was asking to provide information, not asking for access to information. If the daughter had actually been requesting patient information, the nurse would not necessarily have been bound by HIPAA. "Another gray area: HIPAA does not require patients to give consent in writing. They can verbally ask that a friend or relative receive information. Facilities may legally demand a signature on a form. This is more about process than HIPAA," he says.
3. Best practices for remaining compliant. The first step to maintaining HIPAA compliance is putting in place a process for staff education, whether through an online course or in-person sessions. "This should apply for all employees on a yearly cycle and be tracked to hold accountability of the employee," says Mr. Patane.
In addition to scheduling training at regular intervals, ASC leaders need to ensure all staff members have a way to communicate about HIPAA issues that arise. "This may be through both a HIPAA compliance solution like a web portal, toll-free number or even an email address dedicated to HIPAA issues that gets checked by an appointed staff member," he says.
When analyzing the HIPAA compliance protocols in place at an ASC, leaders should consider conducting a risk assessment. Do the policies take into account all aspects of day-to-day operations at the center? If not, these policies need to be reviewed and updated.
4. Commit necessary resources. Many ASCs do not have the manpower to dedicate a leader or leaders to take charge of compliance education. Consider outsourcing HIPAA services. "Services should include establishing a baseline of policies and procedures along with providing updates to the organization every three months through a webinar or onsite visit," says Mr. Patane.
If an ASC has the bandwidth, consider creating a HIPAA compliance task force. This team can head up training efforts for all of the center's workers, track compliance and update policies when needed.