GUEST WRITER: Breck Hopkins, JD, AFMC’s General Counsel and Privacy Officer
It’s easy for our busy daily routines to crowd out attention to protected health information (PHI). Those of us working in health care-related jobs come in contact with it every day. Let’s review why it’s essential to protect PHI.
PHI is any individually identifiable health information that is transmitted or maintained in any form or medium (oral, paper or electronic) by a covered entity or its business associates, excluding certain educational and employment records.
Let’s drill down a little deeper on what those terms mean.
- Health information is information about an individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or payment for that care. Even if the information does not describe any particular service, it is PHI if it shows that the individual received health care services or benefits from a specific covered entity.
- Covered entity means a health plan (a payer or health insurance company), a health care clearinghouse, or a health care provider that transmits health information electronically in connection with HIPAA standard transactions such as claims and eligibility checks.
- Business associate means a person or entity that performs a function or activity on behalf of a covered entity, or provides services to a covered entity that involve the creation, receipt, maintenance or transmission of PHI.
- Individually identifiable means the information identifies the individual, or gives a reasonable basis to believe it can be used to identify the individual.
Examples of PHI include:
- Billing information from a doctor or clinic
- Email to a doctor’s office about a medication or prescription
- Health care provider appointment scheduling notes
- Voice mails about health care appointments
- Any record containing both a person’s name and name of that person’s medical provider
- Any document that includes a Medicaid or Medicare number
Consequences of breaching PHI
Violating the very strict and complicated definitions and rules under the Health Insurance Portability and Accountability Act (HIPAA) can cause serious repercussions, both for individual employees and for the company, clinic, practice or hospital where the PHI breach occurred. The HHS Office for Civil Rights (OCR), which enforces HIPAA, does not grade on a curve. You can be 99.99 percent in compliance, but if .01 percent contributes to a breach, reach for your checkbook.
For example, when a physician connected his personal laptop to a hospital network and then disconnected, PHI was visible on the internet. The civil money penalty exceeded $4 million.
Most common violations
The most frequent cause of HIPAA violations is the theft or loss of devices with unencrypted patient health information. This can include laptop computers, tablets and smartphones, even your own personal devices if you use them to access this information.
Another common cause of violations is the improper filing or disposal of documents. This is far more likely with a paper filing system. It’s almost inevitable that an employee will eventually file a patient’s record incorrectly or discard a document without first shredding it. Sometimes people just have a bad day or get distracted. Mistakes happen, but they happen more with paper.
Consider what happens if you put a paper file in your car to study at home or take to another clinic tomorrow. You get T-boned when another driver runs a red light and a wrecker removes your car. The file is no longer under your control, so a breach has occurred.
How to avoid PHI breaches
To be certain that information is not individually identifiable (the HIPAA “safe harbor” de-identification method), the following 18 identifiers of the individual, and of the individual’s relatives, employers and household members, must be removed, and you must have no actual knowledge that what remains could still identify the individual:
- Names
- Any reference to a geographic subdivision smaller than a state, including street address, city, county, precinct, Zip Code and their equivalent geocodes. The one exception is the initial three digits of a Zip Code, which may be kept if, according to the current publicly available data from the Bureau of the Census:
–The geographic unit formed by combining all Zip Codes with the same three initial digits contains more than 20,000 people; and
–The initial three digits of a Zip Code for all such geographic units containing 20,000 or fewer people are changed to 000.
- All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date and date of death; and all ages over 89 and all elements of dates (including year) indicative of such an age, except that such ages and elements may be aggregated into a single category of age 90 or older.
- Telephone numbers
- Fax numbers
- Electronic-mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including fingerprints and voiceprints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic or code
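As an added example (not part of the original column), the script below applies the safe harbor rules above to a constructed patient record: direct identifiers are dropped, dates are reduced to the year, ages over 89 collapse to “90+”, the Zip Code is cut to three digits (or 000 for a low-population prefix), and identifier patterns that leak into free-text notes are masked. The low-population prefix set, the sample record and the free-text patterns are assumptions for illustration.

```python
"""Safe harbor de-identification of a constructed patient record.

Added example, not the column's or AFMC's code. Field names, the sample
record, the free-text patterns and the low-population Zip prefix set are
assumptions for illustration.
"""
import re
from datetime import date

# ASSUMPTION: placeholder set of three-digit Zip prefixes covering 20,000 or
# fewer people. Populate this from current Census Bureau data before use.
LOW_POPULATION_ZIP3 = {"036", "059", "102"}

# Record fields that safe harbor requires to be removed outright.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account", "license", "vin", "device_serial", "url",
    "ip", "photo",
}
DATE_FIELDS = {"admit_date", "discharge_date", "death_date"}

# Illustrative patterns for identifiers that turn up inside clinical notes.
# Names in free text are NOT caught here; that needs a dictionary or NER pass.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:MRN|Medicare|Medicaid)\s*#?\s*[A-Z0-9-]*\d[A-Z0-9-]*",
                re.I), "[ID]"),
]

# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "birth_date": date(1931, 3, 15),
    "admit_date": date(2019, 7, 2),
    "street": "12 Elm St", "city": "Little Rock", "state": "AR", "zip": "72201",
    "ssn": "123-45-6789",
    "phone": "501-555-0100",
    "mrn": "MRN-0042",
    "diagnosis": "Type 2 diabetes",
    "note": "Pt called from 501-555-0100; Medicare # 1EG4-TE5-MK72 on file.",
}
AS_OF = date(2021, 6, 30)  # reference date used to compute age


def safe_harbor_zip(zip_code):
    """Keep the first three digits unless that prefix is low-population."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in LOW_POPULATION_ZIP3 else prefix


def safe_harbor_age(birth_date, as_of):
    """Age in whole years as a string; anything over 89 is bucketed as '90+'."""
    age = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        age -= 1
    return "90+" if age > 89 else str(age)


def scrub_text(text):
    """Mask identifier patterns inside free text."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record, as_of):
    """Return a new dict holding only fields allowed under safe harbor."""
    age = safe_harbor_age(record["birth_date"], as_of)
    out = {
        "age": age,
        # Even the birth year would reveal an age over 89, so drop it then.
        "birth_year": None if age == "90+" else record["birth_date"].year,
    }
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key == "birth_date":
            continue                                        # removed outright
        if key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = value.year  # year only
        elif key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)                    # notes, diagnosis
        else:
            out[key] = value
    return out


def deidentify_sample():
    return deidentify(SAMPLE_RECORD, AS_OF)


if __name__ == "__main__":
    for key, value in deidentify_sample().items():
        print(f"{key}: {value}")
```

Two caveats worth keeping in mind: the regexes only catch identifiers with a recognisable shape, so a patient’s name written into a note survives this pass, and the output still counts as PHI until the safe harbor list is applied in full and nobody at the organization knows of a way to re-identify the remaining fields.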
Avoiding HIPAA violations is much easier than coming under time-consuming investigations and paying crippling fines. The following tips will help covered entities protect PHI:
- Eliminate PHI on paper and from unencrypted electronic devices.
- Encrypt all electronic devices that receive, send or use PHI; use firewalls and passwords.
- Guard against receiving or storing any PHI that is not necessary to carry out your business functions.
- Store data with a secure cloud provider that undergoes frequent security checks and will sign a business associate agreement; a cloud provider holding your PHI is a business associate.
- Keep all electronic devices, especially smartphones, in a secure location at all times.
- Train employees to never discuss patients (even without using their names) in small talk in or outside the office. It is almost always a HIPAA violation.
- Assign an employee to check every signed HIPAA release/authorization form. If the patient skipped even one blank, the form may not be valid. Any release made in reliance on the form may violate HIPAA.
- Double-check and update your business associate agreements and notices of privacy practices. The 2013 HIPAA Omnibus Rule added new required content to both. If yours have not been updated since then, they are no longer valid.
- Always wipe the hard drive of a copy machine before it leaves your premises. Copiers and multifunction printers store an image of every page they scan, copy or fax.
- Run only operating systems still supported by the manufacturer on every device connected to the internet, and install security updates as soon as they are released, on internet-connected medical devices as well as computers.
- Be sure you are in control of all devices where PHI can be created, received, sent or used. Establish written policies that explain your control requirements.
- Always destroy outdated patient information by shredding or burning. A staff member must witness the entire process if you use a commercial recycling company. Recycling collection bins should be secure.
- Train staff on the dangers of opening unexpected emails and attachments. The most common way computer systems are hacked is through regular users who open phishing emails. Responding to them often hands the attacker the user’s password and the information needed to reach PHI. There’s an amazing amount of personal information available on social media, so the fact that a sender seems to know you and mentions your dog by name does not mean the message is genuine.
- Always furnish patients their records on demand and in the requested format. HIPAA violations can result if you summarize information, charge more than actual cost of reproduction, or link it to a concession or agreement from the patient.
- Be sure computer screens and paper files are not visible to patients at check-in or check-out. Enforce clean-desk policies so PHI is put away when not in use. This includes mobile workstations in hallways, exam rooms and nurses’ stations. Use privacy filters on mobile device screens.
- Always have an annual security risk assessment and make all the corrective actions suggested by the assessment. This is the single most important thing you can do to stay in compliance.
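The phishing tip above describes a sender who pretends to be someone you know. As an added example (not part of the original column or AFMC’s tooling), the script below uses Python’s standard email parser to flag four common signs of a spoofed sender in a constructed message: an address embedded in the display name that differs from the real sending address, a look-alike of the organization’s own domain, a Reply-To that points elsewhere, and a Return-Path from a different domain. The internal domain afmc.example and both sample messages are assumptions.

```python
"""Sender-header checks for a phishing e-mail of the kind described above.

Added example, not the column's or AFMC's code. The internal domain and the
two sample messages are constructed assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "afmc.example"   # ASSUMPTION: the organisation's own domain

# Constructed sample messages; not real mail.
PHISH_MESSAGE = """\
From: "Breck Hopkins <bhopkins@afmc.example>" <bhopkins@afmc-example.com>
Reply-To: records@mailbox-help.net
Return-Path: <bounce@mailbox-help.net>
To: staff@afmc.example
Subject: Patient files from yesterday

Hi again! How is Max the dog? Can you send me Mrs. Sample's chart today?
"""

CLEAN_MESSAGE = """\
From: "Breck Hopkins" <bhopkins@afmc.example>
Return-Path: <bhopkins@afmc.example>
To: staff@afmc.example
Subject: HIPAA training reminder

Training is Thursday at 9.
"""


def _domain(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def sender_findings(raw_message):
    """Return a short tag for each spoofing sign found in the headers."""
    msg = message_from_string(raw_message)
    display, from_address = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_address)
    findings = []

    # 1. The display name carries an e-mail address that is not the real sender.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", display)
    if embedded and _domain(embedded.group()) != from_domain:
        findings.append("display-name-address-mismatch")

    # 2. The sending domain imitates the internal one (same label, other domain).
    label = INTERNAL_DOMAIN.split(".")[0]
    if from_domain != INTERNAL_DOMAIN and label in from_domain:
        findings.append("lookalike-domain")

    # 3. Replies would be routed to a different domain than the sender's.
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")

    # 4. The bounce address (envelope sender) comes from yet another domain.
    return_domain = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    if return_domain and return_domain != from_domain:
        findings.append("return-path-mismatch")

    return findings


if __name__ == "__main__":
    print("phish:", sender_findings(PHISH_MESSAGE))
    print("clean:", sender_findings(CLEAN_MESSAGE))
```

These checks are heuristics, not proof: a legitimate newsletter may set a different Reply-To, and a careful attacker can avoid all four signs, so they belong alongside staff training and mail-gateway authentication (SPF, DKIM, DMARC), not in place of them.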
If you’d like a free consultation about security risk assessments, contact AFMC Health IT or call 501-212-8616. AFMC has qualified and experienced teams that can perform your security risk assessment, including a review of your computer security configurations.
If you work with AFMC and have HIPAA questions or suspect there’s been a breach, please do not hesitate to contact me, Breck Hopkins at 212-8646 or 519-1890.