In Part 2 of our 2 part series, we continue our chat with HIPAA expert, Loretta Duncan. Brian asks about the ins-and-outs of HIPAA’s requirements for security with electronic information.
Speaker 1: You are listening to Your Practice Made Perfect, support, protection and advice for practicing medical professionals, brought to you by SVMIC.
Brian: Hello and welcome to this week's podcast. My name is Brian Fortenberry. In our previous podcast, we were discussing HIPAA. HIPAA compliance. All issues regarding HIPAA with Ms. Loretta Duncan, who is a senior medical practice consultant with SVMIC. In this week's episode, we're going to continue that discussion and gain more information.
I have been to some doctor's offices fairly recently and in the waiting area, it almost looked like wallpaper.
Loretta: Uh huh.
Brian: There are these things posted everywhere, about these privacy notices and all of this. Are they doing that because it's absolutely necessary to create HIPAA wallpaper in their waiting rooms, or are they just doing this as a, "Hey, it might not be a bad idea," kind of thing?
Loretta: Unfortunately, HIPAA wallpaper is still required. It has been required since the beginning of the rule, but I'm glad that you brought that up, because there is again some confusion with the ... Notice of Privacy Practices, is what we're talking about. That's the six or seven page long document.
Brian: You have to sign that periodically as well, right?
Loretta: Let's talk about that. I'm glad we're talking about this, because this will clear some of this up. The requirements around the notice are number one, you do have to post it in a prominent location and posting, that's as descriptive as the rule gets. Post in a prominent location. So in my mind, and I think in most OCR investigators' minds, that means you're going to have to put it up on the wall in probably the waiting room.
Now, I have seen it in binders, sitting on a coffee table with HIPAA across the top, but ... And I think that was a trend for a while, because who wants to put more stuff on your walls, especially in a very nicely decorated office. Nobody wants that.
Brian: The decor really doesn't match, to be honest.
Loretta: However, I have heard from OCR officials that the binder is not compliant. So, if you've got a binder out there with your notice in it, you need to go ahead and post it. But fortunately we have a resource for that on our website. We have a fillable PDF poster format that can be completed so that it's not as tacky as six or seven pages.
Brian: That's fantastic. What we can do is, in the podcast show notes, we can refer to that and people can have access to that as well.
Loretta: Good. Perfect.
Brian: So there does have to be some HIPAA wallpaper, but we can help with that is what we're saying.
Loretta: Yes. We can make it prettier, I guess.
Brian: Very good.
Loretta: The other thing, you mentioned signing it periodically. The requirement is to provide a copy of the notice, not just a summary, but that full notice to each new patient on their first visit, so it's a one and done.
Brian: So you really only have to do it one time. You don't have to do it annually or anything.
Loretta: No. Now, what the patient needs to do is they need to sign an acknowledgement stating that they've received it and over my years of doing this, I've seen acknowledgements state that the patient has read, understood, can recite it. That's not necessary. All that's necessary is a simple statement that says, "I acknowledge that I have received the notice." But, the important thing is to make sure they get it.
I just took my mom to the doctor a couple weeks ago. They wanted her to sign all these things, and one of them was an acknowledgement of receipt. We didn't have it. I'm kind of a HIPAA geek, so guess what I did?
Brian: You called them on it, right?
Loretta: I just asked them for a copy and they got a little snarky with me, but anyway.
Brian: Hey, but that's the rule.
Loretta: It is.
Brian: You know what? By doing that, you're saving them a headache down the road.
Loretta: I hope so. I don't think they looked at it that way, though.
Brian: Well, you meant it that way. I know you. Are you kidding me?
Business associates. Who are business associates and what is required to be HIPAA compliant when it comes to business associates? Because I think this is something practices deal with fairly often.
Loretta: They do. And there's some confusion about who business associates are. Number one, business associates are not cleaning people. Your cleaning people are not your business associates, so they don't have to sign a business associate contract. I'll explain. A business associate is any individual or third party that is not a member of the workforce, so not an employee, that provides a service to you that involves your protected health information.
So cleaning people, yes they provide a service for you, but that service should never involve ... It's not meant to involve your protected health information. But your collection agency, that's going to involve ... Their service to you is going to involve your protected health information. Your billing system, your electronic health records vendor, all of them are going to involve ... That's going to involve your protected health information. So your requirement to be HIPAA compliant is to have a business associate agreement in place, which we also have a sample online.
Brian: Fantastic. We'll make that available as well. What happens, because things go wrong, right? You end up having a situation where some records were sent to the wrong place or something is lost, or there's a breach of some type of healthcare information. What if a patient files a complaint? Then what?
Loretta: What happens, if the patient files a complaint with you, you need to address it and document it and make sure everything is good, to the extent that you can and nothing else goes beyond that. You don't have to report complaints that come into your practice. But, if a patient goes to the next level and files a complaint with the Office of Civil Rights, then the Office of Civil Rights is going to send you a letter. In most cases that's what happens. They send a letter to the practice, and they indicate what the complaint is and in most cases, if it's a minor issue they will typically just cite the part of the regulation that the patient has complained about and give you a friendly little reminder. They don't even ask for a response.
They might just say, "Here's what you're supposed to do. Make sure you do it. We'll keep this open for the next six months. If we hear any more complaints, then we may delve in further, but basically that's it."
Brian: I refer to some of those types of letters as, "Hey, it's been brought to our attention," letter.
Brian: So it's kind of, "Hey, we have been informed this. Remember this is the rule and no more," right?
Loretta: And don't do it again, exactly. But there are some cases, where it may be a violation that is a little more serious and so the Office of Civil Rights may initiate an investigation. Typically, in cases where there has been a breach of patient information and that breach involves 500 or more of your patients, you will be investigated. In fact, I was talking to a practice about a year ago that ... When you have a breach of 500 or more, you have to also report that to HHS, through their online portal within 60 days of discovering that breach.
When it's reported, this particular practice reported it on a Friday afternoon and was called by an investigator on Monday morning.
Brian: Wow. That's fast.
Loretta: It surprised me that they're moving that fast. So when you have a breach of patient information, and it's a large number, that's going to warrant a whole lot more attention than one patient complaining about you talking too loudly in the exam room.
Brian: This is always interesting to me and being as vague as we need to be, what are some of the things going on out there that people go, "Boy, this happens more than you would think, and it's a breach and people don't even realize it's a breach," whether it be when you sign in. What is a breach there? Or overhearing conversations, like you were saying, or things like that. In your experience, what are you seeing as some of the things that are breaches that are seeming way too common that people might need to know about?
Loretta: I think something that happens quite often, goes back to that work related reason to access information. I get a lot of calls from practices where an employee or a physician, has decided they're curious about a patient, whether it be in their practice or maybe the hospital record system, and they've decided that, "I have the ability to log in, so I'll just take a little peek." A lot of those are probably not being reported as they should, but that's the importance of running audit reports and getting those red flags, because the practice does have an obligation to periodically audit their records and determine if that activity is happening.
And if it is, they have to address it. Now you mentioned signing in at the front desk, and patients overhearing conversations. A lot of those are not breaches. A lot of those are considered incidental disclosures. An incidental disclosure is not a violation of HIPAA, if it is as a result of a permitted use or disclosure. For example, when HIPAA first came out, everyone freaked out about calling patients back by their name.
Brian: Oh really? So when the nurse comes out and says, "Stan Jones," or whatever?
Loretta: Exactly. So I would go into these practices, and they would be using a number system, because they thought, "Well, we can't call a patient by their name." That was never ... Again, another misconception of HIPAA. So, that is an incidental disclosure. If you're taking a patient back to an exam room and a physician and a nurse are discussing scheduling a test for another patient, unless the physician is yelling down the hallway to the nurse, you're probably okay. If they're using reasonable safeguards, that's an incidental disclosure.
When the law was written, it was understood that we can't keep a patient in a little privacy bubble from the point they come in, until they leave.
Brian: It's impossible, isn't it?
Loretta: Right. But you do have to be careful. You don't want to have a discussion at the front desk, about a $1,500 past due balance and you're going to terminate the patient if they don't pay it. That should not happen at the front desk. That's a private conversation that should happen.
Brian: One that just popped into my mind, was a young lady going to her OB/GYN and as she's coming out the door the receptionist says, "Congratulations on finding out you're pregnant."
Loretta: That could not be a ... The difference there is that's not a permitted disclosure, so that would not be considered an incidental disclosure. That would absolutely be considered a violation. That brings up another point. Conversations within the practice about patients. Again, there needs to be a work related reason. It's different, because when you work in healthcare, you're really held to a different standard when it comes to patient privacy and you can't just sit around and talk about the interesting patient that came in this morning.
Brian: Right. And as tempting as that may be, you're right. It's a violation and then there's repercussions of that.
Brian: That being said, when somebody is found guilty of a HIPAA violation, what kind of penalties are we looking at, and in particular can you go to jail for that?
Loretta: The short answer is yes, you can go to jail for a HIPAA violation, but there are really two different sides to this. There are civil monetary penalties, which are really assessed to the covered entity, and those are for things like if someone committed a HIPAA violation at a practice, the Office of Civil Rights would look at that and go, "Did the practice do what they were supposed to do? Did they train the employee?" Was it malicious intent or was it just a lack of training?
If they determine okay, it's on the covered entity, then those penalties range anywhere from $100 to $1.5 million per violation per year in which they occur. Now there are criminal penalties associated with HIPAA violations. There's basically three categories. The top category is basically being curious or gossiping about patient information and that can lead to one year in jail.
Brian: That was the, "We're sitting around talking about the interesting patient that just came in the office?"
Loretta: Or, we're looking up ex-boyfriend's new girlfriend's record to see what's going on and maybe we don't even talk about it, but we looked at it and we had no work related reason. Those get worse for example, if you lie to obtain protected health information, that can lead to up to five years in jail and up to $100,000 in penalties. Again, this is criminal for the individual, not for the practice. The way the practice is going to protect themselves is, they are going to prove that they've trained the staff.
Brian: I gotcha.
Loretta: Finally, the largest penalty is if you are intending malicious harm or personal gain, and this can lead up to $250,000 in fines and up to 10 years in jail. The other piece that you don't think about is, these are criminal penalties, which means you have to hire a criminal defense attorney. So even if you don't end up paying those penalties, you're going to pay a large chunk of money just in defense fees.
Brian: One of the things that I have heard about over the last maybe couple of years now that I never even really thought about when it came to that, was these rogue employees. They have learned the value on the black market of some of this stuff and they're going out and getting it and then disseminating it out, but it seems like they often get caught. Most often they do get caught, because like you said, there's things in place in the practice, that catches them. But then, you still have to go through as a practice, all of these requirements I guess by the government, for telling them and finding out how many records. And all of that has to be done, it's kind of based on how many compromises you've had, as to the regulations you have to go through?
Loretta: Well it is. For breach notification, breach notification was added with the HITECH Act and finalized in 2013. Basically, that requires ... Even one. If there is one unauthorized use or disclosure of patient information, you have an obligation to notify the patient in writing, within 60 days of discovering the incident and then you have to report that to the Office of Civil Rights on an annual basis. But if you have a breach that affects 500 or more of your patients, you have to notify the patients within 60 days, the government within 60 days and the local media within 60 days.
It is always a good idea if you suspect that you have had a breach, you need to contact us. Either contact me, contact claims, but we definitely want to help walk you through that.
Brian: Once you get to that stage of a breach, you're going to need assistance.
Brian: To get through that process. That is not something that is going to be simple and that you can ... It's not like filing your own taxes here. You're going to need some assistance in dealing with that.
Brian: Let me ask you this, what can a practice charge a patient for copies of their medical records? Can they charge?
Loretta: Uh huh.
Brian: If so ... I don't know that I've ever been charged for a copy of mine, but can they do that?
Loretta: This is a hot topic right now. Again, the Office of Civil Rights issued some guidance on this back in 2016, and we've been doing it wrong for a while, just to be perfectly honest.
Loretta: The privacy rule has not changed. It's always been the same, and the privacy rule allows, permits covered entities to charge a reasonable cost based fee for copies of records to the patient. But what's happened over the years is, each state has state guidelines that have dollar amounts assessed to the per page fee that can be charged. But a lot of our records now are electronic, so the per page rate doesn't really make sense.
What had happened, is there were a lot of patients that were complaining to the government about not being able to access the records and then being charged a ton of money for records. Think about a hospital record. My mother-in-law was in the hospital not too long ago and she had over ... I think she had about 150 pages of records. The hospital was still charging by the page, even though they were giving a CD. That doesn't make sense. So the guidance issued by HHS, really outlined what you can and can't charge.
Ultimately, the government would prefer that you not charge your patients for copies of their medical records. But if you are going to charge, you have to calculate your cost. In most cases, and from what I've looked at, none of our policyholders' states' fee guidelines would be considered reasonable and cost based. They're all going to be higher than what the government would allow.
To help practices with this, we actually recorded a presentation that's on our website that really digs into this, because it is pretty detailed on how to calculate these charges. But if you're still using the state guidelines to charge your patients, you probably need to stop and look at it differently.
Brian: There is so much information to be obtained just about HIPAA, and I would imagine there are certain practices out there and administrators and probably even physicians, that could easily lose sleep at night just thinking about HIPAA stuff. We could delve so much deeper into these issues.
If we have people out there that are at a loss, they have some very specific issues that they're needing to address and have some assistance with, they can reach out to you, correct?
Loretta: Oh absolutely. 90% of my job is probably spent helping practices with HIPAA related issues. Call if they have a question. Don't spend a lot of time trying to research it, because more than likely I've answered it before multiple times. So, definitely utilize the resources that we have available.
Brian: Because very often, you do feel like when you've had something come up, that you're on an island. "I'm the only person that's ever had this question." More than likely, not the case, right?
Brian: They can certainly reach out to you, reach out to SVMIC and get them in contact with you. We're going to provide a lot of information that we've kind of discussed as resources at SVMIC attached to this podcast in the show notes.
Loretta, I can't thank you enough for being with us today and discussing this incredibly important topic.
Loretta: Well, I enjoyed it Brian. Thank you for having me.
Speaker 1: Thank you for listening to this episode of Your Practice Made Perfect with your host, Brian Fortenberry. Listen to more episodes, subscribe to the podcast and find show notes at svmic.com/podcast.
The contents of this podcast are intended for information purposes only and do not constitute legal advice. Policyholders are urged to consult with their personal attorney for legal advice, as specific requirements may vary from state to state and change over time.
Loretta Duncan is a Senior Medical Practice Consultant at SVMIC. She has been with SVMIC since 2008, but has worked in the healthcare industry for the last 20 years. Prior to SVMIC, she served as the Director of Practice Management for the Arkansas Medical Society and as a clinic administrator for an orthopaedic practice. Loretta has provided assistance to physician practices with HIPAA compliance since 2002. Loretta is a board-certified Fellow in the American College of Medical Practice Executives and is currently pursuing a Master of Science in Health Law and Policy from the Cumberland School of Law in Birmingham, Alabama.
Brian Fortenberry is Assistant Vice President of Underwriting at SVMIC where he assists in evaluating risk for the company and assisting policyholders with underwriting issues. He has been involved with medical professional liability insurance since 2007. Prior to his work at SVMIC, Brian worked in the clinical side of medicine and in broadcast media.