Gastroenterology Coding Alert

Privacy:

This Gastroenterology Practice Is In Hot Water for Privacy Violations

Is your practice at risk of these problems?

You might think that HIPAA breaches are always accidental, but one digestive care office found that this isn't the case in every instance.

An employee of a North Carolina gastroenterology office allegedly confessed to police last month that she shared the personal information of about 100 patients with fraud suspects. The data included Social Security numbers, names, and birth dates of patients, and was said to have been shared with someone who is under federal investigation for identity theft.

The digestive health practice had to notify the patients who were potentially involved in the incident and is putting steps in place so such issues don't happen in the future.

To help avoid breaches, and to reduce your chances of being called on the carpet over them, consider these common causes of breaches and how to avoid them.

Breach Scenario #1: Theft

Protected Health Information (PHI) and electronic Protected Health Information (ePHI) are commonly compromised when provider and/or partner technology, information, or paperwork is stolen. This could mean anything from an office break-in, where actual hardware or physical files and property are taken, to lost or lifted portable devices that were snatched from employees' cars or elsewhere and then compromised.

Remember: Employees steal PHI and ePHI too, recording patient data for their own personal gain. When this kind of HIPAA breach happens, patients' records are often exposed and sold for profit. Theft is the easiest HIPAA violation to deal with and overcome. A good place to start is with the encryption of all your electronic devices, especially those used by visiting staff.

Scrutinize and educate: Performing a comprehensive background check on all your employees and business associates before hiring needs to be mandatory for added security. However, vetting processes aren't perfect and employees are tempted by the easy access to patient information and financial data for numerous nefarious reasons - and in those cases, strict disciplinary guidelines should be imposed.

Breach Scenario #2: Unauthorized Access, Disclosure

This culprit is a frequent contributor to breaches and can easily be remedied with proper staff education. It often arises when providers and employees let policies slip when transferring PHI and ePHI to third parties like claims and collections companies, outside billers, and insurance carriers.

This could be a detailed phone message or fax about a patient to an unauthorized individual or business associate, or emailing patient information to insurers for claims, but it also covers something as simple as displaying patient information on an agency or employee social media page. The combination of what can be shared, who has access to it, and where the PHI/ePHI can officially go is the focus of this breach scenario.

Train and retain: Constantly re-educating staff about your compliance practices and ensuring that they understand the importance of both agency and patient security is essential. Another crucial detail is having an ironclad business associate agreement that protects you against partners who aren't always reliable.

Tip: When you go about enlisting outside resources, look for "sophisticated vendors that have very advanced HIPAA programs because smaller firms don't know what the HIPAA rules are," advises attorney Abby Pendleton of The Health Law Partners in the Southfield, Michigan office.

Breach Scenario #3: Cyberattacks

Unfortunately, more often than not, providers think they are prepared but are actually technically vulnerable. From social engineering schemes like phishing and spoofing to malicious attacks involving malware and spyware, healthcare's cybersecurity is on the top of everyone's watchlist. And that's why it's essential to follow the golden rule of HIPAA compliance: assess, analyze, and manage.

Federal help: This is where the Office of the National Coordinator for Health Information Technology (ONC) risk assessment tool comes in handy. The ONC site assists providers in the initial stages of HIPAA compliance planning and points you toward the best methods for addressing security.

Reminder: Hackers are a step ahead of providers, says attorney Clinton Mikel of The Health Law Partners. "If the OCR investigates and finds over 500 individuals were affected, the first thing they will look for is the security risk analysis."

Exceptions: Since most breaches are accidental and relatively benign, guidelines for exceptions to the rule are available for providers to follow if an infraction is suspected. Here are a few examples:

  • An employee might "unintentionally" give the wrong patient data to a clinician, but the person realizes the error and doesn't use or access the PHI or ePHI.
  • Authorized workers might unwittingly transfer ePHI to another "covered entity," but that worker sees the mistake and deletes the information.
  • Authorized personnel believe that the PHI could not be conveyed to another source - for instance, patient data was mailed but is returned unopened due to a wrong address.

The bottom line: Make sure you have processes and programs in place to ensure that your staff members don't commit any privacy breaches at your practice.