Home Health & Hospice Week

HIPAA:

Avoid Paper Record Pitfalls In Shoring Up HIPAA Compliance

Watch out: Privacy violation investigations are no longer limited to complaints.

You may be sure that you've dotted all of your i's and crossed all of your t's, but if you miss even a small piece of the privacy puzzle, you can compromise your entire organization. Take a look at these two reminders to ensure that you're starting 2010 with your privacy program on the right foot:

1. Don't Let Paper Get Lost in the Shuffle.

You may think of patient privacy exclusively in terms of protecting electronic patient data, but paper files are just as likely to be compromised. "With the advent of the HITECH changes, breaches occurring with paper records will be treated the same way as electronic data," says Gregory Michaels, manager of security and compliance solutions at BluePrint Healthcare IT in Cranbury, N.J. Congress passed the HITECH Act as part of the stimulus bill legislation in February 2009. It adds requirements when breaches occur, among other provisions.

Paper records "have the same value in terms of the information contained in them," Michaels advises. "We're still looking at a long time before paper is eliminated, so make sure any PHI stored on paper ... is secure."

Even before the HITECH Act came into existence, providers were always advised to handle PHI securely -- whether it was on paper or stored electronically.

"It has been the case for a long time, and it's still the case, that health care providers should not throw PHI into the trash," says attorney Michelle Wilcox DeBarge, with Wiggin and Dana in Hartford, Conn. "Proper disposal practices should be in place (for instance, shredding)," she says. "And now under HITECH, the breach notification requirements don't just apply to breaches of electronic information -- oral or paper disclosures fall under the Act as well," she advises.

2. Know That Patients Are Aware.

You've asked patients to sign a HIPAA privacy form, so now they're content, right? Not necessarily. "The HITECH Act imposed an affirmative obligation on the government agency overseeing the HIPAA program to investigate compliance breaches," DeBarge explains. "Previously it was driven by complaints only, but they now have an obligation to affirmatively audit and monitor."

Plus: The government has been hiring people to ensure compliance and will be providing education programs to the public, "and we're expecting a lot of awareness, and for patients to be asking more questions about the use of their private health information going forward," says Peter Courtway, chief information officer for Danbury Health Systems in Connecticut.

"There is also a provision under HITECH that will allow individuals who have been harmed by a breach to have a share in the proceeds of the penalties," DeBarge says. "We don't have the details yet, but this is another reason that patients will have incentive to pay attention."