Avoid stiff penalties that could hurt your practice. When you take files out of the office, you run the risk of exposing your patients’ protected health information. And with possible civil monetary penalties of up to $1.5 million per breach, it’s smart business to practice compliance whether you’re in the office, at home, or on the run.

Review: Quite simply, “a [HIPAA] breach is an improper or unauthorized use, disclosure, or access of protected health information (PHI),” explains Cyndee Weston, CPC, CMC, CMRS, executive director of the American Medical Billing Association (AMBA) in Davis, Okla.

Federal input: HHS defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the … [PHI].” The Feds presume all impermissible uses or disclosures of PHI to be breaches “unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment.” For more details, read the Breach Notification Rule at: www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?language=es.

HIPAA Breaches Aren’t All Business-Related

Though most breaches occur within the realm of a medical practice’s business operations, some PHI violations bleed into providers’ personal, and in some cases political, worlds.

Consider this: According to Weston, when a physician shares a patient’s medical history with a friend or family member whom the patient has not authorized to access his medical records or information, it might be a breach. This will depend entirely on the situation, but everyone in the practice should mind what they disclose about patients’ PHI outside of the office, just to be safe.

Handle Remote Access Carefully

You don’t necessarily need to stop bringing work home, but you should definitely establish a policy on taking charts, computers, and other items that have PHI on them to any remote workplace. Unless this is handled very carefully, you could violate HIPAA and face penalties even if you just misplace one superbill in your home. If you or your staff must take charts or other data, electronic devices, or any ambiguous materials that might contain PHI from the office, it’s a good idea to implement a log-out system. That way, you’ll know where each patient’s information is, and there’s some accountability should a breach occur.

Construct guidelines: Implement policies that require all practice personnel to safeguard any patient information when they remove it from the office, since HIPAA protects the patient’s privacy no matter where the chart happens to be. It’s a good idea to use passwords with multi-factor authentication on mobile devices, laptops, and at-home desktop computers. Also, ensure that staff use encryption software for the charts reviewed remotely online.

Tip: Enlist a reputable healthcare attorney or compliance consultant to ensure that all staff members are up-to-date and fully understand HIPAA — both at home and at the office.

Resource: If you’re wondering what constitutes PHI, look at this list of 18 HIPAA identifiers at http://cphs.berkeley.edu/hipaa/hipaa18.html.