Ophthalmology and Optometry Coding Alert

HIPAA Help Desk:

Boost Your Practice’s Ability To Bypass HIPAA Blunders

Find out how to best fend off breaches and cybersecurity incidents.

From privacy violations at the reception desk to email phishing ploys to lost unencrypted mobile devices, the opportunities for you and your fellow employees to bring censure and penalty down upon your eye care practice keep growing as healthcare changes and evolves.

Consider this: Most violations are caused by staff who accidentally expose protected health information (PHI) or electronic PHI (ePHI) due to a poor understanding of HIPAA — which is why training and keeping staff up to date on HIPAA is essential.

Other proactive measures you should take include monthly check-ups and an annual audit of your policies and procedures. Refine your HIPAA program as needed, experts say. Not sure where to begin? Start by adding these seven actions to your HIPAA checklist:

1. Explain HIPAA and What It Entails

Ensure everyone in your organization, from managers to your frontline staff, is trained on privacy. They should be able to articulate in simple terms what HIPAA is and what it aims to protect. Educating your staff on the nuances of HIPAA is not only essential to protect your patients and business, but also required: the Privacy Rule requires workforce training on your privacy policies and procedures, and the Security Rule requires a security awareness and training program for all workforce members. In addition to that required training, making sure employees consistently know their resources and first points of contact goes a long way.

Covered entities (CEs), such as medical practices, should keep in mind that there are two parts to HIPAA, says Melissa Dill, managing director for Crowe, a healthcare consulting practice in Indianapolis, Indiana. “There’s the Privacy Rule, which tends to be more focused on the non-electronic and access aspects of an individual’s protected health information [PHI]; and then there’s a Security Rule, which focuses on the electronic management of that individual’s information.”

2. Identify Your Practice HIPAA Officer

You absolutely need a designated HIPAA security officer. No matter the size or scope of your practice, if patients’ ePHI is being held or transferred at your office, the HIPAA Security Rule mandates the assignment. “A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures,” notes the Administrative Safeguards section of the HIPAA Security Rule. The Privacy Rule separately requires a privacy official who is responsible for your privacy policies and procedures; in a small practice the same person may fill both roles, but both must be named in writing.

It’s vital that everyone in your practice knows who the HIPAA compliance officer is. Otherwise, they won’t know where to turn with potential privacy and security breaches that staff may cause, encounter, or report during the day.

Remember: Your HIPAA security officer will act as the liaison between the HHS Office for Civil Rights (OCR) and your legal team should a data breach occur. They must know your HIPAA compliance plan and speak to any issues that arise.

3. Set Specific PHI-Access Limits

At the end of your training, your staffers should know their level of PHI access. Set those levels by job role and in line with the Privacy Rule’s minimum necessary standard: a front-desk employee needs scheduling and insurance information, not the full clinical chart, and the access rights configured in your practice management and EHR systems should match. This knowledge will enable staff to conduct “self-audits” regarding their use of, or exposure to, PHI.

4. Know Where To Get a Copy of Your Privacy Notice

You and your coworkers should know where to locate or obtain a copy of your notice of privacy practices. Anyone in the office should be able to point to the handout and make a copy available to a patient.

5. Discuss Privacy Violations, What To Do When You See Them

When it comes to the Privacy Rule, violations range from minor to serious. They can include common issues like “simple things such as physicians’ handwritten notes being left somewhere where they can be seen by individuals who don’t have a need to see those notes, things being printed out and left on a printer for others to see, or an individual calling an office and wanting information and perhaps not being the patient, but being a patient’s parent, daughter, or child who does not have permission to access such records,” Dill notes.

“Those sorts of things that you don’t necessarily think of as an issue are the easy things to have a compliance issue or a violation,” according to Dill. Complacency is a threat to any HIPAA-compliant entity. Therefore, you and your entire staff must know your office protocols for reporting potential privacy and security violations or the accidental or inappropriate disclosure of PHI and ePHI.

6. Put the Patient First

HIPAA wasn’t meant to direct patient care. It was created to direct CEs on how to keep patients’ information secure.

Make sure everyone in the office understands that HIPAA allows the disclosure of health information for treatment purposes. In addition, HIPAA does not require a business associate agreement (BAA) in order for a provider to share health information for the purpose of treating a patient. So, if another physician on your patient’s care team needs information about the patient to treat them, it’s okay to share that information, and a BAA is not required between your practice and the other physician’s practice.

Keep in mind: HIPAA also allows the sharing of patient PHI for payment (third-party payer) and healthcare operations (consultant) purposes. Note that a BAA may be needed for some aspects of payment/operations sharing — for example, with a billing company that works for the practice or with a consultant that is doing an audit — to ensure that the BA safeguards the PHI as the practice would.

7. Consider Creating a Script

There’s nothing wrong with preparing responses in anticipation of certain patient questions about HIPAA. For example, when patients come into your office, your employees can use a script to present them with your notice of privacy practices and to answer common questions they may have regarding the form. You should tailor your scripts to your office’s most frequently asked questions and your staff members’ comfort levels.

For instance, if a patient asks about their privacy rights, you can hand them the form and say, “Your rights are set forth clearly in the notice of privacy practices. After you review the notice, I would be happy to have our HIPAA compliance officer discuss them further with you.”

Important: The HIPAA Privacy and Security Rules offer organizations guidance on how best to set up policies and implement procedures to assess risks, protect PHI/ePHI, and avoid violations. Beyond stating the provisions of the federal law, the rules give practices a framework to build their HIPAA compliance planning around.

“Your staff are your greatest asset, but can also be your biggest weakness,” maintains Brand Barney, HCISPP, CISSP, CISA, PCI-QSA, security consultant at Coalfire in Mont Vernon, New Hampshire. “[HIPAA] security awareness training doesn’t have to be a once-a-year event or happen only when there’s a new hire. Make sure your staff understands that they must reasonably and appropriately restrict access to only those persons/entities with a need for access to PHI and systems.”