Pathology/Lab Coding Alert

HIPAA:

Maintain These HIPAA Best Practices, Avoid These Common Violations

Latest HIPAA report highlights how practices let PHI fall through the cracks.

If your lab is still using the same privacy protection protocols it adopted when the HIPAA Privacy Rule took effect in 2003, you could be putting your practice in grave danger. Why? Because the types of breaches, and the ways they happen, have evolved over time. So your safeguards must, too.

The Department of Health and Human Services Office for Civil Rights (OCR), which enforces the HIPAA rules, reports that it has received 346,824 HIPAA complaints since enforcement began and has resolved 99% of them (https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html). What may be surprising is that the number of complaints received continues to rise each year.

Despite continuing educational opportunities and news coverage of recent enforcement actions, OCR fielded more complaints than ever in 2021, the most recent year for which data is available. That year, OCR received 34,077 complaints in all, up from 25,912 in 2018 (https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/complaints-received-by-calendar-year/index.html).

The OCR shared the most common HIPAA compliance issues in its latest report, and some of them may surprise you. From accidentally letting protected health information (PHI) fall into the wrong hands to failing to give patients their records, practices appear to be violating the law at every turn.

Read on to find out the most common issues, along with tips on how your pathology practice or laboratory can avoid them.

Impermissible Uses and Disclosures of PHI

Using or disclosing PHI without a permissible reason is the most frequently reported HIPAA violation, the OCR notes.

Example: In 2021, an employee of a New Jersey hospital accessed the PHI of 13,000 patients who had been seen in the laboratory. The employee then shared some of the information she accessed with a third party.

Avoid this issue: Put safeguards into place so that only employees who need PHI for their job can reach it, and only the parts they need. Not every staff member in a healthcare setting should be able to open the details of a patient record; a billing clerk, for example, has no reason to read lab results. Most EHR and laboratory information systems support role-based access controls; if you don't know how to configure them, work with your software vendor to make sure they are turned on and match your staff's actual job functions.

In addition, you should maintain frequent staff training on how protected health information must be safeguarded. Staff should know that every record they open is logged under their own user account, that shared logins are not permitted, and that those access logs are reviewed. All of your security training activities should be recorded and dated so you have documentation of these events. This documentation will be helpful to share if you are ever the subject of a HIPAA audit.
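The two controls above, least-privilege access and attributable access logs that someone actually reviews, are easier to picture in code. The following is an added example for illustration, not code from the original article or from any EHR or laboratory information system vendor; the pipe-delimited log format, the role names, the per-role daily thresholds, the shared-account names and the sample log lines are all assumptions constructed for the example. It reads an audit log, flags actions a role is not permitted to perform, flags logins that cannot be tied to one person, and flags a user who opens far more distinct patient records in a day than their role would explain (the bulk-access pattern described in the New Jersey case above).

```python
"""Review a PHI access audit log for three compliance red flags.

Added example; the log format, roles, thresholds and sample data below are
assumptions, not taken from any real system.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed role -> permitted actions (least privilege: billing staff can see
# demographics and charges but never lab results).
ROLE_PERMISSIONS = {
    "pathologist": {"view_result", "sign_result", "view_demographics"},
    "lab_tech": {"view_result", "enter_result", "view_demographics"},
    "billing": {"view_demographics", "view_charges"},
    "front_desk": {"view_demographics", "schedule"},
}

# Assumed maximum number of distinct patients a role would plausibly touch in
# one day; anything beyond it is worth a human look.
DAILY_PATIENT_THRESHOLD = {
    "pathologist": 150, "lab_tech": 200, "billing": 100, "front_desk": 80,
}

# Assumed generic logins that cannot be attributed to a single person.
SHARED_ACCOUNTS = {"frontdesk", "shared", "lab"}


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str   # ISO 8601, e.g. 2021-03-02T08:01:10
    user: str
    role: str
    action: str
    patient_id: str

    @property
    def day(self) -> str:
        return self.timestamp[:10]


def parse_line(line: str) -> AccessEvent:
    """Parse one 'timestamp|user|role|action|patient_id' line.

    A malformed line raises instead of being skipped, so a broken or
    tampered log is noticed rather than silently producing a clean report.
    """
    fields = line.strip().split("|")
    if len(fields) != 5 or not all(fields):
        raise ValueError(f"malformed audit line: {line!r}")
    return AccessEvent(*fields)


def review_access_log(lines):
    """Return a sorted list of (user, finding) tuples for the given log lines."""
    findings = set()
    patients_per_user_day = defaultdict(set)  # (user, role, day) -> patient ids

    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)

        # 1. Every access must be attributable to one named person.
        if ev.user in SHARED_ACCOUNTS:
            findings.add((ev.user, "shared account: access not attributable to one person"))

        # 2. The action must be within the user's role.
        allowed = ROLE_PERMISSIONS.get(ev.role)
        if allowed is None:
            findings.add((ev.user, f"unknown role {ev.role!r}"))
        elif ev.action not in allowed:
            findings.add((ev.user, f"role {ev.role} not permitted to {ev.action}"))

        patients_per_user_day[(ev.user, ev.role, ev.day)].add(ev.patient_id)

    # 3. Volume check: too many distinct patients for the role in one day.
    for (user, role, day), patients in patients_per_user_day.items():
        limit = DAILY_PATIENT_THRESHOLD.get(role, 50)
        if len(patients) > limit:
            findings.add((user, f"{len(patients)} distinct patients on {day} exceeds {limit} for {role}"))

    return sorted(findings)


def constructed_sample_log():
    """Constructed sample audit lines (not real data)."""
    lines = [
        "2021-03-02T08:01:10|jdoe|lab_tech|view_result|P10001",
        "2021-03-02T08:03:44|jdoe|lab_tech|enter_result|P10001",
        "2021-03-02T08:05:02|mlee|billing|view_charges|P10002",
        "2021-03-02T08:07:30|mlee|billing|view_result|P10002",          # out of role
        "2021-03-02T09:00:00|frontdesk|front_desk|view_demographics|P10003",  # shared login
    ]
    # One billing user paging through 120 distinct patients in two minutes.
    for i in range(120):
        lines.append(f"2021-03-02T10:{i // 60:02d}:{i % 60:02d}|rkim|billing|view_charges|P2{i:04d}")
    return lines


if __name__ == "__main__":
    for user, finding in review_access_log(constructed_sample_log()):
        print(f"{user}: {finding}")
```

The thresholds are deliberately crude; in practice you would derive them per role from a few months of your own logs and have a compliance officer review each flagged user rather than treating a hit as proof of wrongdoing. The important design point is that the review runs over the same log that staff are told exists, so the deterrent described in the training advice above is real.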

Lack of PHI Safeguards

In some cases, labs are found to be out of HIPAA compliance not because they deliberately shared PHI, but because they didn't put enough safeguards in place to keep the PHI from being exposed. This can happen if your emails aren't encrypted, you keep a fax machine in a patient-facing area, or you don't require passwords or screen locks on employees' personal devices even though those staff members use them to reach PHI.

Example: In 2018, a pathology laboratory employee’s laptop was stolen, which exposed the PHI of patients and their financial guarantors. The laptop wasn’t encrypted and included names, addresses, medical treatment history, Social Security numbers and more.

Avoid this issue: Perform regular risk analyses at your practice, identify every place where PHI could be accessed improperly, and then put controls in place to close those gaps. For instance, you may find that you need to remove a "reason for visit" column from your paper sign-in sheets, you might have to move the front desk printer out of the patients' line of sight, or you may realize that full-disk encryption and passwords are not yet required on every laptop and mobile device that can reach PHI, including staff-owned ones.

Lack of Patient Access to PHI

If a patient or their designated personal representative requests their medical records, the HIPAA Privacy Rule gives you 30 days to respond. If you can't meet that deadline, you may take a single 30-day extension, but only if you tell the patient in writing, within the original 30 days, why the records are delayed and when they will be provided. And if you don't give patients their records in a timely manner, you could face significant HIPAA penalties and fines.

Example: In January 2023, a Georgia laboratory agreed to pay $16,500 to resolve allegations that it did not give a deceased man's medical records to his daughter, who was his designated personal representative, in a timely manner. The lab eventually shared the records, but only about seven months after the request, far outside the HIPAA requirement to provide records in a timely manner.

Avoid this issue: Give your patients multiple ways to request their medical records, such as an online form, an option in the patient portal, a request form handed out in person, or a mailed paper request. Create a checklist for your practice that lists every step of fulfilling a request, including who logs the request date, who tracks the 30-day deadline, and who signs off on delivery, and provide staff training that emphasizes the importance of processing these requests promptly.

Lack of Safeguards for Electronic PHI

Electronic PHI is now at least as widespread as paper PHI, and may include everything from digital records and EHR data to emails and patient portal information. If you haven't set up ways to protect this electronic PHI, you are at risk of breaches and the penalties that come with them.

Example: In 2021, a DNA testing lab settled for about $400,000 following a hack of its database that exposed the PHI of 2.1 million patients. The lab had to put a corrective action plan in place to better protect electronic PHI in the future.

Avoid this issue: Work with your EHR and email vendors to make sure PHI is encrypted both at rest and in transit, that accounts require strong authentication, that firewalls and timely security patching are in place, and that other preventive measures are maintained so you are less likely to fall victim to hacking or leaks. This applies not only to your medical records but also to the financial information you keep for patients, including stored credit card data.

Torrey Kim, Contributing Writer, Raleigh, N.C.