Urology Coding Alert

Avoid a HIPAA Violation--Review the Basics and Stick to Them

Guest Columnist: Suzan Hvizdash, BS, CPC, CPC-EMS, CPC-EDS

Just because you're handing out privacy notices doesn't mean you can stop there

Everyone is trying to stay HIPAA-compliant. Whom can we talk to and what can we say regarding a patient's condition? Do we need something in writing from the patient? Whom can we talk to without patient consent?

Start at the Beginning

To answer these questions, let's briefly review what HIPAA is and why Congress created it.

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It addresses three significant areas pertinent to the healthcare community:

1. Insurance portability: This allows individuals to maintain health insurance coverage when switching from one health plan to another, usually because of a change in employment.

For example, Mary has interstitial cystitis and needs periodic treatments. She is looking for a new job but is hesitant to change because she may be without insurance for a period of time. HIPAA was created to help avoid this type of situation.

Prior to HIPAA, the new employer's insurance could enforce a pre-existing condition clause for an established period of time. Now, under HIPAA, if Mary was covered under her previous employer's insurance for at least the time frame of the pre-existing condition clause, she would not be subjected to a pre-existing condition clause with her subsequent employer's health plan. In other words, her insurance would be effective for any condition as soon as she qualified as a new employee.

2. Administrative simplification: This portion of the act requires healthcare providers and insurance plans to standardize the processes they use for exchanging electronic information. This is the origin of the requirement that all payers recognize the same code sets.

3. Privacy and security: This final piece of the act affecting healthcare deals with the way in which patients' medical information is stored.

Charts, electronic records and other forms of patients' medical information should be stored in a secured and protected area. This could include, but certainly isn't limited to, the physical paper charts and where they are stored, electronic charts and how they are electronically signed and password-protected, and electronic repositories and the monitoring of access to them.

HIPAA was passed to establish guidelines and national standards for handling the confidentiality of our patients' most valuable information. Under HIPAA, we are now legally charged with protecting this information.

Examine HIPAA's Daily Impact

So, with that in mind, how does HIPAA affect our day-to-day processes in the medical office? Keep in mind that the office could be a home health agency housed in an office building, an insurance company, a doctor's office or clinic, a hospital floor, an emergency department, or any other area where we have some type of patient contact.

We need to protect the patient's information as well as their health and well-being. But how?

Implement these 10 easy steps in your office to make sure you're complying with the law:

1. Pay attention to those around you when discussing a patient. You don't want to discuss a patient's condition while riding an elevator in your office building.
2. If you need to talk with a patient, make certain you are in a closed-off area of the office to avoid unnecessary exposure.
3. Keep file cabinets, doors, desks, file rooms, etc., closed and locked.
4. Limit access to file rooms, electronic records, etc., to only those people who need the access to perform their job tasks.
5. Verify that repair and maintenance workers are scheduled to do work when they arrive in your area.
6. Escort visitors around the office. Take them to where they need to be and make certain they will have an escort back when their tasks are complete.
7. Don't be afraid to approach someone you don't recognize and question them about their reason for being in the area. Help them find where they need to be, and make certain they are not left alone.
8. Lock your computer when leaving your work area and password-protect it to avoid unauthorized exposure of protected health information (PHI).
9. Never leave a photocopier unattended when making copies of PHI.
10. Make certain your office shreds documents appropriately and that you are not throwing PHI into the general wastebaskets.

Compliance Isn't Complete Yet

Although HIPAA has been in place since 2003 and the majority of all affected companies are compliant, we haven't yet hit 100 percent. How can this be? Although the regulation was set forth and is administered by the government, there is not yet an audit system in place to monitor HIPAA compliance or effectiveness on the whole.

HIPAA compliance is complaint-driven. Thousands of complaints have been sent to the U.S. Department of Health and Human Services (HHS). The government reviews the complaints, but the organizations that are in violation usually resolve or settle the problem with the complaining party before the investigation starts. Government officials have actually pursued only a handful of these complaints.

The penalties for violations can range from $100 to $25,000 per incident per year, depending on the exact violation, the magnitude of the offense, and possibly whether the violation has since been corrected.

If HHS determines the HIPAA violation to be a criminal offense, the case is prosecuted by a separate government agency entirely. If the offending organization can show that it did not know it had committed the violation, it might not be subject to the penalties.

With so many variables, how should a healthcare entity respond to this regulation? How should it be implemented? What about overseeing its progress and effectiveness? How should the company handle a complaint when one is received?

There are a lot of tools, regulations and protocols that could be helpful, but there are still many unanswered questions and situations regarding the HIPAA regulation. Keeping current with the news, the Federal Register, newsletters and other sources is the only way an office can stay on top of this far-reaching regulation.

Suzan Hvizdash, BS, CPC, CPC-EMS, CPC-EDS, is the physician educator for the department of surgery at the University of Pittsburgh Medical Center, where she is responsible for teaching more than 200 staff and faculty the intricacies and importance of compliance with current documentation requirements.
