Health Insurance Portability and Accountability Act

Explained by Raymond F. Posa, MBA
Technology Advisor to the
American Academy of Podiatric
Practice Management,
President, R. Francis Associates 

HIPAA Security Ideas - Part 1  
Office Shredders
(Volume 33)

One of the most overlooked security flaws in a practice is the waste-paper basket.  If your office is not currently using a shredder, then at the end of the day take a look through your waste-paper baskets, especially the one at the front desk.  You may find an abundance of PHI in there.  You may think that going through the trash is a bit paranoid, or ask “who wants my trash anyway?”  Case in point: last month in Philadelphia a crew was working with insiders at an HMO who were sending patient PHI out the door in the trash.  Their accomplices would then go through the trash and pull out the PHI.  The next step was to take the papers back to an apartment set up with some very elaborate equipment for forging credit cards and documents.  With the forged documents this crew opened charge accounts, took out mortgages and even bought automobiles.

The bottom line is that the HMO is going to face serious liability over this, because it has an obligation to have policies and procedures in place to prevent exactly this kind of activity.

Putting a shredder in the office is an inexpensive way to protect discarded PHI.  When purchasing a shredder, always look for a cross-cut or chip-style unit.  The straight strip-cut shredders just don’t provide enough security; you would be surprised how easily a strip-cut document can be reassembled.  Shredders also carry a duty-cycle rating in pages.  Look for one rated at least 50% higher than the volume of paper you currently generate.  Shredders have a relatively long life, so you want one that will handle long-term growth in your office.  One model that I have found to work well is the Fellowes PS80C.  It is a real workhorse and ideal for a small-to-medium office.  There are some very high-end commercial units out there, but they would be overkill for most offices.

Another solution is a shredding service.  Several national companies provide this service.  They supply a bin inside a locked cabinet; papers are deposited through a slot in the top and stay locked up until pick-up.  The company sends a truck to your location, shreds everything right there and gives you a certificate stating that everything was destroyed.  Keep that certificate with your compliance records; it is your documentation that the PHI was disposed of properly.

When you first implement a shredding policy in the office, a good way to break the old habit of throwing PHI in the regular trash is to remove all trash cans from the immediate work areas and relocate them to a back area.  The idea is to make the trash harder to get to, so that employees make a point of going to the shredder first and disposing of all their paperwork there.  Once this becomes the new habit, you can reintroduce the regular trash cans.  Also make sure that violations of your shredding policy carry consequences.  It is important that everyone in the office take shredding seriously, because lapses can come back to haunt you.

HIPAA:  The Next Step
(Volume 32)

Now that we have crossed another HIPAA milestone, Privacy, we need to turn our attention to the next phase, Security.  While the privacy requirements lend themselves well to boilerplate policies and procedures that need only minor adjustments for your practice, Security will be a horse of a different color.  The security requirements are very specific to your practice.  Writing policies and procedures to deal with the security issues in your practice will require much more thought and effort, and we should start addressing these new requirements now.

With privacy, most offices only had to take their existing way of doing business and put it in writing, print up their NPP, display it in the waiting room, post it on their web site and hand a copy to each patient; done.  Security, on the other hand, will require much more.  In the next few articles I will cover some areas of concern and how to address them.

Security is going to get into areas that most practices have never thought about and don't even have a foundation to work from.  Security deals with the physical facility, the computer system, computer-user procedures and practice contingency plans, among other things.

While many practices completed the privacy portion of HIPAA without conducting a gap analysis, for the security portion a gap analysis will be essential, for the following reason: privacy compliance required little or no expenditure.  Security, however, may require investing quite a bit of money in software, hardware and facilities upgrades.  By conducting a gap analysis you can identify the areas needing attention and then work out a long-term plan to address them.  The key to compliance here is being pro-active: you have identified the problem areas and are working toward mitigating them.

That being said, you are still responsible if there is a breach in your security.  The difference is in the amount of your liability.  If you have identified the problem areas and have a plan to address them, you are in much better shape than if you are caught with a security breach, had no idea there was a problem and have no plan in place to address it.  Again we come back to our favorite HIPAA slogan: MITIGATION.  HIPAA is all about making reasonable efforts to reduce the risk of PHI falling into the wrong hands.

Just the Sort of HIPAA Help We Don't Need!
(Volume 28)

Hello Gayle,

Janlori Goldman forwarded this to me.  This is just the kind of thing we warn doctors about, that it is the patients who will do the enforcement and that they are being encouraged to do it.  The scary part is, just think how confused most offices are about the HIPAA laws, and they are required to be knowledgeable about the rules and regulations.  Now imagine the general public, who know very little or, worse yet, think they do know their "new" rights, and they are going to be filing complaints left and right.

Just another reminder that practices need to cross their "T"s and dot their "I"s.

Thanks,
-Ray

For immediate release
PRESS RELEASE
Tuesday, April 8, 2003

HEALTH PRIVACY PROJECT LAUNCHES
PRIVACY COMPLAINT MONITORING INITIATIVE

HPP to monitor HHS enforcement of New Medical Privacy Law

Today the Health Privacy Project (HPP) announces the launch of its HIPAA privacy complaint monitoring initiative. With this initiative HPP will monitor the oversight and enforcement of the HIPAA privacy rule by the Department of Health and Human Services' Office for Civil Rights (OCR), to ensure that patients' privacy rights are enforced effectively. HPP has posted a model complaint form (http://www.healthprivacy.org/usr_doc/Privacy_Complaint_Form.pdf) on its website and is asking the public to provide HPP with copies of complaints submitted to OCR. OCR has yet to post an online complaint form, even though most health care providers and health plans are required to comply with the new privacy law by April 14, 2003.
 
Under the rule, individuals do not have a private right of action. Instead, the law provides that individuals must direct their complaints to HHS' Office for Civil Rights. HHS has the authority to impose civil and criminal penalties if covered entities are determined to be in violation of HIPAA. HHS officials have said that enforcement would largely be driven by complaints and that "voluntary compliance is the most effective way to [protect personal health information]," signaling to many in the health care industry that HHS does not intend to vigorously enforce the law. HPP will track the number and types of complaints and will monitor how effectively the Office of Civil Rights investigates and resolves complaints.

"We want to ensure that patients' rights will be safeguarded and that the Office for Civil Rights lives up to its responsibility to enforce the HIPAA privacy rule vigorously. Given that HIPAA does not give people the right to sue, individuals must rely on the Bush administration to represent their interests," said Janlori Goldman, Director of the Health Privacy Project. "Our monitoring initiative is intended to ensure that consumers' voices are heard."

The HIPAA privacy rule, the first major federal law to protect the privacy of people's medical records, grants consumers a number of significant new rights, although in less sweeping form than most patient advocates pressed for. Among other changes, as of April 14:
* people will receive a "notice of information practices" from their providers and plans explaining their new rights and how their information will be used;
* patients must be given access to their medical records upon request;
* health care providers and plans are barred from disclosing identifiable health information to employers;
* psychotherapy notes are given special, heightened protections before they can be shared with providers;
* hospitals must give patients the chance to opt-out of having both their name and health status publicly available in the hospital's directory; and
* law enforcement must present some form of legal process before they can obtain access to health information.

* * *
The Health Privacy Project is a non-partisan non-profit 501(c)(3) organization dedicated to protecting privacy in the health care arena, with the goal of promoting increased access to care and improved quality of care. The Project also staffs the Consumer Coalition for Health Privacy, a diverse network of over 100 consumer, disability rights, patient, labor and health care provider organizations engaged in the national and local debate on health privacy.

As of April 14, 2003, most health care providers, hospitals, health plans and their business associates must be in compliance with the HIPAA medical privacy regulations (http://www.hhs.gov/ocr/hipaa/privacy.html). The law, which was finalized at the end of the Clinton administration and allowed to go into effect nearly two years ago by President Bush, will have a major impact on both consumers as well as health care organizations.
 
New federal privacy rights will be available to health care consumers, although in less sweeping form than most patient advocates pressed for, and providers and health plans will have to adopt a set of rules and safeguards that promise to bring a large measure of uniformity and predictability, as well as short-term burden, to the collection and use of patients' medical information. Although it remains to be seen whether and how vigorously HHS' Office for Civil Rights will oversee and enforce the privacy regulation, there is no doubt that after April 14, certain key changes should be visible and in place.

Those changes include:

* Anyone entering a doctor's office, hospital, or applying to a health plan for benefits must be given a "Notice of Information Practices" that states the new rights mandated by the law, and explains how the "covered entity" intends to use and disclose the individual's health information. The regulation requires that a good faith effort be made to get people to acknowledge they have received the notice by signing it. The signing of the notice, a requirement put in place after the Bush administration removed the consent requirement from the Clinton version, is intended to increase the likelihood that people will actually receive and read the notice. It would be a good idea for the health care industry to post these notices on a Web site so that consumers could review them in advance.

* People must be given access to their medical records. Although most states grant people this right, state laws are inconsistent and not well-enforced. The federal law requires that people be able to see, copy and supplement their records. Health care organizations must comply with the request within 30 days, and a reasonable fee may be charged. The new access rule may spur health care organizations to develop secure systems for people to access their records online, saving time and money for all involved.

* Health care providers and plans will be barred from disclosing identifiable health information to employers. Also, employers acting in their capacity as health plans or providers (in the context of a self-insured company, for instance) are directly covered by the rules. However, because employers are not directly covered by the rule when not wearing the hat of a covered health plan or provider, information they collect as part of an Employee Assistance Program, or through a pre- or post-employment physical, is outside the scope of the privacy law.

* Psychotherapy notes will be given special, heightened protections, and mental health providers will be able to refuse to disclose their notes to health plans without first obtaining a patient's voluntary authorization. Health plans may not condition the delivery of benefits or enrollment on obtaining authorization from an individual.

* Hospitals must give patients the chance to opt-out of having both their name and health status publicly available in the hospital's directory, as well as allowing patients to limit the hospital from sharing medical information with family members. The presumption continues to be that certain limited information about hospital patients will be shared with the public and family members, but people will now have the right to bar those disclosures.

* In most cases, law enforcement officials will have to present some form of legal process (warrant, subpoena or summons) before a covered entity can disclose protected health information to them. This new requirement fills a void where no such federal safeguard existed before. But virtually all health care stakeholders argued for tougher limits on law enforcement's access to medical records.

* Medical information must be more securely collected, shared and stored by health care providers, plans and information clearinghouses, which must put in place appropriately scaled technical and administrative safeguards.

* HHS' Office for Civil Rights will receive complaints from individuals who believe their rights under the regulation have been violated. HHS has the authority to impose civil and criminal penalties if covered entities are determined to be in violation of HIPAA. HHS officials recently have said that they believe "voluntary compliance" with the law is ideal, signaling to many in the health care industry that HHS does not intend to vigorously enforce the law. Given that HIPAA does not give people the right to sue, individuals must rely on the Bush administration to represent their interests.

* State laws that are more stringent than the privacy regulation will continue to stand. However, just this week HHS announced it would review requests from state officials to allow certain state laws that are "contrary" to the regulation to remain in place, where the state can show that it is impossible to implement both the state and federal law.

* The regulation includes a much wider range of responsibilities for covered entities to follow, such as designating a privacy officer and training employees to adhere to the rule.

One of the major shortcomings of the privacy rule is still that the marketing of health-related products and services is legal, without any notice to consumers that the letters from their pharmacy may be an advertisement paid for by a drug company, and with no right for consumers to opt-out of getting these ads.
 
HIPAA privacy: Myths vs. reality

Even after a 24-month implementation phase, misinformation and confusion about some of the rule's core provisions abound. For instance, some doctors and hospital officials claim that the privacy regulation prohibits providers from communicating with patients by e-mail. The truth is that the regulation anticipates, and truly encourages, e-mail between practitioners and patients, provided a secure network is used and the messages are encrypted. In fact, the rule expressly allows patients to request "alternative means" of communicating.

Other voices maintain that hospitals will be barred from giving out patient information to the public, thus keeping friends and family from reaching their loved ones. Again, the regulation established the opposite legal presumption. The hospital may continue to share information about patients (both location and health status, as well as more detailed information with family), unless the patient has specifically asked that such information not be shared.

Similar misreadings appear to be common and include such myths as "the privacy rule will impede efforts to prevent and respond to a bioterrorist attack" (legal scholars and authors of the regulation have concluded otherwise) and "clinical research will be jeopardized because covered entities will be reluctant to share data." Nothing in the rule supports such skittishness, and HHS should issue guidance reassuring the research community and covered entities.

HHS Initiatives Needed

A number of initiatives must get underway immediately to ensure that the regulation is put in place, without being unnecessarily over- or under-interpreted. First, HHS must play a more aggressive role in publishing guidance, responding to questions and publishing clarifications to HIPAA. They should make all of this available online. HHS also must reach out to health care organizations and consumers to publicize the scope of the law and offer technical assistance on implementation. And, HHS must be vigilant in overseeing, monitoring and enforcing the rule. Complaints should be made publicly available, investigated and resolved. The only way to eventually achieve significant voluntary compliance is for HHS to insist, through its own actions, that full compliance is expected, and that failure to do so will have true consequences.

 
For more information, contact:
Janlori Goldman, Director
Health Privacy Project
202-721 5632
http://www.healthprivacy.org

The above notice was provided by Raymond F. Posa, MBA
Technology Advisor to the American Academy of Podiatric Practice Management
President, R. Francis Associates

YOUR HIPAA CHECK LIST
(Volume 27)

Now that the magic date of April 14, 2003 has arrived, let’s review where you should be in your compliance effort right now.

1) You must have named a Privacy Officer

2) Your Privacy Officer must be fully versed in the requirements of HIPAA

3) You must have your Privacy policies written

4) You must have a Notice of Privacy Practices (NPP) written

5) You must have the NPP posted in an easily accessible area of your office

6) You must be handing out a copy of your NPP to all your patients and have them sign a form acknowledging receipt of the NPP

7) You must conduct formal training of your staff on your Privacy policies and document the training

A word of caution: I have been seeing and hearing of practices copying pages straight out of “canned” manuals.  This is NOT sufficient to meet the requirements set forth in HIPAA.  To anyone who is using the APMA HIPAA privacy manual, please read the very first page carefully.  It clearly states “The Manual should be a tool to assist doctors of podiatric medicine in complying with the Standards for Privacy…”.  The implication is that the manual is your starting point; it is not the finished product of your compliance effort.  The Manual also goes on to state: “Simply possessing the Manual does not make you compliant with the regulations.”

You need to do an audit of your practice and have a set of custom policies written.  Your privacy officer can take a sample policy and customize it for your practice, or you can have a HIPAA consulting firm come in to assist your privacy officer with the policies.  Since the privacy officer is required to be fully versed in the requirements of HIPAA, it might be money well spent to have the privacy officer spend some one-on-one time with a consultant and master the fine points of HIPAA.

HIPAA:  Who Will Enforce It?
(Volume 22)

October 2002 came and went with only about 33% compliance with the EDI mandate.  April 14, 2003, is coming, and the prevailing feeling among physicians is a wait-and-see attitude toward HIPAA.  Are they really going to enforce these rules?  Are they really going to bother with the small practices?  How are they going to inspect all of the small practices?

Actually, HHS has been advertising for, and is going to rely on, patients for enforcement.  There is an effort afoot to educate patients about their “new” rights and how to file complaints.  This is coupled with attorneys aggressively advertising for clients who have been “harmed” by a breach of their new privacy rights.

To date, several court cases have affirmed the right of patients not to have their PHI sold to a third party without their written permission.  One case involved the unsolicited mailing of prescription samples accompanied by a marketing letter to a Florida resident.  In another example, a major pharmacy chain settled a case in Florida in which customers' signatures were used for third-party marketing without proper customer notification.

In the months to come we will see many such cases of individual privacy violations.  The best medicine for this is prevention.  The cost of having a good Policy and Procedure Manual written and reviewed by an attorney will be much less than the cost of having an attorney defend you.

Again, just a reminder that April 14, 2003, is more than just the due date for the Notice of Privacy Practices.  There has to be a full Policy and Procedure Manual in place to back up the Notice.

HIPAA Catch-22
(Volume 20)

Have you heard about the HIPAA Catch-22?  By this time we should all be aware of and prepared for the HIPAA Privacy rules that go into effect April 14, 2003.  You need to have your HIPAA Policy and Procedures Manual written and your staff educated regarding your policies.  You also have to have your Notice of Privacy Practices posted and sign-off sheets ready for your patients as of April 14.

What you may not be aware of is the next step in HIPAA compliance: the Security Rules.  They have just been finalized and don’t go into effect until April 2005, or do they?  Here is the catch-22.  Even though full compliance is not mandatory until April 2005, the Privacy Rule’s safeguards standard (45 CFR 164.530(c)) already requires you to have appropriate administrative, technical and physical safeguards in place to protect the privacy of PHI.

The catch-22 is that in order to be fully compliant with the privacy rules you need to have addressed most of the security rules as well.

The best way to address HIPAA compliance is to treat the regulation as a single integrated whole.  By keeping your eye on the total picture, you won’t waste time, effort and money readdressing items at a later date.  You should have a total integrated HIPAA plan and work it into your daily routine.  Make it second nature and compliance will be much less burdensome.

Danger, Danger, Danger!!!
(Volume 18)

Does anybody remember those immortal words from the robot on Lost in Space?  I really feel like that these days, with all of the HIPAA hype, myths and misunderstandings going around.  I recently read an e-mail posted online from a doctor who had just received a copy of a privacy handbook.  He was preparing to give each of his patients a copy of his Notice of Privacy Practices, which he had copied from a HIPAA manual, as well as a copy of the "summary statement".  His question was actually about the requirements for posting the Notice of Privacy Practices.  His question should have been "Can I use the Notice of Privacy Practices exactly as it is written in a manual?"  The answer is no.

HIPAA requires that you have a Privacy Policy written specifically for your practice, that you and your employees are trained in the policies it contains, and that your Notice of Privacy Practices be derived from that Privacy Policy.

Think of the Privacy Policy like an employee handbook.  There are lots of great employee handbooks out there, but are you going to copy one and put your practice name on it and live by it?  Of course not; you will tailor it to your specific practice.  The same goes for the Notice of Privacy Practices.  This becomes a binding document that you are expected to comply with, so it had better reflect what is in your Privacy Policies and Procedures Manual and what your employees have been taught regarding your privacy policies and procedures.

Consider any off-the-shelf HIPAA privacy manual an outline; you still must fill in the details.  I can't stress it enough:  April 14th is right around the corner.  You must have a Privacy Policies and Procedures Manual in place and have your own Notice of Privacy Practices posted and ready to hand out to each and every patient.

By: Raymond F. Posa, MBA
Technology Advisor to the American Academy of Podiatric Practice Management
President, R. Francis Associates

To be continued..........

Any questions or comments can be addressed to Mr. Posa by E-mail Rposa@Rfrancis.com

Or you can go to WWW.NJHIPAA.COM for detailed information on HIPAA

Copyright 2002-2006 FootZine.com, Gayle S. Johnson.
All Rights Reserved