Welcome to the Lounge!

The AHDI Lounge is an exchange blog for dialogue and discussion around trends, drivers, and challenges facing the healthcare documentation profession and a place for AHDI members to address these issues. It's just a spot for busy MTs, editors, educators, students, managers, and service owners to chat about the profession. So grab a latte and join us!

About AHDI

AHDI (Association for Healthcare Documentation Integrity) is the world's largest professional society representing the healthcare documentation sector. Our purpose is to set standards for education and practice in the field of health data capture that ensure the highest level of accuracy, privacy, and security for the US healthcare system.

Phoenix Cardiac Surgery: HIPAA The Hard Way

From managemypractice.com comes a very worthwhile article entitled, "What Can We Learn About HIPAA From Phoenix Cardiac Surgery?" The piece was written in response to the revelation this week that Phoenix Cardiac Surgery in Arizona had agreed to a $100,000 settlement with the HHS Office for Civil Rights (OCR) over HIPAA violations. What I find particularly significant about this incident is that the specific breach--posting patient names and appointments on a publicly accessible web-based calendar--was merely representative of an overall failure on the part of the medical practice to grasp the need for a comprehensive HIPAA compliance program. The settlement wasn't just about posting patient names online, as the article points out:

“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

OCR's investigation also revealed the following issues:
  • Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
  • Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
  • Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.

I find the last phrase of the quote from Leon Rodriguez extremely telling: "OCR expects full compliance no matter the size of a covered entity." (Keep in mind that since HITECH was passed in 2009, you can substitute "business associate" for "covered entity" because BAs are now just as liable as CEs under HIPAA.) The dates of the HIPAA violations referred to in the settlement documents--2005 to 2009--lead me to believe the investigation into Phoenix Cardiac Surgery was the result of a complaint being filed rather than a part of OCR's recent HIPAA enforcement push. And while it's true that our industry doesn't deal directly with patients for the most part, that doesn't mean we're insulated from their scrutiny. For example, unencrypted dictation or transcription files placed on an FTP or web server that permits anonymous access, or that exposes a browsable directory listing, can be crawled and indexed by search engines, so that a patient Googling their own name might find their medical records displayed for all the world to see.

I would highly recommend taking the time to read the settlement documents linked above to get a good overview of what OCR is looking for with regard to HIPAA compliance. In a nutshell, the Corrective Action Plan agreed to by Phoenix Cardiac Surgery consists of the following:

  • Develop, maintain, distribute, and implement written policies and procedures addressing HIPAA compliance.
  • Carry out a risk assessment.
  • Create and implement a risk management plan based on the risk assessment.
  • Identify a security official who will be responsible for HIPAA compliance.
  • Obtain written Business Associate Agreements (BAAs).
  • Institute and document technical safeguards to protect PHI on electronic systems and across electronic networks, specifically including PHI on mobile devices.
  • Institute and document workforce training on HIPAA compliance.
  • Review workforce training annually and update as appropriate.
  • Report all violations of HIPAA policies and procedures to OCR within 30 days. 

I'm sure the folks at Phoenix Cardiac Surgery are decent, hardworking healthcare professionals who had no intention of putting their patients' information at risk. But in this brave new world of identity theft and aggressive HIPAA enforcement, the absence of malice isn't enough. This is yet one more wake-up call to even small operators and independent contractors in our sector that we'd better get our house in order.

Jay Vance, CMT, CHP
AHDI Lounge Administrator/Moderator
Director, District 1
AHDI National Leadership Board
