Providers of medical records services that assist attorneys in personal injury, workers’ compensation, medical malpractice and other cases are required to maintain HIPAA compliance. This means that they have to be extra cautious about safeguarding the security and confidentiality of the sensitive healthcare data they handle. Compliance is crucial because law firms and attorneys that need to handle PHI from “covered entities” are considered business associates under HIPAA and must stay compliant with HIPAA’s strict data security and privacy standards. A covered entity is a healthcare provider, a health insurance plan or a healthcare clearinghouse that, in its normal activities, creates, maintains, or transmits Protected Health Information (PHI).
Patient privacy and cybersecurity are critical concerns under the Health Insurance Portability and Accountability Act (HIPAA), which requires health data to be highly protected. Apart from confidential data loss through hacking, data can also be lost via unencrypted messages, unmonitored or unlocked server room doors, lost devices and so on. If an organization fails to maintain HIPAA compliance, it could face substantial fines. Even if there is no breach of PHI, lack of compliance can result in criminal charges or even civil lawsuits being filed. To evaluate compliance, the U.S. Department of Health and Human Services (HHS) and the HHS Office for Civil Rights (OCR) conduct HIPAA audits periodically.
HIPAA was introduced with certain important objectives such as the following.
- Protect the privacy of patients
- Improve healthcare
- Improve health insurance portability
- Require entities to make medical records available to patients upon request
- Make sure that patients are notified if there has been a health data breach
Before going on to the ways in which a medical record review company can ensure HIPAA compliance, let us look at what PHI involves. PHI comprises any personally identifiable health information that is transmitted or stored electronically, on paper, or verbally. This could be data about a person related to his/her past, present, or future health; medical treatments; as well as payment information that can identify the person. Examples are as follows:
- Social security number
- Dates of birth, death, or dates on which treatment was provided, or other dates associated with patient care
- Contact information
- Photographs and digital images
- Medical record numbers
- Health plan beneficiary number
- Fingerprints and voice recordings
- Other forms of distinctive identification or account numbers
Covered entities and their business associates that have access to PHI are required to ensure that reliable technical, physical, and administrative safeguards are in place and adhered to; that they comply with the HIPAA Privacy Rule to protect the integrity of PHI; and that if a breach of PHI occurs, they follow the procedure in the HIPAA Breach Notification Rule.
Now let us consider how HIPAA compliance can be ensured.
- Create strong privacy and security policies: These policies must be well-documented, communicated to all organizational staff, and kept regularly updated. The staff must be trained on HIPAA policies during orientation and then once a year. It is best to have them attest in writing that they understand all HIPAA policies and procedures.
- Have someone in charge of overseeing HIPAA compliance: This HIPAA security officer can ensure that all policies and procedures are in place to prevent, detect, and respond to any PHI data breaches. In addition, he or she can establish the safeguards required by the Security Rule and perform risk assessments to determine how effective they are. These safeguards are:
  - Administrative safeguards – Security management processes must be documented, security personnel designated, and an information access management system adopted. The workforce must be given security training. All security protocols must be evaluated periodically.
  - Physical safeguards – Control who has access to the physical facilities where PHI is stored. All workstations and devices that store or transmit PHI must be secured.
  - Technical safeguards – Have access controls to secure PHI in the EHR and other databases so that staff see only the information they are authorized to see. The sensitive data must be encrypted in transit and at rest. Audit controls must be in place for all hardware and software that transmit or manage PHI to make sure they meet HIPAA network requirements. Integrity controls are also vital to ensure the data is not improperly deleted or edited.
- Conduct risk assessments and self-audits regularly: Annual audits of all administrative, technical, and physical safeguards can help identify compliance gaps if any.
- Have rigorous procedures in place for handling medical records: A medical record review company should have effective procedures for handling medical records from the moment they are received until they leave the office. All medical records must be handled safely and securely, without risk of data breach or mishandling.
- Document all HIPAA compliance efforts: It is important to document all privacy and security policies, self-audits, risk assessments, remediation plans, staff training sessions and so on.
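As an added illustration of the technical safeguards listed above (access controls that let staff see only what they are authorized to see, audit controls, and integrity controls), the following Python is example code written for this article, not code from any medical records provider or from HHS. The roles, field names, integrity key and sample record are all constructed for the example; encryption at rest and in transit is left out so the three controls stay visible.

```python
"""Added example: role-based access to PHI with an append-only audit log and
an HMAC integrity tag on each stored record. Everything here is constructed
for illustration; no real patient data, roles or keys are used."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed: the record fields each role may read ("minimum necessary").
ROLE_FIELDS = {
    "reviewer": {"record_id", "patient_name", "diagnosis", "treatment_dates"},
    "billing": {"record_id", "insurance_member_id"},
    "admin": set(),  # admins manage accounts; they do not read PHI
}

# Constructed key; a real deployment would keep this in a secrets manager.
INTEGRITY_KEY = b"example-only-integrity-key"

# Constructed sample record, not real PHI.
SAMPLE_RECORD = {
    "record_id": "MRN-0001",
    "patient_name": "Jane Example",
    "diagnosis": "sample diagnosis",
    "treatment_dates": ["2020-01-15"],
    "insurance_member_id": "MEMBER-123",
}


class PermissionDenied(Exception):
    pass


class IntegrityError(Exception):
    pass


def integrity_tag(record: dict) -> str:
    """HMAC-SHA256 over the canonical JSON form of a record (integrity control)."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


class PhiStore:
    """Stores records with an integrity tag and audits every access attempt."""

    def __init__(self):
        self._records = {}   # record_id -> (record dict, integrity tag)
        self.audit_log = []  # append-only audit trail (audit control)

    def _audit(self, user, role, action, record_id, outcome):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "record_id": record_id, "outcome": outcome,
        })

    def store(self, user, role, record):
        if role != "reviewer":  # only reviewers may file records in this example
            self._audit(user, role, "store", record.get("record_id"), "denied")
            raise PermissionDenied(f"role {role!r} may not store records")
        self._records[record["record_id"]] = (dict(record), integrity_tag(record))
        self._audit(user, role, "store", record["record_id"], "ok")

    def read(self, user, role, record_id):
        allowed = ROLE_FIELDS.get(role, set())
        if not allowed:  # access control: unknown roles and admins get nothing
            self._audit(user, role, "read", record_id, "denied")
            raise PermissionDenied(f"role {role!r} may not read PHI")
        record, tag = self._records[record_id]
        if not hmac.compare_digest(tag, integrity_tag(record)):
            self._audit(user, role, "read", record_id, "integrity_failure")
            raise IntegrityError(f"record {record_id} failed its integrity check")
        self._audit(user, role, "read", record_id, "ok")
        # Field-level filtering: return only what this role is authorized to see.
        return {k: v for k, v in record.items() if k in allowed}

    def tamper_for_demo(self, record_id, field, value):
        """Simulates an edit that bypassed the application (e.g. a direct DB write);
        the tag is not recomputed, so the next read() detects the change."""
        self._records[record_id][0][field] = value


def demo():
    """Walks through the three controls and returns what each check produced."""
    store = PhiStore()
    store.store("alice", "reviewer", SAMPLE_RECORD)
    reviewer_view = store.read("alice", "reviewer", "MRN-0001")
    billing_view = store.read("bob", "billing", "MRN-0001")
    try:
        store.read("carol", "admin", "MRN-0001")
        denied = False
    except PermissionDenied:
        denied = True
    store.tamper_for_demo("MRN-0001", "diagnosis", "altered outside the app")
    try:
        store.read("alice", "reviewer", "MRN-0001")
        tamper_detected = False
    except IntegrityError:
        tamper_detected = True
    return reviewer_view, billing_view, denied, tamper_detected, store.audit_log


if __name__ == "__main__":
    for event in demo()[4]:
        print(event)
```

The audit log records denied and failed reads as well as successful ones, which is what an auditor reviewing the safeguards will ask to see; the integrity tag catches edits made outside the application, which is the "improperly deleted or edited" case the Security Rule's integrity requirement is about.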
Just as for covered entities, HIPAA compliance is critical for attorneys and the medical review company assisting them. This is essential not only to safeguard sensitive patient data but also to protect the bottom line. So, when entrusted with patient records, whether electronic or paper-based, providers of medical records services attach the highest priority to HIPAA compliance. They ensure that all HIPAA regulations are closely followed, and stay updated on any changes in the regulations that are introduced.
The COVID-19 pandemic must also be considered in the cybersecurity, physical security and compliance aspects of an organization, since all three can be affected by it. Remote work has become the norm, and PHI is being handled from more locations, including people’s homes and personal devices. Taking this into consideration, the HHS CSC decided to suspend HIPAA-related fines and penalties for the time being; the change may or may not be permanent. Organizations must in any case review all existing procedures and policies and find out whether their protective measures can be made more robust. Increased staff training and education about guarding PHI is also vital, and work-from-home best practices must be followed.