William Maruca of HIPAA, HITECH & HIT knows what it means for both patients and health care providers to keep records safe.
In this interview, Maruca discusses patient confidentiality, keeping records safe and private, and trends in the medical billing industry.
In what ways do electronic health records present a risk to patient confidentiality?
Electronic health records can be accessed, copied and transferred instantaneously with a click of a mouse. People often forget that the HIPAA statute was intended, among other things, to increase the use of EHR via standardization of electronic transactions. Congress and the Department of Health and Human Services recognized that electronic records are more susceptible to unauthorized access, use and disclosure; and established the HIPAA privacy and security rules to protect those records.
Another risk factor is the fact that in most large organizations, anyone who has a password can access any medical record in the organization’s system, despite “minimum necessary” policies that prohibit staff from snooping in records they have no legitimate reason to access. This has led to some serious consequences for the snoopers and their employers.
How does Fox Rothschild work to uphold patient confidentiality?
As a law firm, we are sometimes acting as a healthcare client’s business associate; like for example when we represent a client in a third-party payor audit, medical staff hearing or licensure action that involves patient records. We take our business associate responsibilities very seriously, and take steps to protect and secure all data we receive from clients.
When advising healthcare clients, we emphasize their obligations both as covered entities and as business associates to meet the HIPAA privacy and security standards. One important recommendation is to encrypt all electronic protected health information (ePHI), especially when transferring it via email, cloud storage or FTP sites or saving it to mobile devices.
The loss of properly-encrypted PHI may not be a HIPAA breach even if a device is lost or stolen, or an email or electronic file is sent to the wrong recipient.
What should patients look for in terms of protecting their own records?
Patients should carefully review the Notice of Privacy Practices (NPP) they receive from each covered entity. Such notices are frequently ignored, but they contain important information about when and how a covered entity will use and share an individual’s PHI. Patients should also be aware that they can request certain restrictions on a covered entity’s use of their PHI.
Covered entities are not required to agree to those restrictions except when a patient has paid for services entirely out-of-pocket. Patients can also ask for a list or accounting of the times the covered entity has shared their health information for the past six years, who it was shared with, and why; except for those about treatment, payment, health care operations, and certain other disclosures (such as any disclosures the patient asked the Covered Entity to make).
In what ways do you help healthcare providers stay abreast of current laws regarding healthcare records?
We publish a blog which covers Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records.
We also contribute to trade publications and speak and write for professional associations on health privacy and security issues. We have assisted clients in developing and updating HIPAA policies and forms, counseled them with regard to breach analysis and reporting, and assisted them in meeting their compliance obligations. We regularly write and/or review business associate agreements on behalf of both Covered Entities and Business Associates to ensure that our clients understand and agree with their rights and responsibilities.
What trends do you see happening in the medical billing industry, and how does Fox Rothschild address these changes or trends?
Among the trends we see are:
- Increased audit activity by third-party payors, both governmental and private.
- “Meaningful use” audits to substantiate qualification for HITECH Act incentive payments.
- Slow but steady motion toward various pay-for-performance (P4P) models and away from pure fee-for-service.
- Continued integration of practice management and medical record systems.
- Risks associated with “cloned notes” and automatic insertion of repetitive narratives in medical records via EHR systems.
How does strategic counsel help clients with their medical billing or healthcare privacy issues?
This is what we do. We represent medical providers, billing/management companies and other business associates, employers and other health plan sponsors. Our goal is to guide our clients to full compliance and assist them in handling a crisis when something unanticipated happens as is often the case. Adopting and implementing current, robust policies and procedures, particularly with regard to encryption, will prevent many such situations and reduce their impact when they do occur.
Please provide any additional information pertinent to the field of health care privacy that you would like readers to know.
Government enforcement of HIPAA privacy and security standards is on the increase. At the same time, state courts are beginning to apply HIPAA standards to private lawsuits, even though HIPAA itself does not authorize such suits. On November 11, 2013, the Connecticut Supreme Court ruled in the case of Byrne v. Avery Center for Obstetrics and Gynecology, P.C. that (i) an action for negligence arising from a health care provider’s breach of patient privacy is not preempted by the HIPAA statute and regulations, which do not permit a private right of action to be brought by an individual under HIPAA, and (ii) HIPAA regulations may well inform the applicable standard of care in certain circumstances. See our blog here
This raises the already considerable stakes for HIPAA noncompliance. It is critical that all healthcare providers, other covered entities and business associates make privacy and security a top priority.