You could call it “The case of the $150,000 thumb drive.”
A Massachusetts dermatology practice recently paid that penalty for committing multiple violations of the privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA). The Department of Health and Human Services (HHS) levied the hefty fine after one of the practice’s unencrypted thumb drives—containing thousands of patient medical records—was stolen from a staffer’s car.
Are you breathing a sigh of relief because you’re not running a medical practice? Well, don’t exhale just yet: In 2013, modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules (often called the Omnibus Rule) expanded the law’s reach to non-medical small businesses, which must now also closely follow those mandates. The penalty for noncompliance ranges from $100 to $50,000 per violation.
Because of the changes, small accounting firms, law practices and insurance brokers (HHS calls these “business associates”) must become compliance sticklers—which means getting serious about organizing their records.
Four Steps to Avoid the HIPAA Hurt
Not surprisingly, HIPAA compliance means following a laundry list of HHS directives. These include having written policies and procedures available that address safeguarding medical records and educating and training employees.
However, as the dermatology practice learned, a large part of compliance comes down to:
- Knowing where your records are
- Having absolute certainty they are secure
- Being able to retrieve them quickly
Does it seem daunting to track every email (and attachment), piece of paper and important bit of information that knocks on your network’s door? Help ensure that HHS keeps its hands off your hard-earned revenues with these critical first steps.
Step #1: Get an assist. By working with a trusted vendor, you can store all your records in one central and secure location. Any staff that handles your documents must pass through a safeguarded vetting process.
Step #2: Establish easier, faster retrievals. Tagging, indexing and classifying records makes it simple to immediately pull up the documents you need, when you need them. Even better, employ metatags to allow only pre-approved staffers access to certain documents. This level of control also helps with the new HIPAA requirement to document and account for any disclosure of a patient’s medical records.
Step #3: Erase the difference between paper and e-documents. One of the big challenges of HIPAA compliance arises when you have separate troves of paper records and electronic documents. Work with an experienced partner to put electronic and paper records under one searchable and secure umbrella.
Step #4: Shred what you don’t need; scan the rest. One of the big pushes in healthcare is to get away from physical medical records. But making the jump from paper to electronic documents can be fraught with HIPAA compliance risk if approached carelessly. Think about it:
- What happens to your paper records after scanning? Do they just go in a dumpster?
- Who is ultimately responsible for those reams of paper chock full of sensitive patient information?
Bottom line: Devise a plan that ensures expired paper documents get shredded and that new electronic records are secure.
Finally, you won’t find this nugget of advice among any of HHS’s tips on meeting the demands of HIPAA: Don’t keep medical records on a thumb drive—and don’t let your employees keep records in their cars.