HIPAA Violations Can Affect Real People and Can Have Real Costs

Wendy Gittleson
GRM on AUGUST 4, 2010

Two medical offices in California are under fire and liable for large penalties for breaches of patients’ privacy. In both cases, patient names, addresses, Social Security numbers and dates of birth have been left where they could be found by any passerby.

The first incident occurred May 31, in Chino Hills, CA. A sheriff’s deputy found hundreds of medical files in a trash bin. The files came from a husband/wife pediatrician/OB-GYN team. They said the records were accidentally discarded during a move.

The second happened July 14th in Barstow, CA. A passerby noticed several boxes of medical records outside of a dentist’s office. According to the staff, the records had been outside for a month! The Sheriff’s Department seized the records for destruction.

These scenarios are probably more common than people would like to think. HIPAA was put in place to help ensure patients’ privacy with strict penalties. These two offices will most likely be subject to fines from $2,500 to $50,000 and possibly more. Even beyond fines, exposing patient records can cost a doctor patients or even their practice.

Small offices might see themselves at a disadvantage. They typically have fewer resources for training and for HIPAA compliance. EMRs and large-scale scanning can seem cost-prohibitive to some.

There are very low-tech ways to protect patients’ privacy. This may seem obvious, but make sure that you have full chain-of-custody tracking. This can be done with an in-office filing system or, better yet, by taking the records offsite to a recognized records vendor. A good vendor will have barcode tracking technology and a good web-based inventory system that will give your office manager an exact location of every record. Plus, vendors are also subject to the Business Associate rules in HIPAA.

If you move or plan on abandoning an office, do not leave the records behind. Check with your state’s medical board. If the records can be disposed of, properly shred them and obtain a Certificate of Destruction. If not, the medical board can give you proper procedures. Remember, even after a practice is closed, liability will remain.

Keep careful tabs on when records can be shredded and do it! Patients’ identities cannot be stolen if the records don’t exist. If there are records that have historical or research value, redact the personal information. Historical records don’t need names, addresses or Social Security numbers.

HIPAA and HIPAA HITECH can be confusing. GRM Document Management will soon be announcing a Webinar to help simplify the regulations and to help even small offices develop action plans. Watch for the official date within the week. If you would like to receive an invitation to the free Webinar, please comment with your email address. Your comment can remain confidential if you wish. Please also feel free to post questions to this blog about HIPAA and HITECH.

Read more: http://www.linkedin.com/news?viewArticle=&articleID=164687391&gid=1170287&type=member&item=26336487&articleURL=http://www.grmdocumentstorage.com/blog/%3Fp%3D91&urlhash=Ul_R&goback=.gde_1170287_member_26336487

Compliments of FileMan Research
