Recently, the medical records of hundreds of patients were trashed outside of a medical office building in New York City. The records belonged to patients of two gastroenterologists. The Protected Health Information (PHI) that was exposed included the names and social security numbers of these patients. The gastroenterologists were moving to a new nearby office. They had left the patient charts at their old office to be retrieved by a shredding company, and they placed the blame on their cleaning people for throwing the records out. The doctors adamantly deny that they improperly disposed of the records. They also said that they have “policies and procedures in place regarding the safeguarding and/or disposal of their patients’ protected health information.” An effective policy and procedure, actually followed, could have prevented such a breach from happening.
Safeguarding Medical Records
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. Major regulations were issued after that: first in 2003 (the Privacy Rule), then in 2005 (the Security Rule), and then in 2013 (the HITECH Act). The Privacy Rule governs the use and release of PHI. Both covered entities (providers are covered entities) and business associates (such as third-party billing companies) have a duty to protect PHI in every form (written, electronic, verbal). PHI is patient data that combines diagnostic or treatment information with identifiable patient information. Below is a list of the PHI identifiers.
- All geographic information below the state level:
  - Street address
  - Zip code (or equivalent geocode)
- Dates that are directly related to an individual:
  - Birth date
  - Admission date
  - Service date
  - Discharge date
  - Date of death
- Telephone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers (license plates/serial numbers)
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic or code
PHI must remain confidential. Verbal communications should be private. Written records must be locked away. Electronic PHI (ePHI) must be stored and transmitted using secure systems. Since health data is highly valued by criminals (health data sells for 10 to 20 times more than credit card data), it is incumbent upon us to ensure the safety of PHI.
Hard copies of medical records should never be left out in the open when they are not in use. At the end of each workday, our internal policy directs our staff to lock away any documents that contain PHI. In addition to securing our paper records, our goal is to decrease their volume as much as possible. Consequently, we convert most of our documents to electronic form and then safeguard those as well. We secure our network with a firewall that monitors our network traffic. Our servers are kept in a locked room. Our laptops and computers have full disk encryption, a technology that protects information by converting it into unreadable code that cannot be deciphered easily by unauthorized users who do not hold the key.
As a part of our commitment, we follow the core principle of the Privacy Rule, which is the “minimum necessary” rule. This rule applies to covered entities, business associates, and the subcontractors of business associates. The tenet of minimum necessary is that information should only be shared for a legitimate purpose, and only as much as that purpose requires. For example, providers should only access patient data if they are involved in the patient’s care. Business associates should only access PHI if it is necessary to their services. Consequently, actions such as viewing information out of curiosity are prohibited.
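The minimum-necessary rule translates directly into an authorization check: a request must carry a legitimate purpose, the requester must be tied to the patient (a care-team member) or to a permitted purpose (a business associate under its BAA), and even an allowed requester only receives the parts of the record that purpose needs. The following is an added example written for this article; it is not Physician Revenue Navigators’ software, and the MRNs, user names, BAA scope and field names are constructed sample data.

```python
"""Minimum-necessary access check with data minimization and an audit line.

Added example, not the firm's own system. All names, MRNs and the BAA scope
below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed sample data: which staff are on each patient's care team.
CARE_TEAM = {
    "MRN-1001": {"dr.lee", "nurse.kim"},
    "MRN-1002": {"dr.patel"},
}

# Constructed sample data: business associate -> purposes its BAA permits.
BAA_SCOPE = {"billing-co": {"billing"}}

# Record sections each legitimate purpose actually needs. Billing never
# receives clinical notes or medication lists; this is the "minimum" part.
FIELDS_BY_PURPOSE = {
    "treatment": {"demographics", "diagnoses", "medications", "notes", "insurance"},
    "billing": {"demographics", "diagnoses", "insurance"},
}


@dataclass(frozen=True)
class AccessRequest:
    requester: str
    role: str          # "provider" or "business_associate"
    patient_mrn: str
    purpose: str       # e.g. "treatment", "billing"; anything else is denied


def permitted_fields(req, care_team=CARE_TEAM, baa_scope=BAA_SCOPE):
    """Return the record fields the requester may see; empty set means deny."""
    if req.purpose not in FIELDS_BY_PURPOSE:
        return set()  # "curiosity" or any unlisted purpose is never legitimate
    if req.role == "provider":
        # Providers access PHI only for treatment of their own patients.
        if req.purpose != "treatment":
            return set()
        if req.requester not in care_team.get(req.patient_mrn, set()):
            return set()
    elif req.role == "business_associate":
        # A business associate may use PHI only as its BAA permits.
        if req.purpose not in baa_scope.get(req.requester, set()):
            return set()
    else:
        return set()  # unknown role: fail closed
    return set(FIELDS_BY_PURPOSE[req.purpose])


def audit_line(req, fields):
    """One log line per decision so access can be reviewed later."""
    decision = "ALLOW" if fields else "DENY"
    return (f"{decision} requester={req.requester} role={req.role} "
            f"mrn={req.patient_mrn} purpose={req.purpose} fields={sorted(fields)}")


if __name__ == "__main__":
    for req in (
        AccessRequest("dr.lee", "provider", "MRN-1001", "treatment"),
        AccessRequest("dr.lee", "provider", "MRN-1002", "treatment"),
        AccessRequest("nurse.kim", "provider", "MRN-1001", "curiosity"),
        AccessRequest("billing-co", "business_associate", "MRN-1001", "billing"),
    ):
        print(audit_line(req, permitted_fields(req)))
```

Every deny path returns an empty set rather than raising, so the caller logs the decision the same way in all cases; the log line is what lets a privacy officer later answer "who looked at this chart, and why."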
Business Associate Agreements (BAAs) are also mandated by HIPAA regulations. A BAA is a written arrangement that specifies the responsibilities of the covered entity and the business associate when it comes to PHI. The BAA must describe the permitted and required uses of PHI by the business associate and state that the business associate will not use or further disclose the PHI other than as permitted or required by the contract or as required by law. Like covered entities, business associates must also ensure HIPAA compliance or they can be held liable.
Medicare currently requires that we retain patient records for seven (7) years from the date of their creation or the date when they were last in effect, whichever is later. If a patient is a minor, the State of Nevada requires that the records be retained until the patient turns twenty-three (23) years old and the 7-year period has also elapsed. Please check the regulations for your particular state, as they may vary from Nevada’s.
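A records system that schedules destruction has to get both "whichever is later" clauses right: the 7-year clock runs from the later of creation and last-in-effect, and for a minor the destruction date is the later of that clock and the patient's 23rd birthday. The function below is an added example for this article, not Physician Revenue Navigators’ code. It assumes that "minor" means under 18 on the date the record was created (the article does not define the age of majority), handles a February 29 anniversary, and takes all dates as constructed sample values.

```python
"""Compute the earliest permitted destruction date for a patient record.

Added example, not the firm's own system. Assumes a minor is a patient under
18 on the record's creation date; the 7-year and age-23 figures are the ones
the article states for Medicare and Nevada.
"""
from datetime import date

RETENTION_YEARS = 7          # Medicare retention period from the article
MINOR_RETAIN_UNTIL_AGE = 23  # Nevada rule for minors from the article
AGE_OF_MAJORITY = 18         # assumption: "minor" means under 18 at creation


def add_years(d, years):
    """Same month/day `years` later; Feb 29 rolls back to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def age_on(birth_date, on_date):
    """Whole years of age on `on_date`."""
    years = on_date.year - birth_date.year
    if (on_date.month, on_date.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years


def retention_end(created, last_in_effect, birth_date=None):
    """Earliest date the record may be destroyed.

    created        -- date the record was created
    last_in_effect -- date the record was last in effect
    birth_date     -- patient's birth date, or None if unknown (treated as adult)
    """
    # 7 years from the later of creation and last-in-effect.
    end = add_years(max(created, last_in_effect), RETENTION_YEARS)
    if birth_date is not None and age_on(birth_date, created) < AGE_OF_MAJORITY:
        # Minor: also hold until the 23rd birthday, whichever is later.
        end = max(end, add_years(birth_date, MINOR_RETAIN_UNTIL_AGE))
    return end


def may_destroy(created, last_in_effect, today, birth_date=None):
    """True once `today` is on or after the retention end date."""
    return today >= retention_end(created, last_in_effect, birth_date)


if __name__ == "__main__":
    # Constructed sample records.
    print(retention_end(date(2015, 3, 10), date(2016, 6, 1)))                     # adult
    print(retention_end(date(2012, 5, 1), date(2012, 5, 1), date(2010, 1, 15)))   # young minor
    print(retention_end(date(2017, 8, 1), date(2017, 8, 1), date(2000, 1, 15)))   # 17-year-old
```

Because `may_destroy` compares against the computed end date rather than a stored flag, a state whose retention rules differ from Nevada's only needs the two constants (or a per-state lookup) changed, not the scheduling logic.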
Physician Revenue Navigators is a premier company that provides revenue management for healthcare entities. The protection of patients’ PHI is of the utmost importance to us. Contact us to learn more about how we can serve you while complying with HIPAA regulations.