Privacy and security are two words we hear every day, all day long. While these terms usually refer to online and cyber data, as medical professionals, we should also be keeping privacy and security top of mind as we record the health history and medical information of our patients.
The Health Information Portability & Accountability Act (HIPAA) is a group of federal regulations that all physician offices, hospitals, providers, and medical caregivers have been required to meet since April 14, 2003. HIPAA requires the completion of specific paperwork, including a parent's signature acknowledging that the patient and family have received a copy of the Notice of Privacy Practices.
Correctly releasing – or not releasing – pediatric and adolescent patient medical and personal health information can be complex. Your office is not just dealing with your patient, but with parents, legal guardians, schools, authorities and more. When records are handled incorrectly, the complexities of pediatric and adolescent HIPAA violations can rack up enormous penalties quickly. The good news is that, with these seven guidelines, you can avoid common HIPAA pitfalls related to minor patients.
Keep Your HIPAA Privacy and Security Compliance Manuals Updated
Every new change to HIPAA requires changes to your practice’s Privacy and Security Compliance Manual. Practices that do not regularly update their HIPAA manuals need to do so immediately. Your practice should adapt the sample policies and procedures to align with your specific staffing, technology use, and office operations. After these policies are updated in your manual, you must incorporate those policies, procedures, and training into your practice’s daily operation.
Here are a few of the most recent and relevant HIPAA changes that require changes to your manual.
Pediatric Practices Must:
- Update all Business Associate agreements to account for the new data breach provisions and penalties.
- Update the Notice of Privacy Practices to address patients' rights to access their medical records and to be notified of data breaches.
- Revise policies and procedures for providing patients access to medical records.
Get the HITECH Update
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 strengthened the privacy provisions of HIPAA and expanded its applicability to Business Associates of Covered Entities. There are now more detailed reporting requirements and patient notification rules that Covered Entities must follow when breaches of patient protected health information occur. What’s a Covered Entity? See our third tip.
Be Sure Covered Entities Are In The Know
Your practice is a Covered Entity and so must meet all of the requirements under HIPAA. However, you also have Business Associates that fall under the Covered Entity umbrella – billing, collections, medical record storage and more – that are also bound by the HIPAA Privacy Act, even when they contract with more than one practice. Make sure your Covered Entities are abiding by the same HIPAA best practices as you.
Breaches of Protected Health Information Are Now More Serious
HIPAA has toughened the notification laws regarding protected health information data. Breaches now require more extensive public notifications when data is lost, breached or stolen. Fines are now larger. Covered Entities must have written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with them.
Be Extra Cautious with Parental Access
Parental access to a child's protected health information can be complex. Pediatricians and staff must understand these complications and the ramifications to the practice if HIPAA policies and procedures are not followed, and must take the steps needed to incorporate those policies and procedures into day-to-day operations.
Under HIPAA, there are three instances when a parent would not be the minor child’s personal representative. These are:
- When the minor has consented to care and the consent of the parent is not required under State or other applicable law
- When the minor obtains care at the direction of a court or a person appointed by the court
- When, and to the extent that, the parent agrees that the minor child and the health care provider may have a confidential relationship.
Understand HIPAA and HITECH Enforcement Changes
Modifications to the Enforcement Rule include:
- Higher penalties and mandates for formal investigations of violations due to willful neglect
- A revised penalty structure with four categories of violations that reflect increasing levels of culpability and four corresponding tiers of the penalty amount
- A significant increase in the minimum penalty amount for each violation
- A maximum penalty amount of $1.5 million annually, depending on whether the Covered Entity or Business Associate knew of the HIPAA violation or engaged in willful, uncorrected neglect
Proper Destruction of Protected Health Information Is Critical
Destruction of patient health information by your practice must be done in compliance with federal and state law and should follow your practice’s proper written retention schedule and destruction policy. Records involved in any open investigation, audit, or litigation must not be destroyed until the legal case has been closed.
Commonly accepted destruction methods are:
- Burning, shredding, pulping, or pulverizing for paper records.
- Pulverizing for microfilm, microfiche, laserdiscs, and document imaging media.
- Magnetic degaussing for computerized data.
- Shredding or cutting for DVDs.
- Demagnetizing magnetic tapes.
Your office should document the destruction of health records, including:
- Date of destruction
- Method of destruction
- Description of the records disposed of
- Inclusive dates covered by the records
- A statement that the records were destroyed in the normal course of business
- The signatures of the individuals supervising and witnessing the destruction
Your medical practice may hire a Business Associate like a shredding company to dispose of confidential health information, but that is not required.
While HIPAA has been in force for nearly a decade, its complexity, its rapid and regular changes, and the constant advancement of technology can make it one of the most confusing regulations you must comply with. And, if you are ever found in violation of HIPAA or HITECH, it can also be one of the most expensive, especially when treating pediatric and adolescent patients.
Follow these seven points to minimize your risk of getting hit with massive penalties for HIPAA and HITECH violations.