Being Framed for a HIPAA Violation: What to Do
You work hard to provide your patients with the best care possible, but it can be difficult to ensure everything is done right. Rules are constantly changing, technology is always improving, but at what cost? You want to treat your patients, but you find yourself spending more time pushing paperwork than seeing people. When you think you can't take it anymore, the phone rings. Now you are facing a HIPAA violation. What do you do next? Keep reading to find out.
HIPAA Training Protects You and Your Staff
HIPAA is the backbone of healthcare practice. A company that finds itself in violation faces penalties and unwanted publicity. An employee accused of a HIPAA violation may face jail time. It is important to get to the bottom of the complaint immediately. Develop a strict policy within your practice of handling these complaints. A growing trend among law enforcement is criminally prosecuting HIPAA violations. This can mean prison time rather than fines for those who breach HIPAA policy. Along with this trend toward prosecution, another issue has cropped up. Framing nurses as retaliation for some real or imagined slight has resulted in cases brought to federal court. Being framed as part of a HIPAA scheme can devastate your practice. The target is not the only one affected. A court case pulls your entire practice into the mess. While you can't do anything to prevent ill-intentioned individuals set on creating chaos, there are ways you can protect yourself and your employees from this disgrace. Wondering what is HIPAA training and if it will keep you safe? The answer is yes. HIPAA policy is complex, and not all parts of it are intuitive. HIPAA training and frequent refreshers should be part of the schedule. This ensures every member of your staff knows their role in maintaining patient confidentiality.
Handling a HIPAA Violation
You must have a policy for dealing with potential HIPAA violations. Deciding how you handle the issue once it occurs will not look good if the matter makes its way to court. Have an existing policy in place and documents that support every process used by your practice are important. This documentation is the key to winning the battle against a fraudulent whistleblower. There are a few key steps to take when you receive news of a potential violation. If there is any evidence to suggest a patient's privacy was breached, you need to act quickly. Reporting and correcting the issue within 30 days allow you to reduce or even avoid penalties. The longer you wait, the more difficult it is to deny responsibility. Once the Office of Civil Rights becomes involved, you can expect a few different outcomes. If compliance issues are found, OCR recommends penalties for the issues. This can range from simply fixing the problem, to substantial fines. While criminal charges are the most extreme result, your practice and staff may also face civil penalties. If criminal charges are warranted, the case is transferred to the Department of Justice.
Investigate the Issue
The minute you receive notification that someone in your practice may have breached HIPAA policy, open a full investigation. A neutral fact-finding mission is the first step. Documentation is important in the event the matter escalates. Any evidence of wrongdoing by your staff requires mitigation on your part. This means determining areas where your internal policy failed and taking steps to prevent it from happening again. Additional compliance training and rewriting office policies are two ways to mitigate damage.
What do you do if your investigation finds no evidence of wrong-doing? It isn't unheard of for individuals to make false HIPAA violation claims against individuals as a form of retaliation. With the increase in criminal prosecutions of HIPAA violations, employees who experience issues in their domestic life may find themselves the target of a HIPAA fraud scheme. If one of your employees is the victim of such a claim, you need to take action quickly. Regardless of how out of character the claim seems, treat it as you would any other potential violation. The HIPAA violation notice may come from outside. A notice of investigation from the federal Office for Civil Rights may alert you to the problem. Take the matter seriously. Comply with the investigation, but be ready to document your case as well.
Protecting Your Employees
The best way to protect yourself and your employees from false HIPAA violations is to keep all training up to date. A well-trained staff is confident in their record-keeping and compliance standards. They are in a much better position to defend themselves against false claims. Understanding the most common HIPAA violations and how to protect your company from them is important as well. While there are many ways to violate this policy, there are a few violations that repeatedly crop up.
Denying Patients Access to Health Records
HIPAA allows patients the right to their medical records. They are permitted to view them at-will and receive copies of them if desired. The ruling is a way to support patient's rights, allowing them to review their medical history, check for errors, and share them with other medical providers. Denying patients access to their records is a violation of HIPAA. While outright refusal is one way to violate the policy, charging above-market rates for copies of the records or dragging your feet at providing the documentation are violations as well. Having an efficient front-office staff is important here. It allows you to provide patient records for review and provide copies in a reasonable time frame. An office that takes longer than 30 days to produce medical records violates HIPAA policy.
Failure to Guard Patient's Privacy
This is the violation most think of when considering HIPAA. It occurs when patient records are accessible and someone reads through them for reasons other than providing treatment or determining payment. Employees who look through medical records are opening your practice up to tremendous liability. Have a system in place that restricts access to medical records and records who accesses the files. This not only protects your patients' privacy but also protects employees from unjustified allegations.
Failing to Check Compliance From Vendors
You are not only responsible for the compliance of your office, you must also ensure that the companies you work with are compliant as well. Before entering into an agreement that provides vendors with patient health information, ensure that the agreement is HIPAA-compliant.
Lack of Control
Electronic health records have made providing quality care for patients much easier. Digital access does have drawbacks. You are responsible for guarding this information, and to do so, you must do more than locking the file room at the end of the day. Data breaches are often unavoidable, and there are measures in place to protect healthcare facilities from excessive penalties due to data failures beyond their control. Those protections do not extend to carelessness. It is expected that you make a good faith effort to secure electronic health records. This means using a secure system and keeping it up to date, as well as limiting the number of people who have access to the information stored in the EHRs. Encrypting data significantly boosts the security of your electronic health records. While encryption is not currently required for HIPAA-compliance, its value should not be overlooked.
Just like you cannot ignore a patient's record request, you cannot ignore signs of a HIPAA violation. Start your investigation immediately, whether you believe the violation occurred in-house or through a data breach. If you pass the 60-day mark without reporting a breach, you face additional violations and penalties. Exceeding the reporting timeline for HIPAA violations is one of the most common violations that occur.
Work With the Office for Civil Rights
Whether you believe there may be some truth to the accusation of HIPAA violation or you are certain the claim is being used as retaliation, the Office of Health and Human Service's Office for Civil Rights is doing its job by investigating. If you are confident in the HIPAA training you provide your staff and the documentation processes you have in place, you should feel confident that you will emerge unscathed from the investigation. False claims may land the complainant in the crosshairs of an investigation as well. Filing a false complaint is a crime, and if medical records were released as a way to support the false claim, the complainant may have violated HIPAA policy when filing the complaint. The most effective protection you can provide your practice and your staff from fraudulent HIPAA complaints is regular training. Having well-trained staff and solid documentation processes in place allows you to provide the evidence needed to present your case.