Mutual Matters

HIPAA: Key Areas Where Problems Occur

Posted by Bill Kanich, MD on Jan 5, 2017 12:30:00 PM


In 2015, the Department of Health and Human Services (HHS) released its latest report concerning HIPAA breaches, security and breach notification compliance, and breaches of unsecured protected health information [1]. According to the report, the majority of covered entities audited, particularly smaller entities, continued to show HIPAA deficiencies with regard to privacy, security, and breach notification.

Privacy Rule Concerns

Improper notice of privacy practices - HHS found that patients were either not receiving a Notice of Privacy Practices (NPP) or the notice was deficient. The Final Rule made some changes in how practices can use or disclose a patient’s Protected Health Information (PHI). These changes required updates to your NPP.

Timeliness and cost of providing medical records - Under HIPAA, a provider must provide access to medical and billing information upon request, as soon as possible and no later than 30 days after the request. Copies must be provided in the format requested by the patient, if the provider has the capacity to do so. In most situations, this means that if you have electronic medical records (EMRs) and the patient requests a digital copy (such as a PDF), you must provide one if your current system has that capability. When providing records to a patient, a provider may only charge a “reasonable, cost-based” amount for copies. Charging a patient a per-page copy fee, typical when paper records were copied, may no longer be considered reasonable or cost-based with EMRs. You may not deny a patient a copy of their medical records because of unpaid charges for services received. Additionally, in some cases, you may not charge a fee for searching and retrieving medical records. Refer to your state-specific laws related to copying fees.


[1] U.S. Department of Health and Human Services, Office for Civil Rights. (2014). Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2011 and 2012. Washington, DC.
