Powers Pyles Sutter & Verville Principal Jim Pyles was interviewed for “PREVENTING FINANCIAL FRAUD: What providers need to know about the laws governing financial exploitation and the controls needed to inhibit its growth,” a Relias Learning publication.
“You can lock your door to protect physical records, and if someone steals them there’s a limited distribution that can occur,” said Pyles. “With electronic records, they can exist in an infinite number of places and can be stolen from anywhere in the world. The potential for this type of fraud is exponentially greater.”
Pyles notes, “Providers aren’t doing enough to safeguard their systems. The HIPAA/HITECH rules are incredibly complex and conflicting. Many providers don’t have policies and procedures in place and have not done a risk analysis or training. All a patient has to do is find you didn’t comply with one of these rules and sue you under the state negligence laws.” Here are a few things providers can do to safeguard their residents’ healthcare information, according to Pyles:
1. Make a good faith effort to be in compliance with all HIPAA standards. It may be difficult to be in complete compliance with all 80 HIPAA privacy and security rules, but it is possible to make a good faith effort. One of these rules requires the designation of a chief privacy officer responsible for reviewing the list of standards like a checklist to make sure the facility or agency is either in compliance or taking steps towards compliance. Documenting this will provide a defense against negligence in the case of an alleged violation. Review the guidelines put out by the Office for Civil Rights to help.
2. Buy cyber insurance. When doing so, make sure it does not have broad exemptions that would render it null and void. Companies will not insure those who have not made a good faith effort to be in compliance with HIPAA.
3. Policies and procedures. Conduct periodic training on policies and procedures to make sure all staff are up to date.
4. Review business associates and agreements. Make sure all business associates and agreements comply with HIPAA as well. This could be a medical billing vendor, pharmacy or a law firm that handles resident complaints. Any organizations you share electronic health information with must also comply.
For more information about protecting medical records, contact Jim Pyles at 202-466-6550 or jim.pyles@pssv.com.