Safeguard Paper Documents for HIPAA
In a time when HIPAA is often associated with guarding electronic medical records, physicians would be remiss if they forgot paper documentation.
Imagine you have in your office a single piece of paper that details your complete financial situation, including your net worth. You would likely want that information locked safely away. Now imagine you have a file on a patient who has a urinary tract infection. Those documents should be treated similarly.
“You should be doing it with any condition, whether it's HIV or a boo-boo on my toe. It doesn't matter, guard it all,” said Kenneth Goodman, director of the bioethics program at the University of Miami.
Physical safeguards should be considered for things inside the office.
Basic safeguards
As with much of HIPAA, there is no specific guideline for office safeguards. Instead, it states offices have “physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.”
What providers have to do is look at their individual practices, find potential areas of risk, and put controls in place to avoid leaks. Although most practices may be safe from breaches, Goodman warns not to be too “cavalier” about the issue.
“There is something true today that was not there 20 years ago,” he said. “Every patient record has a black-market value.”
There is some low-hanging fruit that almost all providers can think about when securing information. First, Goodman recommends having good locks on the office and doors. Password-protected locks are also a good option.
“I'm amazed at how many people save money on locks,” he said. “If someone can break in with a screwdriver, you don't have strong enough locks.”
Michelle Caswell, senior director of legal and compliance at Clearwater Compliance, said facility access can include keycard access to locked doors, visitor badges, and locking charts in a room that is accessible only to those who need to get to them. If an employee is terminated, locks should be changed.
When charts and other papers are ready to leave the office, disposal should be considered carefully, said Emily Wein, a principal at Ober Kaler's health law group. Protected papers shouldn't be left where they can be confused with trash.
“There are occurrences where protected health information got put in the wrong place,” she said. “People dumpster dive around doctors' offices looking for prescription information.”
There should be a clear disposal protocol at each step, including shredding. One option is to have an outside organization come in periodically for a commercial-grade shred.
Workstation security is also something to be considered. Many of these tactics are relatively simple, like putting screen savers on computers, Caswell said.
Other options include instructing office staff to log out when they move away from the computer and setting electronic medical record settings to log off when inactive for a certain amount of time. This could be 10 or 15 minutes, depending upon the environment.
Many of the breaches that occur do so because “someone did something careless or stupid,” not because people meant to steal or divulge information, Goodman said.
“It happens by people losing papers – leaving them out, dropping them,” he said. “They should instead transport the paper records the same way they would transport a bunch of money.”
The main way to combat these errors is through education and follow-through, Goodman said. Offices have to create good practices and remind people now and again what those practices entail.
Preventing something like snooping is difficult, particularly in small offices where people need access to most of the information. Caswell said the best way to avoid this is to train staff. They shouldn't be talking to friends about patients. If they don't need to be in a file, don't look at it. Don't take pictures of information with a cell phone.
Once protocols are created, they need to be enforced. This can be done through occasional audits. The electronic medical records of 10 to 15 patients can be chosen randomly to see who was looking at the records and if they had authorization to be in the file.
Goodman likens these policies to any other in the office. If an employee is caught stealing office supplies, would he or she be fired? Warned once, then fired if caught repeating the error? Sit everyone down and tell them the rules along with the consequences. “The caveat is making sure policies aren't just there in form,” Caswell said.