How Does the HIPAA Privacy Rule Apply to Paper Medical Records?

24 Sep 2019

When the HIPAA Privacy Rule was established in 2003, it was intended to deal with privacy surrounding digital records; therefore, specific language surrounding the management of paper records is vague. While most practitioners are moving toward electronic records, many historical records remain in hard copy format. Both formats are susceptible to breaches and must be handled with care. According to a recent study conducted by HIPAA Journal,

“Between 2009 and 2018 there have been 2,546 healthcare data breaches involving more than 500 records. Those breaches have resulted in the theft/exposure of 189,945,874 healthcare records. That equates to more than 59% of the population of the United States. Healthcare data breaches are now being reported at a rate of more than one per day.”

While most breaches have been caused by hacking/IT incidents, unauthorized access/disclosure incidents are not far behind. In 2018, the report states that there were 158 hacking/IT-related breaches vs. 143 breaches due to unauthorized access. Gail Bisbee, RN, BSN, i-SIGMA’s HIPAA Subject Matter Expert, recently shared her expertise with SRS to help our clients gain clarity on this complex yet extremely important subject.

What is HIPAA, and why was it created?

The acronym HIPAA stands for The Health Insurance Portability and Accountability Act. It was adopted by the US Congress in 1996.

HIPAA was created to achieve the following goals:

  • Allow for transfer and sharing of patient data to ensure continuity of care across the spectrum of health care providers;
  • Reduce health care fraud and abuse;
  • Mandate industry-wide standards for health care information on electronic billing and other processes; and
  • Require the protection and confidential handling of protected health information.

What is an EMR or EHR?

EMR is the acronym for Electronic Medical Record. EHR, which stands for Electronic Health Record, is typically used by software companies. However, both mean the same thing and are used interchangeably.

What is the HIPAA Privacy Rule, and how does it pertain to hard copy records?

The HIPAA Privacy Rule was enacted in 2003 with the goal of establishing national standards for record keeping and, ultimately, pushing medical practitioners toward electronic medical records. The idea was that EMRs provide better continuity of care and make it easier for patients to transfer information to different healthcare providers. The Privacy Rule applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.

Originally, the goal was to have complete adoption of EMR by 2020. That will not happen. What has evolved, then, is that the same standards of reasonable and customary applications for electronic records are being applied to hard copy documents.

Do healthcare providers still use paper records? 

Yes. We estimate that 95% of practitioners will have started the conversion to electronic records. However, many patients have both hard copy and electronic records. Some practitioners who are close to retiring or closing a practice may never make the transition given the cost to convert to an electronic medical record system.

What standards should healthcare providers adhere to regarding physical records? What entities dictate these standards?

Standards for management of records (in both physical and electronic formats) are dictated on a state level. Retention schedules also vary by the type of medical service or patient. Pediatric records, for example, have a much longer retention period than typical adult healthcare records.

These standards are enforced through the various accreditation bodies for healthcare providers. The sensitive nature of information held in medical records mandates high privacy standards. The Privacy Act simply strengthens the safeguards surrounding the records’ confidential information.

What constitutes a breach, and what are the penalties (fines, etc.) associated with non-compliance?

Unlike hospital accrediting bodies, HIPAA does not engage in any sort of audits, surprise or planned. Typically, a patient who reports his/her information has been exposed or a detected hack will initiate a complaint and investigation.

According to the U.S. Department of Health and Human Services, since 2003, the Office for Civil Rights (OCR) has investigated and resolved over 27,109 cases involving HIPAA-covered entities and their business associates.

When a breach is confirmed or there is a failure to notify of a breach, especially if the violation involves gross and willful negligence, severe fines are levied. The largest fine came in 2016 when OCR required Advocate Health Group to pay $5.5 million to settle multiple breaches.

Bottom line: if the records aren’t breached, nothing happens. However, providers shouldn’t let this fact lull them into a false sense of security. Accrediting bodies such as the American Hospital Association do engage in audits (both scheduled and surprise), and penalties for non-compliance include losing licensure and losing ability to file claims to be paid.

Information from accrediting bodies and regarding HIPAA violations is a matter of public record and can be found online.

How does this come into play with old records waiting to meet their retention or closing medical practices?

While abandonment itself isn’t a breach, unauthorized access (and loss) is a reportable breach. According to HIPAA Journal, unauthorized access is the second biggest cause of breaches. Therefore, legacy custodians inadvertently holding PHI need to be careful, as they are liable for any fines associated with breaches. For example, if a physician passes away and a breach occurs, the estate would be liable for any penalties or fines[1].

What burdens does juggling two systems create for healthcare providers and staff members? 

Based on what we have seen, the burden today is less than it was three years ago, because most practitioners have moved their current records to electronic. Many, however, do still maintain historic hard copy records for the duration of the retention period. Therefore, there is a financial component of storing hard copy and maintaining a cloud/EMR system. That financial hurdle is sometimes more difficult for smaller practices or physicians who are nearing retirement.

What are the risks to patient care when straddling paper and electronic records? How does this impact patient care?

Risks to or impacts on patient care come into play in more complex cases where lots of physicians and healthcare facilities are involved. The more records there are and the more types of records there are, the easier it is for something important to fall through the cracks. Many times, caregivers feel they must act as an advocate for the patient and keep their own records to ensure appropriate care is given and histories are accurately reported. The article “Paper Trails: Living and Dying With Fragmented Medical Records” illustrates the risks of these complex cases and really highlights ways those in the Record Management Industry can help.

What kinds of support do healthcare providers need to bridge the divide between hardcopy and digital?

Many healthcare providers feel that by adopting an EMR for their current records, they have checked the box, and they default to a “set it and forget it” mentality with historic records. This is a dangerous approach and could lead to a costly breach.

While the regulatory environment creates a lot of red tape for providers and those who handle EMRs, the intention – protecting patients’ sensitive data – is ultimately a good thing. However, the undeniable truth is that it places additional work on already-overburdened professionals. Our industry is well-poised to bridge this gap to relieve the stresses on healthcare providers, lessen their liabilities, and improve patient care.

Christopher Powell Jones, SRS Chief Problem Solver, has walked many healthcare clients through similar situations. He adds:

Many healthcare providers assume that a document management company will simply scan all historic records, which would be prohibitively expensive and, ultimately, unnecessary. Instead, document management companies should present creative, cost-effective solutions that solve the issues at hand, even uncover certain risks that are not immediately apparent. For instance:

  • Keeping historical records longer than their retention requirement not only takes up valuable space and costs money to store, it also makes them discoverable in a lawsuit.
  • Slides, x-rays, microfilm, and microfiche all contain PHI and must be treated the same as an EHR.
  • If paper records are not properly stored and easily accessible to provide patient care when needed, it could constitute negligence and open a practice up to a lawsuit.
  • Exposing loved ones to penalties or fines via the estate if a breach occurs involving historic records after a physician passes away.
  • Storing records onsite in non-secure space, with uncontrolled access not only opens them up to breaches, but it exposes them during natural disasters, such as a hurricane. If damaged or destroyed, the practice would be responsible for recreating every record, an extremely costly and time-consuming task.
  • The inefficiency of managing records in small volumes onsite even if the space is relatively secure. From the time spent unnecessarily scanning or using a desktop shredder to the financial cost of storing it onsite, the main issue is that it’s a management problem not a storage one.

Understanding the struggles and hurdles nurses, doctors, physical therapists, etc. face and mitigating them allows healthcare providers to focus on patient care instead of getting bogged down in administrative tasks. Those in the record management industry need to cure the illness faced by healthcare practitioners instead of simply treating the symptoms. When this occurs and a true partnership is formed, the compliance and efficiencies created result in higher quality patient care and a better working environment.

[1] Any fines would be determined by damages or risks associated with a documented breach and/if willful negligence has occurred

