The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Clinical and Economic Health (HITECH) are the two major regulations that determine how compliance is conducted in the healthcare industry. HITECH has increased the enforcement of HIPAA’s somewhat dated data security provisions. HITECH has also promoted the use of electronic health records by providing funding to healthcare providers through the Office of the National Coordinator at the Dept. of Health & Human Services (HHS), and through Medicare and Medicaid incentives. It is all part of a larger push that was started in 2010, to allow for secure data sharing and privacy protection among providers, insurers, and patients.
The shift from paper-based record keeping to digital records has been happening across all industries, but there has been a real focus and effort in US healthcare to develop a health information technology system that all medical offices can access. From the Rand Corporation in 2009: “After 15 years, the nationwide adoption of electronic medical records and of networking among health care providers could save more than $77 billion each year in terms of efficiency alone.” The savings would come from eliminating losses due to waste and the costs associated with lost or leaked patient information.
However, after seven years, paper forms remain and many medical offices have had difficulty adopting this paperless system, especially individual providers. In 2016, 62% of physicians had demonstrated meaningful use of the health information technology system, known as Certified Health IT, according to the Office of the National Coordinator for Health Information Technology. “Meaningful Use” is a standard for measuring how effectively healthcare providers are implementing Certified Health IT. There are three stages of implementation that can be categorized as demonstrating meaningful use. Hospitals have had much greater overall success adopting Certified Health IT than individual providers. When HITECH was passed in 2010, the goal was that everyone would have an electronic health record by 2015. If all the medical offices in the country could deploy Certified Health IT and implement the standards associated with it, they would greatly reduce their paper output and streamline many of their compliance issues. However, it is still unlikely that most offices will be able to go entirely paperless, at least not anytime soon. Since this is the case, medical offices still need to follow the HIPAA Privacy Rule the old-fashioned way, which is to say the way it was issued back in 1996 by the HHS. In other words, they must shred or destroy all confidential information.
Below is a list of 10 things healthcare providers and patients should keep in mind regarding compliance and the proper maintenance and disposal of patient information:
- Medical identity theft is real.
It occurs when someone uses another’s name and insurance information to receive medical treatment or prescriptions. It also happens in-house with dishonest healthcare workers taking or selling confidential patient information (FTC).
- Medical identity theft is usually part of a larger identity theft scheme.
It doesn’t take much to assume someone’s identity, especially when so many private forms are automated. There is a lot of information in a person’s medical file beyond health and insurance, like social security numbers, addresses, and banking information.
- There are mandatory fines for HIPAA violations.
If a healthcare provider is found to have not properly destroyed a patient’s information before discarding it, they are going to have to pay a fine, ranging between $10,000.00 and $50,000.00 if the error is not corrected in a timely manner (hawleytroxwell.com).
- Penalty limits for improper disposal of private patient information were raised 600% in 2010.
With the implementation of HITECH, the penalty limit increased from $25,000.00 to $1,500,000.00 in cases of willful neglect (properphidisposal.com).
- There are different rules for patient record retention for individual healthcare providers and hospitals.
Individual healthcare providers have to keep patient files for seven years after a patient’s last visit before destroying them. If the patient dies, they can get rid of them in three years. Hospitals must keep them on file for 25 years after a patient’s discharge. They can destroy them sooner than that if they microfilm or digitize them properly (OLR Research Report).
- Each state has different laws related to how much medical providers can charge for supplying copies of medical records.
Most providers follow what would be reasonable rates for the clerical work, copying, and postage. Again, the rates that can be charged for these records vary depending on whether the records are coming from an individual provider or from a hospital (nosscr.org).
- Healthcare providers have to produce a patient’s medical records if asked, even if the patients haven’t paid for the health services they received.
Even if there is an outstanding balance, medical providers are required by law to mail the records within 30 days (hhs.gov).
- Mental health professionals’ patient notes are to be kept separate from medical and billing records.
They are not allowed to make disclosures about psychotherapy notes without the patient’s consent or unless responding to a subpoena (apa.org).
- Mental health professionals are not necessarily beholden to HIPAA, and the amount of time they are required to maintain patient records varies state by state.
For example, Illinois has no record keeping law, while Pennsylvania psychologists are required to keep patient files for 5 years after last contact (apapractiecentral.org).
- What exactly in these medical records are healthcare providers responsible for?
What healthcare providers are responsible for is called Protected Health Information. This refers to individually identifiable health information that is transmitted or maintained in any form or medium, whether electronic or paper. Simply put, healthcare providers are responsible for anything that can identify a patient (law.cornell.edu).