The case of Parkview Health Systems Inc. underscores the importance of proper file transfers, especially relative to the sale of a practice.

Parkview health systems Incorporated, a community based health deliver group, has cooperated with the Office of Civil Rights ( the enforcement agency for HIPAA privacy rules) in paying an $800,000 fine, agreeing to a corrective action plan, review of their policies and procedures and re-training of their workforce due to a breach reported by a retiring physician.

It appears they were assisting this physician in the process of relocating their patients, as well as potentially purchasing the doctors’ practice,  when employees of Parkview left boxes containing approximately 6000 patient files, in 71 cardboard boxes, on the doctors driveway, when the doctor was not home.

As a HIPAA covered entity Parkview is required to safeguard such records and failed to do so.

It is highly advised to take all reasonable precautions when transporting or transferring paper records.

It is not unusual to hear doctors say they believe HIPAA only applies to ‘insurance practices’ or ‘electronically stored data’ or clinics with over a certain number of employees.

All of these are false statements and physicians are encouraged to know the laws and become compliant, as the risk is just too great to ignore.

About: For more information on this topic or other HIPAA compliance questions, please contact Dr. Ty Talcott, CHPSE, at HIPAA Compliance Services –  a company dedicated to protecting healthcare professionals by producing simplified “how to” step-by-step training materials and procedures to assist doctors and clinic support personnel with establishing, maintaining and updating their HIPAA compliance program.

www.hipaacomplianceservices.com                   admin@HIPAAcomplianceservices.com                    214-437-7559

Doctors are to beware thinking there is a ‘safe harbor’, relative to HIPAA compliance, simply because they have completed a Risk Analysis. The Risk Analysis applies to HIPAA security rules, is only one piece of a very large puzzle and cannot be handled with a checklist format (per the law)!

When Dr. Ty Talcott, an attendee of the conference, was asked for comment relative to the importance of a risk analysis, he replied;

“ When you ask a carpenter to build you a new house and only hand him a hammer you have given him a critical tool that he cannot build the house without, however, he still can’t build the house in the absence of all other tools and materials needed. The Risk Analysis is like that hammer. You have to have one to build a HIPAA SECURITY RULES compliance program, but you still must have much more, such as, compliant forms, multiple audits completed, specific policies and procedures written and agreed to by staff [typically takes about 80 pages in a standard chiropractic office], an appointed compliance officer with appropriate documentation, all of the PRIVACY RULES in place- including OMNIBUS rule updates from 2013- with the new Notice of Patient Privacy Policy going to each and every new patient- with a signed acknowledgment from those patients, contingency plans -including emergency mode operations- and the list goes on.”

Due to the recent widespread publicity surrounding audits, requiring doctors to submit their risk analysis to CMS, some doctors have come to believe that once you perform this analysis you are “OK” relative to HIPAA—this is a dangerous thought process.

A concern of conference attendees is the rapid flood of different Risk Analysis documents this has brought to market from a diverse group  of equipment manufacturers and other health care vendors, etc…many times these are in a ‘check list format’ and the HIPAA law clearly states that while checklists might be a helpful tool to collect your personal data, they ARE NOT ADEQUATE OR ACCEPTABLE as a risk analysis…at times the implication is that one must have a particular companies’ Risk Analysis to be compliant and one company in Texas has been purported to state, on webinars, that you had to have your staff trained and certified via THEIR training process or you would be fined in the event of a HIPAA audit, relative to state law that supersedes HIPAA. They even implied such at their website by quoting the law and then adding verbiage- not in the law– where it appears you have to have “certified training”. However, there is no official CERTIFYING agency and no such requirement under the law (this was also a topic of discussion at the conference). The practices’ compliance officer has to document (certify) their staff has attended training , but there is no requirement relative to who performs such training. BEWARE.

Interestingly, it was the Office of Civil Rights (OCR) that had top billing (along with NIST) at the Washington D.C. HIPAA conference. OCR is the agency that enforces the HIPAA PRIVACY rules- which are separate from the security rules.

About: For more information on this topic or other HIPAA compliance questions, please contact Dr. Ty Talcott, CHPSE, at HIPAA Compliance Services –  a company dedicated to protecting healthcare professionals by producing simplified “how to” step-by-step training materials and procedures to assist doctors and clinic support personnel with establishing, maintaining and updating their HIPAA compliance program.

Winter 2014: theft from a clinic, of an unencrypted thumb drive, leading to a breach of patient health information, may have actually avoided fines-however-a $150,000 fine was issued by Health and Human Services, the Office of Civil Rights (the enforcement agency for HIPAA privacy rules) , because the clinic did not have a written policy for breach notification to individuals and government agencies.

This lack of policy, combined with a lack of documentation to show that staff had been trained and agreed to abide by such policy, resulted in a massive fine-the first of its kind- showing that enforcement will now occur relative to a lack of policies in a clinic/healthcare office!

There are approximately 35 to 50 written security policies (depending on how they might be combined together) that the typical chiropractic office is required to have in place relative to HIPAA. Since CMS (the agency charged with enforcing HIPAA security rules-as well as Medicare law) states that the majority of compliance with security rules ‘lies in having appropriate written, documented, trained and agreed to security policies’, it is critical to have those in place.

If you have been lagging behind in this regard, it is time to get caught up as enforcement in all areas of compliance has increased in leaps and bounds over the last two years and shows no signs of slowing!

About: For more information on this topic or other HIPAA compliance questions, please contact Dr. Ty Talcott, CHPSE, at HIPAA Compliance Services –  a company dedicated to protecting healthcare professionals by producing simplified “how to” step-by-step training materials and procedures to assist doctors and clinic support personnel with establishing, maintaining and updating their HIPAA compliance program.

Actions included revocation of billing privileges, implementation of prepayment reviews, referral to law enforcement and suspension of payments.

CMS states they discovered/prevented more than $210,000,000.00  of improper Medicare ‘fee for service’ payments with their new ‘state of the art’ fraud prevention system. This equates to double that of last year and proves to them the efficacy of increasing utilization in the future.

One highly publicized case, known to many chiropractors, was a group practice identified as a ‘high risk for inappropriate billing’. They were surprised by an unannounced site visit that showed the aides were not qualified to deliver services.

They removed the doctor from the Medicare program and prevented $700,000 of Medicare payment from being honored.

Most actions against chiropractors are relative to the physician not releasing the patient from active care when active care can no longer be justified via appropriate documentation. Remember, patients are to be issued an ABN form and released from active care when such can no longer be documented to Medicare’s standard. This standard has nothing to do with a chiropractic definition of “maintenance care”.

All practitioners are required to understand the proper use of an ABN form and audit such, with an appropriate audit tool, annually-at a minimum. Action steps should be taken to remedy deficiencies.

About: For more information on proper use of ABN forms/audits or HIPAA compliance questions, please contact Dr. Ty Talcott, CHPSE, at HIPAA Compliance Services –  a company dedicated to protecting healthcare professionals by producing simplified “how to” step-by-step training materials and procedures to assist doctors and clinic support personnel with establishing, maintaining and updating their HIPAA compliance program.

 Laptops must be physically anchored!

April 2014, the Office of Civil Rights announced stolen laptops resulted in $1.9 million in settlements.

Laptops stolen from inside facilities and automobiles, resulted in $1.9 million of collected HIPAA fines over the last few months.

It is not enough to have the PHI on your laptop computer protected, you must have the laptop physically secured while inside a building or locked in the trunk of an automobile! There are special laptop ‘clamps’ the anchor laptops to a stationary surface.

One physical therapy center had identified the threat in their risk analysis and had failed to correct it over an extended period of time resulting in substantial additional fines.

These actions also resulted in requirements for covered entities (emphasis on health care practices) to perform NEW risk analysis and submit NEW risk management plans, thus underlining the importance of performing and documenting  a HIPAA compliant risk analysis in all clinics.

It is highly advised that all clinics immediately perform a risk analysis, that meets the HIPAA standards, to avoid several new and old threats that exist due to compliance law.

About: For more information on this topic or other HIPAA compliance questions, please contact Dr. Ty Talcott, CHPSE, at HIPAA Compliance Services –  a company dedicated to protecting healthcare professionals by producing simplified “how to” step-by-step training materials and procedures to enable clinic support personnel to implement and manage a HIPAA compliance program.

Office of Civil Rights statistical study shows only two of 61 clinics have met minimum HIPAA compliance standards.

Indicates government audits will produce major revenue through the issuance of fines.

The new HIPAA threats (as of January 2014), meaningful use/attestation checks being ‘taken back’, revoked or not issued, “willful neglect” being enforced, the passing of Omnibus rules deadlines, increased regulatory enforcement and Medicare announcing funding to investigate chiropractors’ billing practices under criminal fraud statutes are all catching doctors off guard.

With the new vigorous enforcement of “willful neglect” (defined by HIPAA as; “that which the doctor knew or should have known, and did not do.”) most doctors are at risk for a minimum of a $50,000 -$250,000 nonnegotiable fine (the fines can go to $1.5 million in some instances). Recently these fines have been producing large revenues for the government.

Massive breaches of supposedly secured identity and patient health information-such as the one that occurred relative to Target stores at Christmas time and more recently Google and others, have the public in an outrage and the government scrambling to use every agency it has to protect private information! It is advised that physicians take all steps possible to become compliant.

About: For more information on this topic or other HIPAA compliance questions, please contact Dr. Ty Talcott, CHPSE, at HIPAA Compliance Services – a company dedicated to protecting healthcare professionals by producing simplified “how to” step-by-step training materials and procedures to assist doctors and clinic support personnel with establishing, maintaining and updating their HIPAA compliance program. 

We have taken on the mission to help associations get critical HIPAA/Medicare compliance information to their members. I have provided a few suggestions below.

One thing we have done, to that end, was have an article published that appears on the front page of the Texas Chiropractic Association Journal. You can view the article, that includes information relative to HIPAA compliance fines, at

http://journal.chirotexas.org/

Recently, we were teaching HIPAA compliance for license renewal at the Minnesota Chiropractic Association, we discovered how little chiropractors know about our profession being TARGETED THIS YEAR and what they need to do to protect themselves from HIPAA compliance fines … most clinics are not even doing minimal requirements, that have existed for years, much less have an awareness of 2011/2012 changes.

HIPAA compliance fines and prosecution are now a very high level threat to the chiropractic profession. Even the talk of eliminating chiropractors altogether from Medicare has appeared on the front pages of our industry magazines, etc..…. failure to do all we can to protect the profession will have a tremendous negative impact upon the doctors and those who provide services to chiropractors- including their associations!

These issues need to be aggressively addressed NOW!

If you are an association reading this—One thing I would highly recommend is that you review our brand new association support and member discount program at

https://www.hipaacomplianceservices.com/?page_id=272

under the tab State Association Program.

It is a FREE service and all we need is your permission to list your association as a participant and your members will get a discount on HIPAA training materials and 10% of any purchase they make will go to your association. Everyone wins!