It's only natural, then, that HIPAA compliance would overlap with processes that run throughout your practice, including some of its more business-aspects. While most physicians and practices are intuitively aware of this fact, it's worth exploring some of the specific ways HIPAA compliance and your business intersect, as well as some strategies to avoid potentially costly compliance breaches.
Protected health information (PHI) and electronic protected health information (ePHI) broadly refers to 18 forms of individually identifiable healthcare information, according to the HIPAA Journal. These include, but are not limited to, names, geographic identifiers more specific than a state, phone numbers, email addresses, medical record numbers, health insurance beneficiary numbers and other information that is routinely involved in medical billing and coding.
A basic medical record or lab result obviously qualify as PHI, because they contain at least some of this information. But, so would an email to a patient reminding them of an upcoming appointment or any other matter related to patient care. This is significant for the simple reason that an email containing PHI (which could literally just include a patient's name) sent to the incorrect email address is a breach of HIPAA compliance. In 2014, for instance, a New York health insurance subcontractor accidentally sent claims denial letters to the wrong patients, which required notifications of hundreds of individuals, the federal government and local media.
There's ultimately no way around collecting and handling PHI when providing healthcare; however, there are ways to avoid a potential HIPAA breach. For one, practices can attempt to circumvent information entry errors that can result in errant communications – and spare themselves the tedium of trying to interpret poor handwriting – by digitally registering patients through a modern practice management solution. This can occur online via a patient portal, prior to the patient setting foot in the office, or in the waiting room on a tablet or computer kiosk. Either way, the onus is on the practice to securely collect accurate patient information at the outset of the relationship.
HIPAA also restricts when practices, payers and other parties can view certain medical information. Specifically, healthcare entities cannot view any patient medical information that is unrelated to legitimate treatment, payment or business operations (TPO). MB&CC provided the example of a worker's compensation claim for a broken finger. Needlessly including that patient's history of heart disease is technically an infringement of HIPAA. While it may seem harmless, this rule exists to protect how patient data is used, and a violation could precipitate penalties. Fees for milder accidental infractions can reach as high as $50,000 per violation. Penalties for knowingly violating HIPAA regulations can reach up to $1.5 million per category, according to The HIPAA Journal.
It's also worth pointing out that HIPAA is the reason medical billing and coding functions the way it does in the U.S. Upon its passage, HIPAA also enacted the "Administrative Simplification" rule, which forced Health and Human Services (HHS) to create national standards for electronic healthcare transactions. This included the establishment of guidelines for the code sets now used in medical billing and coding, which led to the formalization of the ICD, CPT and HCPCS codes that we know and widely use today. Additionally, HIPAA established the ASC X12 005010 (HIPAA 5010) format for all electronic claims. The most basic and most common type of healthcare transaction is, unsurprisingly, the healthcare claim used by billers (your practice) to request reimbursement from payers
On the IT side of your business, any and all PHI, including billing information, clinical data, emails between patients and doctors, and other protected information involved in the healthcare lifecycle, must be protected. Additionally, practices must implement formal data backup and disaster recovery plans. These are just a few of many requirements associated with ePHI and digital healthcare technology.
And, many practices are finding that building and securely maintaining complex onsite resources are particularly daunting and, instead, are increasingly opting for cloud-based EHR and PM solutions, thus shifting the heavy lifting of IT security to more experienced and appropriately-equipped partners.
Clearly, every system that PHI touches in transit through its revenue journey must be HIPAA compliant. But it's not just the technology: simple errors made by front-desk personnel, as well as back-of-house medical billers and coders, can incur steep HIPAA fines. Everything from improper disposal of medical records to employee gossip about PHI is grounds for an investigation… and penalties.
To significantly curb the risk of a HIPAA compliance breach in your revenue lifecycle, make sure your front desk staff, billers and coders are well-versed in healthcare regulations, or at least that they're adhering to a disciplined set of practices in day-to-day operations that mitigate the risk of potential HIPAA infractions. Even better, enable them with new, electronic solutions that can further reduce the risks and increase the accuracies of the PHI they handle.
Dedicated health IT expertise is an invaluable asset to your practice in general since it tends to foster efficiencies that lead to more accurate data, faster workflows, cleaner claims and, ultimately, revenue improvements. And, where HIPAA is concerned, PHI due diligence is more than good business: It's the law.
For whole-practice solutions and services – from EHR and PM, to billing and collections – that are optimized to protect your PHI and your practice, contact the whole-practice experts at AllMeds today!