2016 HIPAA Audits Part 6: HIPAA Crash
by Donna Koger, 5.12.16
Don't Let It Hit You on the Way Out
We’ll bet you don’t want to end up like the Massachusetts Ear Group who has to pay $1.5 million to resolve HIPAA regulation charges. Unfortunately, this is yet another reminder for practices, providers, clearinghouses and business associates of the necessity of proper steps to secure electronic protected health information and protect themselves by complying fully with HIPAA regulations.
HIPAA Heats Up
OCR (Office of Civil Rights) is now posting on their website names and specific information on Health Providers and other HIPAA covered entities, reporting “breaches” of unsecured protected health information (UPHI) under new rules added by the HITECH Act. It is believed the posting of breach information for the public will heighten enforcement and public sensitivities about medical privacy safeguards.
The HITECH Act amended HIPAA to require Covered Entities (CEs) to provide notification to affected individuals, OCR and others when breaches occur. Don’t end up on the website – follow established common procedures that can protect you and your practice or business.
What Do HIPAA Rules Require?
According to HHS, “The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form. See 45 CFR 164.530(c).”
What About the Disposal of PHI?
- Implement reasonable safeguards to limit prohibited uses and disclosures of PHI, including the disposal of such information. Failing to implement safeguards to protect PHI in connection with disposal could result in disclosures of PHI.
- Ensure your workforce receives training on and follows the disposal policies and procedures of the covered entity as appropriate for each workforce member.
- Covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. However, the Privacy and Security Rules do not require a particular disposal method. It is up to the individual entities to determine their best method for disposal of PHI.
Proper Disposal Methods (per HHS)
- For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
- Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
- For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
For more information on proper disposal of electronic PHI, see the HHS HIPAA Security Series 3: Security Standards – Physical Safeguards. For practical information on how to handle sanitization of PHI throughout the information life cycle, consult NIST SP 800-88, Guidelines for Media Sanitization.
Find more complimentary resources in our HIPAA Resource Center.
Part 1: What's on the Horizon?
Part 2: Into the Breach
Part 3: PHI Identifiers
Part 4: 10 Steps to Compliance
Part 5: Where's Your PHI Data?
Donna Koger is currently the HIPAA Compliance Officer and materials developer for software training and support at Smoky Mountain Information Systems, home of PIMSY EHR. Ms. Koger is also a regular contributor to the PIMSY EHR Blog.