HEAD OFF Front Desk HIPAA · Inside this executive report, Head Off HIPAA Front Desk Nightmares,...

Head Off Front Desk HIPAA Nightmares

Protect Yourself and Your Practice from Falling Victim to the Most Common HIPAA Violations

Healthcare Training Leader



© Healthcare Training Leader. Head Off Front Desk HIPAA Nightmares Executive Report 2019 is published by Healthcare Training Leader, a division of Must Have Info, Inc. Reproduction or further distribution by any means, beyond the paid customer, is strictly forbidden without written consent of Training Leader, including photocopying and digital, electronic, and/or Web distribution, dissemination, storage, or retrieval.

Expert Report Contributor: Jay Hodes, President, Colington Consulting

President/Publisher: Samantha Saldukas • Vice President: Lacy Gaskins

Editor: Margaret A. Kavanagh

© Healthcare Training Leader All Rights Reserved. 2019

2277 Trade Center Way, Suite 101, Naples, FL 34109

Phone: 800-767-1181 • Fax: 800-767-9706

E-mail: [email protected] • Web: www.hctrainingleader.com

This report is an independent publication of Healthcare Training Leader. It is not endorsed nor has it any official connection with any other organization, insurance carrier, vendor, association, government agency or company. Reasonable attempts have been made to provide accurate content. However, of necessity, cited examples and advice given in a national report such as this must be general in nature and may not apply to a particular case or state. Neither the publisher, editors, board members, contributors, nor consultants warrant or guarantee that the information contained herein on compliance will be applicable or appropriate in any particular situation.

Head Off Front Desk HIPAA Nightmares. Published by Healthcare Training Leader, 800-767-1181, www.hctrainingleader.com


About Your Expert Contributor

Jay Hodes, President, Colington Consulting, HIPAA Compliance Services

As the former Assistant Inspector General for Investigations at the U.S. Department of Health and Human Services, Jay is a leading expert in HIPAA and regulatory compliance.

Jay is President of Colington Consulting, a company that provides HIPAA consulting services to healthcare professionals across the country. He prides himself on breaking down the complexities of HIPAA to help practices comply more easily and effectively. Jay has more than 30 years of combined experience in risk assessments, regulatory compliance, policy and procedures assessments, and federal law enforcement management.

Jay is a member of the American Institute of Healthcare Compliance, Health Care Compliance Association, Healthcare Information & Management Systems Society, American Society for Industrial Security, the Practice Management Association of Northern Virginia, Health Technology Forum-Washington, D.C., and the Health and Medical Technology Innovation Roundtable at George Mason University.

Jay is a much sought-after speaker and expert regarding HIPAA compliance and patient privacy. He has published more than 60 educational articles regarding HIPAA compliance in national newsletters and magazines. He also regularly speaks at industry events to help practices understand and improve their HIPAA compliance.


Letter From the Expert

Dear colleague,

With record amounts of penalties being imposed for HIPAA violations, making sure your front desk staff understands what can get your practice into trouble is more important than ever.

How your front desk team handles its everyday duties, interacts with your patients, and protects their privacy could be grounds for a complaint to be made against your practice. This can drive a HIPAA investigation, leading to a mandate of corrective actions and the possibility of hefty penalties and fines for you to pay.

Inside this executive report, Head Off HIPAA Front Desk Nightmares, you’ll find a wealth of easy-to-implement tactics you can use to protect your practice from HIPAA violations generated at your front desk. The actionable tactics and tools inside will help you identify front desk HIPAA violations before they turn into big problems. Our goal in producing this report is to help you keep your patients happy, your office compliant, and you out of hot water with state and federal enforcement agencies.

By utilizing this report, you’ll be able to protect yourself, your employees and your practice without spending weeks — or months — sifting through the regulations yourself.

Thank you for your order, and we hope you find this report useful in protecting your practice.

Best regards,

Jay Hodes


Table of Contents

About Your Expert Contributor ... ii
Letter From the Expert ... iii
Your Best Defense Against HIPAA Violations ... 1
  Remedy: Get Ready, Get Prepared ... 3
Protect Against Health Information Danger Zones ... 5
  18 HIPAA Privacy Danger Zones to Watch For ... 7
Prevention Halts Costly Check-In Violations ... 9
  Check-In Role Play Training Scenarios ... 11
Sign-In Sheet Security Solutions That Work ... 15
Avoid Top Notice of Privacy Practices Pitfalls ... 21
  Create and Use Your NPP Correctly ... 21
  Notice of Privacy Policy Compliance Checklist ... 25
Help Your Release of Information Form Protect You ... 27
  Beyond the Authorization Disclosure Form Itself ... 28
  Release Form Training Scenario ... 30
How to Avoid Payment Opt-Out Complications ... 33
Sidestep Patient Communication Problems ... 35
  Voicemail/Non-Patient Communication ... 35
  Avoid Faxing Missteps ... 39
  Keeping Email PHI Secure ... 42
  Protecting Other Types of Electronic Devices ... 43
  Encryption Checklist ... 44
Steer Clear of Social Networking Compliance Traps ... 45
Plug Up Dangerous Information Privacy Leaks ... 47
  Overheard Conversations ... 47


  Protect Your Computer Screen ... 50
  Don’t Let Investigators Find More than Trash in Your Garbage ... 52
  Don’t Be Shamed by Your Wall of Fame ... 54
  Stick with the Minimum Necessary to Get the Job Done ... 54
  Permitted vs. Authorized Uses and Disclosures ... 56
Cut Your Liability for Business Associate HIPAA Blunder ... 57
  Business Associate Agreements (BAAs) ... 58
  Differentiating Vendor Types ... 58
  BA Management Tips ... 59
  Business Associate Type Examples ... 60
Protect Yourself Against a Costly Data Breach ... 61
  Get Started Identifying Risks ... 62
  Head Off HIPAA Front Desk Nightmares Checklist ... 67
Front Desk HIPAA Forms and Checklists Library ... L-1
  Table of Contents ... L-1
  Data Encryption Checklist ... L-2
  Sample Portable Asset Inventory Tracking Sheet ... L-4
  Destruction of Patient PHI Policy ... L-5
  Sample HIPAA Release of Information Authorization Form ... L-6
  Sample Privacy Policy ... L-8
  Sample Request to Opt-Out of Using Contracted Insurance ... L-11
  Sample Notice of Privacy Practices ... L-12
  Sample 2-Up Sign-in Card ... L-18
  Sample Front Desk Secure Station Checklist ... L-19
  Sample Use of Social Media Policy ... L-20
  Sample Authorized Disclosure Consent Form ... L-23
  Sample Business Associate Agreement ... L-24
  Sample Front Desk Risk Assessment Checklist ... L-29
  Sample Workstation Use Policy ... L-30
  Sample Mobile Device Policy for Acceptable Use ... L-32
  Sample Employee Confidentiality Agreement ... L-35


  Sample Disaster Recovery Plan (DRP) ... L-36
  Sample Contingency Plan Form ... L-40
  Sample Media Disposal and Re-Use Policy ... L-46
Resources ... L-49
HIPAA-Related Acronyms and Definitions ... L-51
Index ... Index-I


Your Best Defense Against HIPAA Violations

Your practice, just like any other, can be investigated for a Health Insurance Portability and Accountability Act (HIPAA) violation. Don’t make the mistake of thinking this can’t happen to you. It doesn’t matter how many providers you have, the number of patients you treat, your specialty, or where you are located. If you don’t have the proper safeguards in place and a patient’s Protected Health Information (PHI) breach occurs at your front desk, there is a good chance you will be the subject of an investigation. Period.

In a nutshell, HIPAA safeguards your patients’ sensitive information that you are charged with protecting. Many practices don’t realize that your front desk can be a serious HIPAA liability. Due to the front desk’s direct contact with patients and personal patient information, HIPAA errors at your front desk can get you investigated, and that can be a nightmare.

If a HIPAA violation is identified during an investigation, you can face stiff penalties and fines, unwanted negative press that tarnishes your reputation, and even criminal charges. In addition, if your error affects a large number of your patients, you can be hit with lawsuits filed by your patients for breaches of their personal information.

So, why would an investigator want to investigate YOUR practice?

The simple answer is that a violation occurred, and it was reported. Patient complaints are the number one driver of HIPAA audits, and it takes just one patient to be unhappy and to make a complaint for you to get audited. If this happens, the Health and Human Services’ (HHS) Office for Civil Rights (OCR), the agency that enforces HIPAA, will review your compliance program and check for deficiencies. The result could range from recommended corrective actions to penalties and even criminal prosecution. Specifically, being found guilty of a HIPAA violation can lead to a variety of punishments, including:

• Fines of $100 to $50,000 per violation

• Maximum penalties of $1.5 million for each violation (penalties exceed that amount in some cases)

• Personal liability for both you and your staff (many staff members will not realize that they can be fined personally, too)

• Civil penalties and enormous legal fees (if you are taken to court)

According to a 2019 OCR press release, the agency warned that they had,

“... an all-time record year in Health Insurance Portability and Accountability Act (HIPAA) enforcement activity. In 2018, OCR settled cases granted summary judgments in cases totaling $28.7 million from enforcement actions. This total surpassed the previous record of $23.5 million from 2016 by 22 percent.”

Think about it: If the OCR is collecting this kind of money annually from HIPAA violations, you can bet they’ll be stepping up their investigations. This means there is still a high level of continued enforcement, and not having the proper safeguards in place is one of your highest risk areas.

The good news is that by making the changes recommended in this report, you can improve your overall patient satisfaction and greatly reduce your chances of being investigated for a front desk HIPAA violation. In fact, with a little effort, your front desk staff can be your best defense against HIPAA violations, investigations, and penalties.

More HIPAA Violation Consequences

Should you be found guilty of a HIPAA violation, you and EVERY MEMBER OF YOUR STAFF can be individually held accountable for their part. The name of your practice can be published in a database of violators online for everyone (including prospective patients) to see. Depending on the severity of the violation, there is a chance you could also be investigated by your State Attorney General’s office.


Remedy: Get Ready, Get Prepared

The best way to avoid an audit related to a HIPAA error or breach occurring at your front desk — and the violations and penalties that can result — is to BE PREPARED. The actions outlined in this report will provide you with the steps necessary to prepare and protect yourself and your practice by removing the HIPAA danger zones lurking at your front desk. The good news is that it isn’t difficult to take these security measures — but they do require your commitment. Here are just a few of the proven front desk HIPAA protection strategies you’ll receive from this report:

• Better identify your front desk HIPAA violation danger zones.

• Uncover critical areas where potential breaches of PHI can exist in your check-in and check-out processes before they get you into trouble.

• Train your entire team to head off the most common front desk HIPAA phone risks.

• Help your front desk more clearly identify those vendors who are considered Business Associates (BA).

• Make sure your team knows which BA must sign a Business Associate Agreement (BAA) and which ones don’t.

• Conduct a Security Risk Assessment of your reception area and related processes to identify hidden risk factors that could land you in HIPAA hot water.

• Develop and implement comprehensive HIPAA policies and procedures at your front desk and your practice that will stand up to government scrutiny.

• And much more …

Unless the release of your patients’ PHI is essential to their care, the situations that justify communicating data without a patient’s authorization are limited. Although this is true for your entire practice, your front desk is especially at risk. All staff in your reception area need to remember that confidentiality starts when they say, “Hello,” to a patient for the first time and continues even after a patient is deceased.

All of your patients have the right to confidential care. HIPAA is designed to give your patients confidence that you will keep their PHI secure. And, as you know, stiff penalties punish violators and help ensure your compliance.

Even though most practices that are found guilty of HIPAA violations don’t intentionally do something wrong, it’s typically the lack of internal controls that gets them in trouble. The two largest categories of HIPAA violations include the following:

1. Hacking and IT incidents (41%): Such as ransomware attacks, network intrusions, and not securing data backups.

2. Unauthorized access and disclosures (41%): This includes not terminating network access when employees leave or are fired and impermissible disclosures of patients’ PHI by staff members.

It’s impossible for you to head off every possible breach of your patients’ PHI. However, focusing on tightening your management controls at your front desk can significantly reduce your exposure and improve your HIPAA compliance. Your implementation of strong HIPAA controls and training is what the OCR looks for during an investigation. The absence of these controls and related trainings at your front desk can put your practice at serious risk.


Protect Against Health Information Danger Zones

So, how do you get started protecting your front desk from HIPAA violations?

You begin by making sure that your entire front desk team knows your key HIPAA danger zones inside and out. This allows your staff to identify potential HIPAA problem areas before they become a problem.

OCR has made it very clear that ignorance is NO EXCUSE and is not a defense against related consequences.

The bottom line is, you must protect EVERY piece of information that can identify your patients. That means having a very thorough understanding of what OCR investigators will search for when they are in your practice looking for violations. There are two important terms to keep in mind:

1. Protected Health Information (PHI): The HIPAA Privacy Rule protects all “individually identifiable health information” held or transmitted by a Covered Entity (this is a fancy term for your practice) or its Business Associates (vendors with access to your PHI in any form or media, whether electronic, paper, or oral). The Privacy Rule calls this information Protected Health Information or PHI.

2. Individually Identifiable Health Information (IIHI): Includes common identifiers such as a patient’s name, address, birth date, or Social Security Number. Information and demographic data that relates to:

– the individual’s past, present or future physical or mental health or condition,

– the provision of healthcare to the individual, or the past, present, or future payment for the provision of healthcare to the individual, and

– that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.

TIP: To comply with HIPAA regulations, you must designate someone at your office to be the HIPAA Security and Privacy Official. The same person can serve as both and it certainly can be a collateral duty. Also, it gives everyone in your office someone they can go to should they have HIPAA-related questions, problems, or complaints.

There are 18 types of IIHI danger zones. It is imperative that your front desk staff know this list and always watches out for situations that will lead to a breach. However, with so many different pieces of information, adequately protecting them all can be a significant challenge.

NOTE: See a complete list of all 18 types of IIHI on the adjacent page.

The trick to implementing HIPAA protection strategies at your front desk is to group the danger zones around normal tasks. Doing this will allow you and your front desk staff to spot potential risk areas and take corrective action faster and easier than ever before.

To group your practice’s front desk HIPAA danger zones, start by listing all areas where your patients’ IIHI can be breached. Then, separate the items into categories.

Here is an example of what a partial list might look like:

Check-in

– Sign-in sheet

– Location

– Overhearing

Release forms

– Specificity

– Approval

Patient communication

– Leaving appt. messages

– Pictures of patients on the wall


18 HIPAA Privacy Danger Zones to Watch For

Make HIPAA front desk compliance easier by laminating and posting this list where your entire front desk staff can see it. It’s imperative that your whole team be on the lookout for each of these privacy danger zones and report them immediately if they occur.

1. Patient names

2. Address: all geographic subdivisions smaller than a state, including street address, city, county, and ZIP code.

3. All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89).

4. Telephone numbers

5. Fax numbers

6. Email addresses

7. Social Security numbers

8. Medical record numbers

9. Health plan beneficiary numbers

10. Account numbers

11. Certificate/license numbers

12. Vehicle identifiers and serial numbers, including license plate numbers

13. Device identifiers and serial numbers

14. Web Universal Resource Locators (URLs)

15. Internet Protocol (IP) address numbers

16. Biometric identifiers, including finger and voice prints

17. Full-face photographic images and any comparable images

18. Any other unique identifying number, characteristic, or code


Prevention Halts Costly Check-In Violations

Each time one of your patients checks in, his or her personal information has an increased potential of being seen or overheard by someone else in your reception area. However, being aware of this increased risk and setting up preventive actions means you can head off HIPAA violations at check-in before they occur.

DANGER ZONES: Most medical practice reception check-in areas are located in or close to patient waiting rooms. Accordingly, because of the increased traffic in these locations, the chances of your front desk staff committing a HIPAA violation skyrocket. Your front desk team may be handing out or receiving patient paperwork, answering patient questions, talking on the phone, completing patient documents, or discussing a patient with a staff member. If any of these things lead to someone who isn’t authorized hearing or seeing your patients’ PHI, you’ve committed a potentially costly HIPAA violation.

This commonly includes data such as new patient or updated patient information, insurance verification, reasons for the visit, referrals, etc. Your front desk staff must gather all of this information, provide instructions about what will happen next, and do so in a way that is HIPAA-compliant. Otherwise, you risk significant violation consequences for your practice.

SOLUTIONS: It’s important that your front desk staff receive very specific training on exactly how you’d like them to respond to HIPAA issues. Just letting them figure things out on their own increases your risk exponentially. The ONLY way for you to be sure that your reception team is handling patient communications and interactions correctly is to train them and follow up to ensure they are applying the training accurately.

A great way to train your staff is through role-playing. Here are steps to help you run through the process:

1. Staff involvement: Get together with your front desk team and encourage them to come up with potential HIPAA-breach scenarios based on their experiences at your practice. You may need to “seed” the conversation, so come prepared with some examples you can use to get people talking.

2. Grouping: Separate your team into groups for the role-playing exercises. The size of the group depends on the size of your teams. Give each group time to run through their HIPAA scenarios. During this time they should discuss how they believe the situation should be handled. One at a time, have each group role-play their scenarios in front of other groups.

3. Team critique: Once each individual scenario has been acted out and is complete, let the front desk staff that have watched the role-play discuss their thoughts. The goal is to get your team to comment on whether they believe the situation was HIPAA-compliant, what the actors did well, and what they must improve in the future. Use the role-play critique as the foundation for a discussion with your entire group about how to ensure they are compliant with HIPAA regulations.

4. Recognition: Finally, regardless of whether the skits are compliant, take time to compliment your team and their involvement in the process. You want them to walk away with a positive impression of the process.

IMPORTANT: Don’t fall into the trap of only training new front desk team members on HIPAA compliance. You should train with your entire team (new and old staff) several times a year. This will keep the topic of front desk HIPAA compliance fresh and on everyone’s radar.

It is imperative (and required) that you document these and other HIPAA trainings. Each time you complete a training session, add an entry to a training log. At a minimum, you should document the date and time of the training, specifically what was covered, who attended, and the results. If desired, as added proof of the training, you can choose to have all participants (even you) sign the sheets stating that they attended and what was discussed.

Once completed, your HIPAA compliance training log should be kept in a binder that you can easily access should you fall prey to a HIPAA investigation. This provides HIPAA investigators evidence that you are regularly working to keep your front team compliant and your patients’ PHI protected.

Below, you’ll find an example of a common front desk check-in role-play scenario associated with a specific HIPAA risk area and how to handle it. Use this as a foundation to develop your own role-play scenarios with your team.

Check-In Role Play Training Scenarios

Below you’ll find a scenario and two different situations associated with it. This scenario is going to be the basis for a role-playing exercise for your front desk team. The goal is to get them thinking and talking about HIPAA.

How you structure your role playing will depend on the size of your team. If you have a large number of front desk staff, it might be best to ask for volunteers. The remainder of your staff can watch. However, if you have a small front desk team, divide them into two groups and give each group a different situation to role play.

Once you’ve decided how you are going to structure the role-playing, sit down with your entire team and read through the scenario below. Then, break up your team based on the structure you decide upon, and give them 5 minutes to discuss how they’re going to conduct their role-play.

After both role-play situations have been acted out, sit down with your entire team and get their thoughts on what HIPAA risks they have seen. Then ask them for their comments, using the risk areas they’ve identified as a guide for additional role play and conversation.


Front Desk Role-Play Scenario:

The front desk staff at a busy practice are charged with confirming the accuracy of each patient’s information on file. Not having accurate information in your file can be a problem and pose a possible HIPAA violation. For example, if you depend on the information from the patient file and it is incorrect, you could end up leaving a phone message at the wrong number or mailing personal information to the wrong address.

While the front desk team is responsible for updating patient information, their supervisor has not given them clear instructions on how specifically to do this. Accordingly, to accomplish their goal, the staff decide to ask each patient as they check in, “Has anything changed?”

SITUATION #1: A patient who has not been to your office in nearly a year responds to the above question by saying, “Nope. Everything’s the same since last time.”

Result: Although your patient said that everything is accurate, and nothing has changed, in their file this may not be the case. The problem is that the question asked is entirely too broad and unfocused to ensure an accurate response. Your patient might not have moved in the last year, but he or she could have a new insurance number. Or, what if he or she moved right after the last appointment with you and thought he or she had given you the new address?

SITUATION #2: A patient responds to your inquiry about personal information by loudly reciting name, new employer, new health insurance carrier, and the insurance policy number to your front desk person, who then enters this information into your computer system. Your reception area is full of patients in addition to the one checking in.

Result: The patient recites multiple pieces of personal information out loud at your front desk, so everyone in the waiting room can hear. This could easily be considered a HIPAA violation.


SOLUTIONS: There are a variety of ways these situations could have been handled to prevent the disclosure of patient PHI. Use these talking points as you discuss this role-play exercise with your staff:

a. Set standards: In the scenarios above, the staff were not instructed how to specifically ask for updated information. Instead, they used their best judgment. But each person may have a different view of the correct way to handle the issue. Setting standards is the only way to ensure compliance.

b. Be specific: When providing guidelines to your front desk team, be specific. For example, instead of letting the team choose to ask, “Has anything changed?” coach them on how and why to ask a focused question. They could instead say, “We need to verify that we have your current information on file. May I make a copy of your driver’s license and insurance ID card to update our records?” If the patient claims that the information is the same as last time, they can say, “We like to check just to be sure, so our records are up to date.” Your front desk team can also explain that it’s their responsibility to check each time. Asking for a copy of the license and insurance card also keeps patients from reciting their personal information out loud, and it catches updates the patient forgot to give you.

c. Printouts: Your front desk staff can also be coached to hand each patient a printout of the information you have on file (along with a clipboard and pen) and ask them to update anything that has changed. Once again, this stops the patient from giving his or her information to you verbally and lets them review all of the information while waiting for the appointment.

WARNING: Keep a close eye on these printouts. If your patient leaves the information at the reception desk, face up, and another patient ends up reading it, you’ll have another potential violation.

Bottom line, you must clearly train your staff on how you want them to handle potential breaches. Otherwise, you won’t know if your patient PHI is protected.


Sign-In Sheet Security Solutions That Work

If you use a sign-in sheet during your check-in process, it can cause significant risk to your patients’ PHI. Whether your sign-in document is paper or electronic, sign-in sheets are HIPAA disasters waiting to happen — if not handled properly.

The biggest issue is that your sign-in sheet can make it easy for patients to see each other’s information. In many instances, everyone who signs in on a paper sheet can see whatever previous patients have written on the sheet, as well. This can also be a problem for electronic sign-ins. If your electronic sign-in is not in a private area, other patients may see personal information as it is typed in.

Another risk is asking your patients to include additional information on your sign-in sheet, such as the physician’s name or the reason for the visit. Although it may seem like no big deal and it makes your life a little easier when checking patients in, it could open you up to an additional set of HIPAA breaches.

WARNING: If you are found guilty of a HIPAA violation based on your sign-in sheet, it may be applied to ALL of your patients. You could get hit with a separate privacy breach for each patient that has signed in over a period of days or weeks. That means a separate penalty for each, too. These fines can add up to HUGE monetary penalties, which could cripple your practice.

Here are several solutions to help you improve your sign-in sheet processes to reduce your chances of disclosing patient PHI:

– Digital: Although digital sign-in sheets won’t completely eliminate your risk, they can be a simple way of significantly reducing it.


Electronic Health Record (EHR) software systems increasingly include digital sign-in sheets. Some of these systems have patient kiosks or iPads as options. Again, these don’t completely mitigate your liability, but they certainly can help. For example, if your sign-in kiosk is in a high-traffic area, visitors could look over a patient’s shoulder and read his or her private information. To avoid these issues, kiosks should be placed in a private corner of your waiting room, or in a separate room. This will help make patients’ PHI less visible to other people coming into your practice. Kiosks can also help cut down on the time your front desk staff spends with patients during check-in, freeing them up for other duties.

– Sign-in cards: When your patients arrive, try having them fill out an individual sign-in card instead of a sign-in sheet at your front check-in area. Sign-in cards are inexpensive to make and help remove the chance of a breach of patient information — if they are managed correctly. For example, handing out sign-in cards can be extremely dangerous to your HIPAA compliance if you don’t keep track of them. These cards will most likely contain PHI and you need to properly safeguard them until they can be shredded.

Sample Patient Sign-in Card

Thank You for Choosing ABC Family Medicine

To help ensure the privacy of your personal information, please complete this card and hand it to someone at our front desk. Please print your information.

Name:_________________________________________________________

Date:____________________

Time of Arrival: ___________ [ ] am [ ] pm

Time of Appointment: ______ [ ] am [ ] pm

You are Here to See (Provider name):_________________________________

If you’ve changed your address or insurance within the last year, please include your driver’s license and insurance card when you hand in this completed card.

IMPORTANT: Please do NOT leave your completed card unattended at the desk. If no one is at the desk when you try to hand it in, someone will be back soon to accept it from you personally.

To create your sign-in cards, try using brightly colored card stock (available from any office supply store) to make them easy to spot. Then, in a program such as Microsoft Word, set up your cards so that several print on one sheet of paper. A sample card appears in the box above to help you design your own.

SAMPLE FORM: You can find a 2-up Sign-In Sample Card on page L-18 in the HIPAA Forms and Tools Library at the back of the book.

Once your sign-in cards are complete, put them in a pile at your front desk, and be sure to include a sign next to them that says something like:

“Welcome to our practice. To help us get you in to see the doctor quickly, please take a card and fill it out. Once completed, please hand it to someone at our front desk. If you have any questions, please let us know. Thank You. (IMPORTANT: Do not leave your completed card unattended.)”

Your sign-in cards can contain as little or as much information as you’d like. The advantage is that no other patient sees what is written, as long as the card stays with the patient until a member of your staff takes it. Once your patient returns the card to a member of your staff, the information can be entered directly into your computer. Then the card should be immediately shredded.

Another option to collect patient sign-in cards is to have a secure box at your check-in desk. This reduces the chance that a patient will leave a completed sign-in card face up at your reception desk for all to see. However, be sure that the box is emptied out regularly. It would be a customer service disaster to leave completed cards in the box for any length of time. Also, to prevent patients from seeing the information in the box, it should be secured, and NOT be see-through.

WARNING: Sign-in cards certainly reduce your risk, but only if your front desk team is trained to use them correctly. They can still be a HIPAA disaster if your patients hand in their completed card to someone at your front desk and they leave it face-up on their desk for everyone to see. It’s even worse if your front desk is unattended while completed cards accumulate. You must foresee all possible breaches before you put any new process in place. Remember, it is ultimately your responsibility — not your patients’ — to keep their information protected while they are in your care.

– Paper: If you choose to continue using a paper sign-in sheet, think carefully about what information you ask patients to fill in. Keep in mind that what’s “safe” on your sign-in sheet can vary depending on your type of practice. For example:

• Same specialty, multiple physicians: If you have several doctors in your office that basically all provide the same services, it is probably OK to ask the patient on the sign-in sheet which physician he or she is scheduled to see. In this situation, knowing that a patient is seeing Dr. Smith as opposed to Dr. Jones doesn’t indicate the reason for the patient’s visit.

• Multiple specialties, multiple physicians: If you have several doctors at your office in different specialties, it may be a HIPAA breach to ask your patients to name the doctor they are there to see on the sign-in sheet. For example, your practice has a family practitioner, a psychologist, and an internist. Patient A, while signing in, notes that his appointment is with your psychologist. Patient B, while signing in, sees the doctor’s name listed on the sign-in sheet by Patient A and now knows that he is seeking mental health treatment. Patient B also happens to know Patient A’s wife and mentions it to her, although Patient A did not want his wife to know. You’ve just violated Patient A’s right to confidentiality. This is only one simple scenario of how easy it is to violate HIPAA guidelines.

If you must know the name of the specific doctor your patient is scheduled to see, there are some workarounds for your paper sign-in sheet. You can still request this information as long as you remove it quickly — BEFORE the next patient signs in and sees it. For example, you can quickly cover the unwanted information from the sign-in sheet with a sticker or a marker.


IMPORTANT: When removing information from your sign-in sheet, make sure that it’s not visible to anyone else. For example, if patients sign in with a black pen and you try to remove the information by covering it with a purple marker, other patients can probably still read what’s under the marker ink. Don’t assume that a permanent marker will actually make the information unreadable. Test it to be sure.

Some offices solve this problem by using a sheet of stickers as their sign-in sheet. Instead of crossing entries out with a pen, the front desk staff peels off each sticker once patient information is added. Then, the sticker is affixed to the patient’s record. The sign-in sheet “empties” as stickers are peeled off. This only works to protect you from HIPAA violations if the stickers are pulled off BEFORE the next patient signs in and put somewhere that is not visible to others. If you use this method, don’t forget to remind staff NOT to throw the stickers in the trash. That would be a clear HIPAA violation. You can purchase pre-printed sign-in sheet stickers, or make them yourself by purchasing printer-ready labels and printing your sign-in text on them.

Finally, avoid putting IIHI (Individually Identifiable Health Information) that can be collected in other ways on your sign-in documents (regardless of the method). For example, don’t ask for birth dates, addresses, or health insurance identification numbers. Leaving this information on the front desk counter for other patients to see is a clear HIPAA violation. You can easily obtain this information more securely by having patients complete forms with direct questions. You also can have the staff member who brings the patient back to the exam room collect the information in a more confidential setting.


Avoid Top Notice of Privacy Practices Pitfalls

HIPAA guarantees a variety of patient rights — one of these includes a patient’s right to know how you’re going to use his or her PHI (Protected Health Information). This is why HIPAA requires you to describe your office’s privacy practices in writing in an easy-to-read format. This is called a Notice of Privacy Practices (NPP). It is a required document, and you must ask your patients to acknowledge receiving it. Don’t take HIPAA guidelines lightly. They state that you must make a good-faith effort to get the patient to sign an acknowledgment that indicates he or she has:

– received a copy of your Notice of Privacy Practices,

– been made aware if a copy is posted in your waiting area, or

– been informed that a copy is available on your practice’s website.

As part of any breach investigation, the Office for Civil Rights (OCR) will request a copy of your NPP to review. The OCR will want to make sure your notice contains the required content. They will also inquire as to your process of making the notice available to your patients. Remember, your patients are NOT required to sign an NPP, but getting their signature can be helpful. Ultimately, you must create some way for your patients to acknowledge that a copy of your NPP was made available for them to review.

Create and Use Your NPP Correctly

In order to ensure HIPAA compliance at your front desk, it is essential that you know what you should and should not include in your NPP. It is also important that your front desk staff have a solid understanding of your NPP so they can answer patients’ questions. Here are several items that are essential to include in your notice to make it HIPAA-compliant and to help you avoid getting hit with a violation:

• Rights: Your patients’ rights must be clearly spelled out on your notice. For example, patients have a right to their medical record. They can correct errors on their record and file a complaint if they feel their privacy rights have been violated.

• Choice: Patient choices must also be clearly listed. For example, patients can choose whether to share information with family and friends about their condition, etc.

• Use: You are required to tell your patients how you will use their information. For example, you may need to use your patients’ private information to treat them, to bill them, and to comply with healthcare laws. Although these are all legitimate ways to use patients’ confidential information, you must include them on your Notice of Privacy Practices.

• Date and sign: Although your patients are not required to sign your NPP, there must be a place for your patients to date and sign the notice. Their signature simply indicates their acknowledgment of the document. A signed and dated acknowledgment gives you unambiguous proof that each patient received the notice and had the chance to review it.

• Change: Your patients have the right to change the instructions on how you are authorized to utilize their information. To indicate such a change, you should have them complete another NPP document with their new preferences. Also, be sure to void the previous notice, or there may be confusion, which could lead to misuse of their information.

SAMPLE FORM: You can find a HIPAA-compliant sample NPP form on page L-12 in the HIPAA Forms and Tools Library at the back of the report. CMS also reports that consumers preferred their Notice in a booklet form. Here is an example of an editable NPP laid out in a booklet https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/npp_booklet_hc_provider.pdf.


Even if you have a perfect notice that passes an investigator’s scrutiny, you can still be found guilty of a violation if you don’t use the document correctly. Here are several specific points to consider that will help you utilize your NPP properly:

• New patients: Be sure that all new patient packets contain a complete copy of your NPP.

• Availability: Be sure to post a copy of your notice where your patients can easily see it. A frame on the wall by your front desk or at your check-in counter are good options. Also, keep several copies behind your front desk in case a patient requests one.

• Signature: Make a “good faith” effort to get your NPP acknowledged by getting a patient to sign the document. Their signature indicates they have read it, understand it and acknowledge it.

• Refusal to sign: “Good faith” means you have explained the form to your patients and asked them to sign the document to acknowledge it. They may refuse to sign for any number of reasons. However, their refusal shouldn’t result in denied services. There are several important items you should document in the patient’s record throughout this process:

– Your exact efforts to get them to sign and their denial.

– All reasons given for not wanting to sign.

– Any questions asked related to the notice.

– Finally, have your staff sign and date the document as a formal record of your patients’ refusal to sign the acknowledgment.

• Language: In some areas of the country, it’s not unusual to have several different language groups represented. If this is true in your area, you are required to make your NPP available in as many language options as appropriate. You can have your Notice translated by a reputable service. Even patients with a good command of English may feel more comfortable having their medical rights and choices available in the language spoken in their homes. Realistically, you can’t have every possible language available, but preparing privacy notices for the predominant languages of your patient population is a small price to pay to avoid a HIPAA violation.

• Media: You need to make similar accommodations for patients who are hearing- or vision-impaired. If a portion of your patients read Braille, you need to have Braille forms. Some offices that handle visually impaired patients on a regular basis have a recording of their NPP available with headphones. If the patient listens to the notice, you should document the date and time, and whether they signed an acknowledgment form. Regardless of whether your patients are listening, reading or using Braille, your privacy notice has to be understandable and accessible.

WARNING: HIPAA guidelines put the burden on YOU to ensure your patients understand their privacy rights. So, if you have to spend money to translate your NPP into Spanish, Braille, or have an audio recording made, it’s certain to be less expensive than paying a $50,000 fine for a HIPAA violation.

Who Can Sign an NPP?

If you have the wrong person sign your NPP acknowledgment form, you are documenting a violation for an investigator to find. Here’s the list of who can actually give authorization and acknowledge receipt of your privacy Notice:

• All patients who are competent adults.

• The legal parent(s) of a minor child who isn’t emancipated can sign for that child.

• An emancipated minor. The definition of an “emancipated minor” differs from state to state. Some still require parental involvement in healthcare decisions, while others give full privacy rights to the child. You need to know your state requirements to avoid getting into trouble. Go to the National Association of Insurance Commissioners website at www.naic.org/state_web_map.htm and click on your state for more information.


• The designated representative or next of kin of a seriously ill or comatose patient can sign for that patient, as long as you have the appropriate documentation of their status.

• The legal guardian of an incompetent patient may sign — be sure to keep documentation of their status on file.

• The legal executor or administrator of the estate of a deceased person may sign, but again, get written proof of their authority, and keep it on file.

Notice of Privacy Policy Compliance Checklist

Use this checklist to help you determine if your NPP is compliant with HIPAA guidelines. Ask yourself these questions. Any question that you answer with a “No” should be reviewed and improved upon.

• Is your NPP reviewed and updated yearly? If so, who is responsible?  YES / NO

– If yes, do you have one person responsible?  YES / NO

• Do you remind your patients at least every three years that they have access to their information?  YES / NO

– If yes, do you have one person responsible?  YES / NO

• Does your entire front desk staff know where your NPP forms/file are located?  YES / NO

• Does your entire front desk staff understand the form well enough to explain it to patients should they need to?  YES / NO

• Do you have a process in place if a patient wants to revoke their authorization?  YES / NO

– If yes, do you have one person responsible?  YES / NO


Help Your Release of Information Form Protect You

Your process for releasing a patient’s Protected Health Information (PHI) to another medical office, lawyer, family member, or even to patients themselves can be complex and confusing. Without clear rules for your front desk, it will be easy for them to provide patient records incorrectly and land your practice under a HIPAA investigator’s scrutiny.

The Health and Human Services (HHS) website reports that “Impermissible Uses & Disclosures” is the top HIPAA violation they investigate. Accordingly, having a firm handle on your information release process is essential to your practice’s HIPAA compliance.

However, having your patients sign a simple Authorized Disclosure Form, with a line for the patient’s name, the recipient’s address, and a signature does NOT completely protect you against a HIPAA violation. Unfortunately, protecting yourself isn’t that easy.

It is NOT required that you have a signed Authorization Disclosure Form every time you release a patient’s private information. That would be too easy. Instead, HIPAA guidelines tell you when you DO NOT need to get a patient’s signed release (you can if you want to, but it is not required).

NOTE: Other than the below circumstances, HIPAA requires you to have a signed Authorization Disclosure Form on file before you release private patient information.

1. To the individual (unless required for access or accounting of disclosures)

2. Treatment, payment, and healthcare operations


3. Opportunity to agree or object

4. Incident to an otherwise permitted use and disclosure

5. Public interest and benefit activities

6. Limited data set for the purposes of research, public health, or healthcare operations.

Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.

However, simply having a signed Authorization Disclosure Form is not enough. Your release must have specific language in it to keep you safe from a violation. Here are the key elements you must include on your release of information document to help protect yourself from a violation:

• The date your patient made the request.

• Specifically who the patient authorizes you to release their personal information to — this is usually the patient themselves or another doctor’s office.

• What specific personal information is the patient giving you permission to share? Along with the signature, this is actually the most important part of the form. This is where you are most likely to get tripped up. Your form needs to specify if the release is for the whole record or treatment during a specific time or for a specific procedure or test.

SAMPLE FORM: You’ll find a sample Authorized Disclosure form to help you create your own document on page L-23 in the HIPAA Forms and Tools Library at the back of this report.

Beyond the Authorization Disclosure Form Itself

Once your patient has completed and signed a release form, there are several additional items you and your front desk staff must master to protect your practice from a HIPAA violation:


1. Documentation: It’s important that you keep everything documented in the patient’s record. Should you get investigated, it is your only way to prove what information your patient authorized and to whom you are allowed to release it.

Also, it’s imperative that you and your front desk staff clearly document the specifics of the information you released:

• to whom it was sent

• how it was sent

• that only patient authorized information was released

Having this information on file can significantly improve the outcome should you get charged with a HIPAA violation. It also allows you to answer any questions your patients might have related to the issue.

NOTE: The guidelines related to who can sign an Authorized Disclosure Form are the same as who can sign a Notice of Privacy Protection (NPP). Accordingly, see page 24 for a specific list.

2. Training: Beyond documentation, training is also incredibly important. Unless you train your front desk team how to accurately utilize an Authorization Disclosure Form, and follow up to make sure they are using it correctly, you are still at serious risk of violation.

Your team needs to know exactly what is required on the release form, who can sign it, and what they are allowed to do without having a supervisor’s authorization first (based on your practice’s rules). Having your actual release form correct is simply not enough.

3. Term of authorization: A patient’s right to privacy doesn’t end with their death. Don’t let your front desk staff make the mistake of assuming that once a patient dies, his or her next of kin automatically has authority to access their personal information.

Family members may come to your front desk staff believing they automatically have the right to access their loved one’s records. Tell your reception team NOT TO ALLOW IT without the correct legal paperwork indicating that they have authorization. When an individual dies, the person that represents the deceased is usually the executor or administrator of their estate (or will). However, it can also be a person who is legally authorized by a court or by a state law to act on the behalf of the deceased individual’s estate.

If there is ever any dispute or confusion over a family member’s right to access patient records, train your staff to get their supervisor or your practice’s designated HIPAA Security and Privacy Officer involved before disclosing any information.

There is so much risk surrounding the release of unauthorized patient information that some experts recommend requiring approval from a manager or provider for EVERY such request to minimize liability.

Release Form Training Scenario

Use the scenario below as a tool to help you train your front desk team on when to release patient information, when not to, and how to do it correctly:

SCENARIO: Long-time patient Joan Smith is running late for her appointment. She is obviously rushed when she checks in. Several patients, including Ms. Smith, arrive at your front desk to check in at the same time. Ms. Smith notifies Pam at your front desk that she is moving out of town. She asks Pam to transfer all of her medical records to her new doctor. Pam knows Ms. Smith well, and verbally agrees. Because the front desk is so busy, Pam jots down Ms. Smith’s name and her new doctor’s name and address on a sticky note. She places the sticky note on her desk by her mouse (in plain view) so she doesn’t forget.

Later the same day, Pam gives the sticky note to their records clerk and asks her to transfer Ms. Smith’s records (DOB: 1964) to the doctor indicated. No other information is provided. What the records clerk doesn’t know is that the practice has two unrelated patients with the same first and last name, both coincidentally born in the same year. Unfortunately, the records clerk sends the wrong patient information to the new doctor’s office. After the records clerk sends the information, she discards the sticky note in the garbage.

Three months later, the error is discovered when Ms. Smith checks in at her new doctor’s office and is handed a sheet with “her” information on it to update. Unfortunately, none of the information was correct because it belongs to the other Ms. Smith.

After sharing this scenario with your front desk team, ask them to identify the HIPAA risks. Then, after collecting several risks from your team, ask them how they would solve the problems. Use the risks and the solutions identified below as a guide through the process.

RISKS:

• The practice accepted a verbal request for a transfer of medical records instead of getting the patient to sign an actual release form.

• The patient’s request was recorded onto a sticky note and left in plain view.

• When the release request is sent to the medical records clerk, there isn’t enough information to ensure the correct records are selected and sent.

• Instead of shredding the sticky note with the patient information on it, the medical records clerk threw it away in the garbage.

SOLUTIONS:

• Never accept a verbal request to transfer records.

• Provide complete information when submitting a release of information. Your form should include the patient’s full name, full birth date, who they want their information sent to, and what specifically you are authorized to send. Then be sure they sign and date the form.

• Have a clear policy that specifically outlines the guidelines for sending out patient information and whether it needs to be authorized internally by a supervisor before it’s sent.

• Ensure all staff (new and old) are trained on these guidelines and document the training when complete.

Even though several things went wrong in this scenario, it isn’t very far-fetched. Your front desk team is pulled in numerous directions, and is expected to multi-task and do everything accurately. By not having a formal policy on what and how to authorize the release of patient records, you are asking for trouble.

The only way to ensure things are handled correctly is to have a plan. If a patient is rushed and doesn’t want to take the time, tell him or her,

“I’m sorry, without a signed release of information on file with specific instructions regarding what information we can release and to whom, we can’t send it. This is a protection for you and your personal information. I am not allowed to make exceptions.”

It is imperative your front desk team stick to the rules and not allow ANY exceptions to release of information rules.


How to Avoid Payment Opt-Out Complications

Patients with commercial insurance policies now have the right to choose whether they want you to submit their claims for the services you provided to their insurance carrier. They should do this on an Opt-Out Form. Usually this is provided with new patient paperwork at your front desk during check-in.

Keeping track of which patients want their visits billed, which ones don’t, and which patients refuse this option can create additional challenges for your front desk staff. You must train your team to clearly understand the differences between each option. They must be able to explain the Opt-Out Form to your patients to ensure it is used correctly.

If not recorded properly, you may file an insurance claim for a patient who didn’t authorize it. If this occurs, you can be subject to substantial HIPAA violation penalties. Even if you get the opt-out right the first time, without the right processes in place, it’s easy to forget the next time and bill the carrier and defy the patient’s wish.

Opt-outs can be complex and aren’t as common as many other front desk tasks. This makes mistakes and resultant HIPAA violations with them more common.

So, what can you do about it?

Your front desk staff must understand who the opt-out option applies to. Opt-outs only apply to commercial payers (i.e., HMOs, point-of-service plans, indemnity plans, etc.), whereas federal and state plans (i.e., Medicare, Tricare, CHAMPUS, PBA, etc.) DON’T have this option. So, for state and federal plans, you don’t need your patient to complete an opt-out form. If you try to file an opt-out for any of these plans, you’ll most likely be in violation of their payer guidelines.

Get opt-out form signed: All of your commercial-insurance patients must fill out and sign an Opt-Out Form. Once the form is completed, you should retain a copy of this signed form with each patient’s records. For those patients who do opt out of having their claims submitted to their commercial-insurance carrier, you must find a way to flag their claims so they are not sent by mistake. Remember, each time you make an error and send a claim to a carrier when the patient has opted out, it’s a potential violation and fine.

SAMPLE FORM: You can find a sample patient opt-out form that you can customize on page L-11 in the HIPAA Forms and Tools Library at the back of this report.


Sidestep Patient Communication Problems

It’s easy for phone messages, faxes, social media posts, and emails to wind up in the wrong hands, with the potential for — you guessed it — HIPAA violations and fines. It’s also very easy to avoid these violations with a few simple precautions. However, if you don’t take them, the consequences can be very expensive. Here are several of the most common patient communication errors and how you can resolve them so that you don’t end up penalized.

Voicemail/Non-Patient Communication

HIPAA violations can easily take place over the telephone, so this is one of the areas investigators scrutinize most closely. Phone messages left with patients’ spouses, co-workers, or on answering machines without consent are violations each time they occur. It doesn’t matter whether you are talking to someone about her 93-year-old mother’s appointment, or a spouse’s billing issue. Unless you have a written consent from the patient (or other authorized signer) that gives you the right to speak to or leave a message with someone other than your patient, you are in violation.

Specifically, watch out for requests from family members and spouses for patient information without confirmation of formal authorization. Usually, this is due to familiarity with the family member or spouse. All may be fine for a while, but if something is released that the patient didn’t want their family privy to, and you don’t have the correct release on file, you could be in big trouble.


Here are a few of the most common dangers when trying to communicate with patients:

Voicemail:

You can protect yourself by adopting a clear policy and training your front desk team to never use your patient’s name when leaving a voicemail. You should also not leave any other information that identifies the patient. And most important of all, be consistent. The same policy should be applied whether a front desk person or the doctor is calling the patient. Here are two examples of acceptable language for voicemail messages:

– Appointments: “Please call us back regarding your appointment at XXX-XXXX.”

– Billing: “Please call us back regarding your invoice at XXX-XXXX.”

Also, you should NEVER leave test results or other medical information on voicemail. Instead, request that the patient call you back to get the information from you directly. Don’t say what it’s about unless your patient has given you specific clearance in writing. Here are some examples of wording to use on your authorization form to get your patients’ authorization:

– “I give my permission for Dr. Smith’s office to leave specific information about scheduling appointments with his openings on my voicemail at [insert number].”

– “I give my permission for Dr. Smith’s office to leave specific information about billing on my voicemail at [insert number].”

Non-Patient Answers the Phone:

Sometimes family members or an office assistant may answer a patient’s phone and are willing to take a message. Although this seems reasonable, your staff is violating your patient’s rights if they disclose information to anyone else without prior clearance from your patient. The proper response is to have your team politely say something along the lines of:


– “I’m so sorry, but I can’t provide you with that information. It’s confidential. I’m not allowed to give that out over the phone. I hope you understand.”

People may be angry at this response, but it’s better than compromising your patients’ PHI and getting fined.

Before you ever pick up the phone to call an existing patient, get into the habit of reviewing his or her consent form on file. Even though this adds another step to your process, it’s the only way to comply with each patient’s wishes.

WARNING: Don’t be lulled into setting up a “cheat sheet” with each active patient’s name and their consent guidelines to make it easier for your front desk staff to get it right. This is not a good idea. Remember, your patients have the right to revoke their consent at any time, and if your cheat sheet isn’t updated, you have an instant HIPAA violation.

It’s also important to train your team how to answer questions when someone calls into your office. For example, let’s say you leave a message for a patient on their voicemail regarding an appointment, asking them to call and confirm. However, instead of the patient calling back, it’s her husband asking who the message was for. The only way to help your front desk team be compliant is to arm them with very specific responses for a variety of scenarios so they aren’t caught off guard. And if they ever don’t know how to answer a question, be sure they at least know to ask a supervisor for assistance.

REMEMBER: If you don’t have written consent from the patient, limit yourself to simply asking for a call back, and don’t leave any additional information. Also, never verbally leave lab results or patient medical information on voicemail under any circumstances.

You’ll find a voicemail training scenario on the next page. Based on this scenario, work with your front desk team to create multiple HIPAA-compliant solutions and run through them with your team regularly. This will help them be prepared for anything that comes their way.


Again, be sure to document your training. HIPAA investigators will be looking for it. Documenting your training can be as easy as creating a spreadsheet with the date of the training, the topic, and the names of the staff in attendance. Keep this sheet in a binder or in an easily accessible folder on your computer, and include any of the training documents that you used. Be sure to put the date of the training on the supporting documents so they can be tied back to the log sheet if you are ever investigated.

Voicemail Training Scenario

One of your patients leaves a message on your practice’s machine after you’ve closed. The patient asks about the availability of appointment times for the coming week. The patient leaves a phone number and asks for a call back with the appointment information.

The next day, one of your front desk staff returns the patient’s call. However, instead of the patient, they reach her voicemail. Your team member leaves a message for the patient by name, stating that she is returning her call, and leaves specific information identifying the specialist the patient wants to see, the availability of appointment times for the coming week, and asks the patient to call her back.

Although returning a patient’s phone call should be relatively easy, this is a perfect example of what can go wrong. Your front desk staff must remember that when they dial a patient’s number, they don’t actually know where or who they are calling. Is it a cellphone only answered by the patient? Is it a house phone answered by other family members? Is it an office phone whose voicemail is scanned by an assistant? There is no way to confirm the information you are leaving will be secure. Accordingly, your front desk team must use caution.

A good rule of thumb is to never leave detailed information on a patient’s voicemail. When leaving a voicemail message, you should avoid using the patient’s name (like in the scenario above) or any specific information. You have no idea if the patient’s phone number you are calling is secure. Someone else could pick up the message and now knows that your patient wanted to make an appointment with your practice. If you are a primary care practice, it may not be too much of a problem (although it is still a HIPAA violation). However, if you are in a more sensitive specialty (i.e., family planning clinic, mental health office, addiction clinic, etc.), it can be a huge problem that causes the patient to submit a complaint with OCR.

The correct way to handle leaving any voicemail message for a patient is to only leave your name and your callback number so that you aren’t revealing any of your patient’s private information.

Avoid Faxing Missteps

Sending your patient’s PHI via fax can significantly increase your risk of a HIPAA violation. Your front desk staff can violate patient confidentiality by both sending and receiving faxed PHI incorrectly. It is essential that your front desk team know what they can and can’t send electronically, and whether they have the right kind of release on file.

NOTE: Before you send patient PHI, the first step is to confirm whether it is a permitted or an authorized disclosure. In cases of authorized disclosures, remember you must have an Authorized Disclosure Form signed by your patient (or their representative) on file.

– Incoming faxes: It is imperative that your fax machine is placed outside of plain view. If someone isn’t monitoring your fax machine regularly, incoming faxes can build up, and possibly be seen by passersby. Another area of concern is if you receive your faxes electronically (eFaxes). Typically, eFaxes arrive in your email. If this is the case, be sure you limit access to the email account that receives the incoming faxes.

It’s important that you have a specific protocol for how to handle incoming faxes. Your procedure should include how to access them, where to save them, and what to do with the original document.

– Outgoing faxes: Depending on the type of fax machine you use, a HIPAA violation can occur in a variety of situations when sending faxes, as well.

• Non-digital fax: If an outgoing fax doesn’t successfully go through right away, sometimes it just sits on the machine. Then, the unit can try again at a later time. If this occurs, anyone can pick up the pending fax and read it.

• Digital fax: If your machine scans your fax and stores it until it is ready to go out, this can also cause problems. If after you scan in your fax, it doesn’t get delivered after several attempts, your fax machine may print a failure page. In many instances, this page can have a copy of the first page of your fax, along with the delivery problem information. If this occurs, patient information could be easily seen.

TIPS: With either type of fax machine, it is essential you take your time and type in the right number. The wrong number could mean your patient’s PHI ends up in some random place. If you are investigated for HIPAA compliance, investigators will look for your fax machine to see whether it’s located in a common area and how you use it. They’ll also look for eFaxes and how you manage them. Investigators see red flags when they find an unattended fax machine with faxes piled up, or an eFax inbox that everyone has access to, because they know that each fax sent and received could be construed as a violation — the fines can really add up.

All of the answers to these questions should be “YES” before you ever decide to fax patient PHI:

☐ Do I have an up-to-date release form signed by the patient on file?

☐ Does the release form indicate authorization to send to the person I am faxing?

☐ Is the information I am sending authorized by the release I have on file?

☐ Do I have a phone number for the person I am sending the fax to? This allows me to call immediately after the transmission to make sure records were received without a security breach.

☐ Is my fax cover sheet marked with “CONFIDENTIAL INFORMATION” at the top of the page in large letters?

What can and can’t you send via fax? Your front desk staff must be aware that the following information is NEVER to be transmitted via fax. Doing so is considered an immediate breach of privacy. These records can only be sent via mail marked “confidential” or digitally via email if your email is encrypted and protected from breach.

• HIV results

• Mental health records

• Narcotic prescriptions

• Alcohol abuse records

• Substance abuse records

• Child abuse records (It is important to be aware of both national and your state-specific law enforcement exceptions. See more information in the box below.)

Releasing Child Abuse PHI

HHS guidelines indicate that you may disclose PHI to law enforcement officials, related to child abuse, under these six circumstances:

1. Court-ordered: As required by law, you may release PHI related to “court orders, court-ordered warrants, subpoenas” and administrative requests.

2. Identification: If requested to do so, you may release PHI to help “identify or locate a suspect, fugitive, material witness or missing person.”

3. Solve a crime: You may release PHI in response to a “law enforcement official’s request for information about a victim or suspected victim of a crime.”

4. Report murder: If you suspect that “criminal activity caused the death,” you may alert law enforcement of a person’s death.

5. Report a crime on your premises: If you determine that the PHI is “evidence of a crime that occurred on your premises,” you may release the related information.

6. Report a crime in an emergency off premises: Should you respond to a medical emergency off premises that involves a crime, should you feel it is necessary, you may “inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.”

NOTE: Be sure to check your state guidelines, as there could be variations to the above rules based on your geographic location. Also, in these types of situations, it is probably best that only a manager or provider make the decision on when it is appropriate to send this type of sensitive information. Should you choose to implement this rule internally, be sure to thoroughly train your front desk staff.


Keeping Email PHI Secure

Unless your front desk staff emails are encrypted, they are NOT secure. Period. Remember, you really have no control over who actually reads your emails on the other end. Also, emails can easily be printed and/or forwarded. This means that your patient’s PHI can fall into the wrong hands, significantly increasing your exposure to HIPAA violations and fines.

You can solve this problem by limiting emails to simple notices that lead the recipient to log onto your Electronic Health Record (EHR) system’s patient portal to retrieve the information. The patient portal is a username- and password-protected environment where patients have an expectation of privacy, and the PHI itself never travels in the email. Make sure your EHR vendor has a solid record of maintaining client security. This should be covered in your Business Associate Agreement (BAA) with the vendor.

You should also be sure to use an approved vendor to encrypt your email. Here are a variety of services you can check out (this report does not endorse any of these services — you should research them to ensure they meet your needs before using any of them):

• Voltage (www.voltage.com)

• DataMotion (www.datamotion.com)

• Proofpoint (www.proofpoint.com)

• EdgeWave (www.edgewave.com)

• Cryptzone (www.cryptzone.com)

• Symantec (www.symantec.com)

• Sophos (www.sophos.com)

• LuxSci (www.luxsci.com)

• Microsoft Exchange (https://products.office.com/en-us/exchange/microsoft-exchange-server)

Encrypting your data is an essential step to protecting your patient’s PHI. It can be incredibly valuable in protecting you against accidental privacy breaches, prying eyes, or lost equipment containing email information.


In addition to having your data encrypted, you should ensure that every device and channel that carries PHI into the office (computers, phones, thumb drives, etc.) is encrypted, secured and scanned for malware, to protect it from harm, whether accidental or intended. Having your data encrypted is considered a best practice, and an important part of your HIPAA compliance. However, don’t get complacent. Encryption protects data that is stored or in transit; it does not stop someone who is already logged in, or malware running on the workstation, from reading it, so it doesn’t mean that hackers can’t find a way to access it.

Protecting Other Types of Electronic Devices

In addition to your patients’ PHI being received on front desk computers, you may also communicate with your team via smartphones with voice, email, text, and other web-based data transmission options available. This increases the possibility of exposure of your patients’ PHI, which, of course, increases your chances of HIPAA violations.

As with all other electronics in your office, the goal should be uniformity when it comes to security. Consider encrypting smartphone communications like you would with all other mediums, such as email. Treat smartphone voice communications exactly as you would regular phone communications, and use smartphone web-based apps securely, just as you would on the office computers.

IMPORTANT: Under no circumstances should front desk staff (or any other of your office staff, including physicians) use PERSONAL smartphones to conduct office business. Removing personal smartphones from circulation in the office also removes them from creating HIPAA violation risks.

SAMPLE FORM: See sample Mobile Device Management Policy on page L-32 in the HIPAA Forms and Tools Library at the back of this report.

Once you decide on an encryption method, be sure to specifically document how you’d like your patients’ private information to be transmitted. Remember that investigators operate under the assumption that “if it’s not documented, it’s not being done.” You should keep a binder of all documented security measures you’re implementing, so you can easily access them as needed. However, be sure to keep the training documents secure so not just anyone can access them.

NOTE: See page 5 for a discussion of what constitutes PHI and IIHI.


Encryption Checklist

There are many encryption methods and technologies you can use to protect your data from being accessed and viewed by unauthorized users. To determine if you need an encryption system, or if you are at risk, you should assess the following:

Emails: If you send emails containing PHI:

☐ Yes ☐ No  Are they encrypted?

☐ Yes ☐ No  Do you have a process or policy in place that forbids sending emails over nonencrypted services?

☐ Yes ☐ No  Do you have a process in place to ensure emails are being sent securely?

Texting: If your PHI is texted, where is it texted from, and is it protected?

☐ Office: ☐ Protected ☐ Not Protected

☐ Home: ☐ Protected ☐ Not Protected

☐ Other places: ☐ Protected ☐ Not Protected

☐ All of the above: ☐ Protected ☐ Not Protected

Remote Access: If you provide remote access to your PHI:

☐ Yes ☐ No  Is your remote access protected?

☐ Yes ☐ No  Do you regularly change passwords for staff with remote access?

☐ Yes ☐ No  Do you control what data is accessible by each person when they log in?

☐ Yes ☐ No  Do you keep a log of who has access to your data remotely?

Networking/Equipment:

☐ Yes ☐ No  Is your wireless network encrypted?

☐ Yes ☐ No  Is your guest wireless on a segregated network?

☐ Yes ☐ No  Do any portable devices/equipment containing PHI leave your practice/business (i.e., thumb drives, CDs, laptops, etc.)?

☐ Yes ☐ No  If applicable, do you track the return of portable devices/equipment?

Scanning Documents: If you scan PHI:

☐ Yes ☐ No  After scanning paper documents, do you keep the paper copies on site?

☐ Yes ☐ No  After scanning paper documents, are the paper copies destroyed?

☐ Yes ☐ No  Do you keep scanned documents in your EHR?

☐ Yes ☐ No  Are additional versions of scanned documents deleted from your system?

☐ Yes ☐ No  Are scans being sent as attachments to emails?

☐ Yes ☐ No  If you send scanned PHI as attachments to emails, are these emails automatically deleted once sent?

Steer Clear of Social Networking Compliance Traps

A post on Facebook, Twitter, or various other social networks can be made in seconds and seen by millions of people in a matter of hours. Accordingly, it is imperative that your front desk staff understands that posting any patient information on social networking sites without their permission can get your practice (and them personally) into serious trouble.

Your front desk staff may not realize that they can be held personally responsible if they are the cause of a breach of PHI. This means they individually could be fined or even put in jail — there are cases on record of this happening. It’s important that they understand their personal exposure, too. And remember, penalties can apply to each item if it is believed the information was leaked — or worse, viewed.

The answer is NOT to delete all of your social media accounts. However, you do have to make sure your front desk staff (along with everyone else in your practice) knows not to post identifying information about patients, including their images, on any social networking site (i.e., Facebook, Twitter, LinkedIn, Pinterest, Instagram, etc.) without written authorization. No exceptions.

Be sure your staff knows that this applies to their personal social media accounts as well as any accounts maintained by your practice. Once people are on their own personal social media pages, they sometimes forget that what they post could be visible to patients, co-workers, and regulators, as well. Investigators now look at social media routinely to check for HIPAA violations. When they find them, the fines can hit seven figures.


A responsible social media policy that everyone in your office follows is the key to protecting yourself. The Mayo Clinic has a good one, which can be found at http://sharing.mayoclinic.org/guidelines/for-mayo-clinic-employees. Its social media policy makes these basic points:

• Follow all applicable privacy policies.

• Write in the first person. Make it clear that you are speaking for yourself and not on behalf of the practice or clinic.

• If you communicate on the Internet about the practice or clinic, disclose your connection to the practice/clinic and your role.

• Use a personal email address (not your business address) as your primary means of communication for any non-business communication.

• If your blog, posting, or other online activities are inconsistent with or would negatively impact the practice’s/clinic’s reputation or brand, you should not refer to the practice/clinic or identify your connection to the clinic.

• Be respectful and professional to fellow employees, business partners, competitors and patients.

• Ensure that your blogging and social-networking activity does not interfere with your work commitments.

• Ask your HIPAA Privacy Officer if you have any questions about what is appropriate to include in your blog or social-networking profile.

SAMPLE FORM: You’ll find a sample Social Networking Policy document for your staff to sign on page L-20 in the HIPAA Forms and Tools Library at the back of this report. This will help you emphasize the importance of keeping PHI and IIHI off of social media.


Plug Up Dangerous Information Privacy Leaks

Information leaks can occur in multiple places surrounding your front desk. In most cases, they occur innocently. However, it doesn’t really matter whether they are intended. It won’t change whether an investigator considers them to be a violation.

Here are some common front desk information leaks you should be on the lookout for and how you can head them off at the pass:

Overheard Conversations

Most front desks are very public places. You can have patients checking in and checking out, staff discussing a patient, a full waiting room, etc. This makes overheard conversations a significant risk. When your front desk staff verifies a patient’s name, helps someone with a referral, or calls in a prescription, they are most likely speaking a significant amount of PHI and IIHI out loud. Any one of the patients in your waiting room, checking in, checking out, or walking down the hall could overhear this confidential data. And, if a patient feels violated, your chances of getting investigated just went through the roof.

Here are several of the top ways private patient information might be overheard and how you can avoid it:

• Staff to patient: Personal data your front desk staff openly asks for at check-in and check-out may be overheard. Even though your staff may think it’s commonplace to discuss such data publicly, your patients may not want to openly divulge sensitive or personal items (i.e., STDs, pregnancies, oncology or mental health referrals, etc.).


EXAMPLE: An OB-GYN practice has one area to check out for a multi-provider practice. Accordingly, it is common for there to be multiple people waiting in line to check out. The front desk person hands a piece of paper to Patient A with the information for a mental health referral. As the staff member hands over the piece of paper she says, “Dr. Jones asked me to give you this list of psychologists.” The receptionist didn’t realize that the next person in line to check out was Patient A’s neighbor and she overheard everything.

• Staff to staff: Conversations between your staff can also open you up to HIPAA breaches if they don’t keep their voices down. Your front desk team must be aware of who could overhear them. It’s always best to advise your front desk staff (and other personnel) to use their “inside voices” when discussing patient information in your office.

EXAMPLE: An infectious disease practice has their front desk set up so patients can check in at the window, and patients can check out on their way out the door. The practice’s billing person is in a back room area behind the reception desk. As Patient A is checking out, Patient B is at the window waiting to check in. At that same moment, the front desk person loudly asks the billing person, “What is the diagnosis code for Hepatitis B?” The biller in the back room yells back the answer and the front desk person puts it into her computer, prints out the receipt, and says goodbye to the patient. All the while, Patient B was standing at the window listening to the entire conversation.

• Phone: When your reception staff speaks to patients on the phone in the same vicinity as other patients who are checking in, checking out or waiting to see the doctor, it can be a real concern. Encourage your front desk staff to be aware when they are using patient names and to speak more softly. If your front desk habitually reveals PHI and/or IIHI out loud during phone encounters, you could have as many HIPAA violations as you have phone calls, which can result in monumental penalties.

EXAMPLE: Your front desk person picks up the phone to an elderly patient trying to confirm her appointment later that week. The elderly patient is soft spoken and having a hard time hearing your receptionist and keeps saying “What?” Your receptionist is trying to confirm the patient’s address and date of birth before she confirms the appointment. Each time your patient asks, “What?” your receptionist speaks louder: “YES, MS. SMITH, I’LL BE GLAD TO GIVE YOU YOUR APPOINTMENT TIME, I JUST NEED TO CONFIRM YOUR BIRTH DATE AND ADDRESS.” The patient provides her birth date and address over the phone and the receptionist replies, “OK, MS. SMITH, LET ME CONFIRM THAT YOUR BIRTH DATE IS OCTOBER 5, 1932, AND YOUR ADDRESS IS 123 MAIN STREET ... IS THAT CORRECT?” The entire waiting room overhears the conversation.

• Check-out: Unanswered questions during an office visit can lead to additional opportunities for HIPAA violations at check-out. Encourage your front desk staff to stop patients if they start asking personal questions during check-out. Your check-out staff should go and get someone in the practice that can take the patient aside and answer their questions, away from the general traffic.

EXAMPLE: A patient didn’t write down the name of a cream his physician recommended that he get at the drug store to combat genital itch. As he is checking out, he realizes this and asks the receptionist for the information. Trying to be helpful, the receptionist goes to the back and gets the information the patient requested. As she hands the piece of paper to the patient, she says, “I believe this is the cream the doctor recommended for your genital itch.” A patient at the adjacent check-in area heard the entire conversation.

Although the answer to HIPAA compliance may not always be the most convenient process for everyone, allowing staff to take the easy way out can really cost you. Although you can’t ever guarantee PHI won’t be overheard, the mere fact that you took some action to avoid a breach can count positively toward your case if an investigator finds issues with your practice.

Depending on the layout of your office, here are tactics to reduce the chances of your patients’ PHI being overheard at your front desk:


• Window: A sliding window at your front desk that separates your back office from the waiting room can be beneficial to avoid overheard conversations. However, you must use the window for it to work. The window should remain closed when making patient phone calls. Also, if you need to discuss something personal with the patient, you can invite him or her back into your area behind the window for privacy. NOTE: Ensure your front desk staff can see through the glass. Nothing is more annoying to a patient than to feel ignored.

• Consultation desk: Instead of asking patients at your front desk for personal information, designate a confidential area in your office you can use for this purpose.

• Writing: Instead of asking for personal information verbally at check-in, have the patient write down the information in his or her paperwork.

• Back office conversations: Instead of yelling across the room to get a diagnosis code or phone number for a delicate piece of information (i.e., an oncology referral), encourage your front desk staff to get up and ask for the information quietly so it can’t be overheard.

• Notice: Put a notice on the wall that asks only one patient to come up to your front desk at a time. This is to protect everyone’s privacy.

SAMPLE FORM: You can find a sample Employee Confidentiality Agreement on page L-35 in the HIPAA Forms and Tools Library at the back of this report. You can provide it to your front desk staff to help reiterate the importance of keeping patient information private.

Protect Your Computer Screen

It’s common for most offices to have their staff log out of their computer workstations at the end of the day or at the end of their shift. However, many practices forget how important it is to have safeguards in place EVERY time a member of your team leaves the computer. This is especially true for your front desk staff. The proximity of your front desk makes it much more likely that your patient’s PHI can be revealed. Do you really know how often your staff leaves their computer screen unattended? What about when they go to the restroom, carry a chart to an exam room, or go to lunch?

ANY unattended front desk computer stations with active screens are a MAJOR violation that can get you into serious trouble, unless you take action to avoid it. Here are several items you can put into place to stop this type of violation in its tracks:

• Usernames and passwords: Assign unique usernames and passwords to each of your staff members. Do NOT allow your team to write these down anywhere near their computer. A surprising number of offices have usernames and passwords taped right next to computer terminals. This defeats the whole purpose of passwords protecting their computer and violates HIPAA guidelines.

• Update access codes regularly: Set periodic dates throughout the year when your passwords are reset so that even if someone does figure out a password, the exposure does not last long. Most computer operating systems enable you to set an automatic reminder for password reset every 90 days, which is a reasonable period of time to use a password before it becomes stale.

• Establish a “secure terminal” procedure: For every electronic device you have — including desktop computer stations, laptops, tablets, and smartphones — implement procedures to prevent any of these from being unattended while logged in. All staff should log out if they have to step away from their device even for a minute. It doesn’t matter if they are stepping away for lunch, a restroom break, or even just a moment to bring a chart back to an exam room — all devices must be secured any time they are unattended.

SAMPLE FORM: See the Sample Workstation Use Policy on page L-30 in the HIPAA Forms and Tools Library at the back of this report.

• Automatic log-off: According to HIPAA guidelines, you must “implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.” This is true for all of your staff and especially true for your front desk team. Generally, ALL computers should automatically log off your system if they are EVER unattended for ANY reason for ANY amount of time. HIPAA technical guidelines also state, “Automatic log-off is an effective way to prevent unauthorized users from accessing PHI on a workstation when it is left unattended for a period of time.” Most systems allow you to configure the settings for automatic log-off. You should document your decision-making process for determining the amount of time before the system logs off. Experts recommend between 5-10 minutes in high-traffic areas and no more than 20 minutes in other locations.

• Lockable screensavers. This option can be helpful for the period of time before the system logs off. The computer won’t completely log off, but the screen will go to the screensaver, and the user will have to type in a password to regain access.
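The three settings above (unique accounts with a password age limit, an inactivity lock, and a password-protected screensaver as the fallback) are the ones an investigator will ask to see enforced on the front desk machine. The script below is an added example written for this report, not a form or tool from the report itself, showing how to enforce and then verify them on a Windows 10/11 workstation from an elevated (Administrator) PowerShell session. The registry values it writes are the ones behind the Windows “Interactive logon: Machine inactivity limit” security option and the screen saver policy; the function names and the 600-second (10-minute) and 90-day values are assumptions taken from the guidance above, not Windows defaults. On a domain-joined practice, push the same values with Group Policy rather than running this on each machine.

```powershell
# Added example (not from the report): enforce and verify the auto-lock and
# password-age settings on a Windows front desk workstation.
# Assumptions: Windows 10/11, run from an elevated PowerShell session.
# 600 seconds reflects the report's 5-10 minute guidance for high-traffic areas.

# Machine-wide policy key behind "Interactive logon: Machine inactivity limit".
$SystemPolicy  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# Per-user policy key for the password-protected screen saver.
$DesktopPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function Set-WorkstationLockPolicy {
    param(
        [ValidateRange(60, 599940)] [int] $InactivitySeconds  = 600,
        [ValidateRange(1, 999)]     [int] $MaxPasswordAgeDays = 90
    )

    # Lock the console for every user on the machine after the idle period.
    New-Item -Path $SystemPolicy -Force | Out-Null
    Set-ItemProperty -Path $SystemPolicy -Name 'InactivityTimeoutSecs' `
        -Value $InactivitySeconds -Type DWord

    # Screen saver that requires the password to dismiss, as a second layer
    # (the report's "lockable screensaver") if the inactivity limit is relaxed.
    New-Item -Path $DesktopPolicy -Force | Out-Null
    Set-ItemProperty -Path $DesktopPolicy -Name 'ScreenSaveActive'    -Value '1' -Type String
    Set-ItemProperty -Path $DesktopPolicy -Name 'ScreenSaverIsSecure' -Value '1' -Type String
    Set-ItemProperty -Path $DesktopPolicy -Name 'ScreenSaveTimeOut'   -Value "$InactivitySeconds" -Type String

    # Force a password change after the chosen number of days for local accounts
    # (on a domain, set this in the Default Domain Policy instead).
    net accounts "/maxpwage:$MaxPasswordAgeDays" | Out-Null
}

function Test-WorkstationLockPolicy {
    param([int] $MaxInactivitySeconds = 600)

    $limit  = (Get-ItemProperty -Path $SystemPolicy  -Name 'InactivityTimeoutSecs' `
                -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    $secure = (Get-ItemProperty -Path $DesktopPolicy -Name 'ScreenSaverIsSecure' `
                -ErrorAction SilentlyContinue).ScreenSaverIsSecure

    # Compliant only if a limit exists, is within the documented maximum,
    # and the screen saver demands a password.
    $ok = ($null -ne $limit) -and ($limit -gt 0) -and
          ($limit -le $MaxInactivitySeconds) -and ($secure -eq '1')

    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        Checked               = Get-Date
        InactivityTimeoutSecs = $limit
        ScreenSaverIsSecure   = $secure
        Compliant             = $ok
    }
}

# Apply the policy, then record the verification result.
Set-WorkstationLockPolicy -InactivitySeconds 600 -MaxPasswordAgeDays 90
Test-WorkstationLockPolicy -MaxInactivitySeconds 600
```

Run `Test-WorkstationLockPolicy` periodically (for example, as a scheduled task that appends the output to a log) and keep the output with your written security procedures: it is the kind of dated evidence that answers the investigator’s “if it’s not documented, it’s not being done.”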

Don’t Let Investigators Find More than Trash in Your Garbage

Once something is thrown away, most people don’t think about it again. However, this can be very dangerous when it comes to protecting PHI. Much of what goes in the trash in a medical office may have PHI/IIHI on it. That could mean that your cleaning staff is exposed to confidential information that they shouldn’t see. The problem is bigger than PHI/IIHI too — if a staff member writes down a password and then throws it out, someone could pick it out of your trash and access your computer with it. Investigators will be sensitive to what goes in your trash, and what they find could lead to serious fines.

Have a paper destruction policy in place, with documentation that all of your staff, including those at your front desk, have been trained on.

Your staff must know how to correctly dispose of unwanted paper — with no exceptions — by secure shredding. You can place a locked receptacle with a slot at the top in a convenient spot, and then have a staff member tasked with shredding and securely disposing of the shredded contents. There are also services that will collect and securely shred your materials for you.

Do what makes sense for the size of your office but remember — until every piece of paper that could contain PHI/IIHI or any of your passwords for that information is completely destroyed, you still have a risk of violation. Small practices caught with PHI in their accessible trash frequently face six-figure fines. Don’t be one of them. If you don’t use an external service, at a minimum, ensure you have an effective shredder in your office.

WARNING: These days, “trash” also includes thumb drives, data drives, data storage CDs, and even old smartphones, tablets, and laptops. Just because they are older, and might not work anymore, does not mean that you can dispose of them casually. You would be amazed at what a computer-savvy person can find on a damaged hard drive. You could be liable for hundreds of separate violations just for casually discarding a broken laptop. The same principle for digital PHI/IIHI applies as for paper. You MUST make sure that no information is readable, usable, or accessible.

One method of safely discarding electronic media is degaussing, which involves using a strong magnetic field to fully erase the data. Note that degaussing only works on magnetic media such as traditional hard drives and tape; thumb drives, SSDs, and the storage in phones and tablets are not magnetic and must be physically destroyed instead. Physically damaging the media beyond repair, making the data inaccessible, works for any media type. You should also maintain a log of destroyed media. If you have an outside firm destroy your electronic media, ask for a destruction certificate to prove it was destroyed. If your equipment is being sold or given away for reuse, be sure to have someone completely remove all PHI, and provide you with a sanitization report to confirm it was processed properly.

IMPORTANT: Regardless of the method you choose, make sure to write down your policies and procedures. You should also have your employees and BAs sign a Paper Destruction Policy as part of the hiring/contracting process and keep it on file.


Don’t Be Shamed by Your Wall of Fame

If you post pictures of patients on a “Wall of Fame,” you could be in danger of HIPAA violations. These “walls” are normally collections of pictures or announcements about your patients. For example, OB-GYN practices regularly have walls of birth announcements. Dermatology practices may have before-and-after pictures showing results of acne treatments. Pediatric practices might post school pictures of their patients. Many practices have had these displays for years. However, unless you have a signed and dated patient Authorization Disclosure form on file for every one of these pictures before they are posted, each one is a potential HIPAA violation.

It’s actually very simple. Don’t rush to tear down your wall of fame. You’ll probably hurt some of your most loyal patients’ feelings if you do. You just need their written consent to keep the pictures up and to add any new ones.

SAMPLE FORM: Use the sample Authorized Disclosure Form on page L-23 in the HIPAA Forms and Tools Library at the back of this report to get written authorization from your patients to post their pictures and make your “wall of fame” HIPAA compliant. Be sure you get a consent for EACH patient’s picture, including consent from parents for children’s photos. If you can’t get a consent from a particular patient, be sure not to post their picture until you do.

Some specialties have the benefit of being able to show before-and-after pictures without including the patient’s face (e.g., dentists, dermatologists). In this case, you don’t necessarily need a signed Authorization Disclosure Form, but it may be a good idea just in case.

Stick with the Minimum Necessary to Get the Job Done

If you work in an office where patients are seen, your front desk staff needs to be completely clear that they can’t talk about what goes on with your patients to anyone outside of your practice. It doesn’t matter how interesting or entertaining the story might be — their family and friends have no right to know.


What many staff don’t really get, however, is the same rule applies inside your office. Let’s say you have a large staff in a plastic surgery practice and one of the doctors has a celebrity client. It’s common for all of the staff to want to know when the celebrity or local official is in the office and what was done. But this is a privacy violation. Unless those staff members need to know about this patient in order to do their jobs, then they should not get any information.

Before you send or share any information, you must get a signed release from the patient. The release must specify not only to whom the information can be released but also exactly what can be released. Then, you need a process in place to be sure you ONLY release the authorized information AND NOTHING ELSE. If you give out more information than is needed to treat the patient — inside or outside your practice — then you are in violation. Don’t miss this distinction and incur substantial fines as a result.

You and your front desk staff have to be very careful about this. HIPAA allows you to disclose the minimum necessary for the other doctor’s stated purpose “if reasonable under the circumstances.” For example, if you refer a pregnant patient to a specialist, why would that particular physician’s office be interested in something that happened 10 years ago that is not related to her pregnancy at all? You need to work closely with your front desk staff on this and be sure that they do not send more information than necessary. Instruct your staff to provide only the minimum necessary information and have front desk staff ask the HIPAA Security and Privacy Officer or Manager any time they are unsure.


Permitted vs. Authorized Uses and Disclosures

Under the HIPAA Privacy Rule, there are specific instances in which a practice is “permitted, but not required, to use and disclose PHI, without an individual’s authorization …” These situations or purposes are listed as “Permitted Uses and Disclosures.” However, there are clear instances when you must have written authorization from your patient to release their information. Your staff should be aware of when they apply. Here is a breakdown of both that will help you distinguish between the two, and understand what your staff needs to be trained on:

PERMITTED: Permitted uses and disclosures include providing the information directly to the individual who is the subject of the data (except for psychotherapy notes).

There are instances when an informal (verbal) consent is acceptable. This may be obtained for uses such as listing the patient’s contact information in a directory, notifying friends or family identified by the patient of the patient’s health status, and similar purposes. The patient must have the opportunity to agree or object to these items. This type of disclosure allows others, like family members who are involved with the patient’s care, access to the patient’s situation without sacrificing privacy.

Additionally, there are 12 national priority purposes, not healthcare related, in which the Privacy Rule permits, but does not require, you to use and disclose PHI without your patients’ specific authorization or permission. The list includes:

1. required by law

2. public health activities

3. health oversight activities

4. victims of abuse, neglect or domestic violence

5. law enforcement purposes

6. judicial and administrative proceedings

7. decedents

8. cadaveric organ, eye, or tissue donation

9. research

10. serious threat to health or safety

11. essential government functions

12. worker’s compensation

AUTHORIZED: To disclose patient information for reasons other than those indicated above (as with psychotherapy notes), you must obtain the individual’s written authorization. Also, your decision to provide treatment to the patient must not be conditioned on a request for PHI. To release this information, you must receive the patient’s authorization in writing. Your release form must be specific, written in plain language, and contain explicit information regarding what the patient is authorizing you to release and to whom. Your release form must also clearly spell out your patients’ right to revoke their authorization at any time.

SAMPLE FORM: You can find a sample PHI release form on page L-6 in the HIPAA Forms and Tools Library at the back of this report.
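One way to make the “ONLY the authorized information AND NOTHING ELSE” rule from the minimum-necessary section and the permitted-versus-authorized distinction above mechanical, written here as an added example rather than code from the report or its contributor: the release gate below lets the patient receive their own record without an authorization (psychotherapy notes excepted), requires a signed, current, unrevoked written authorization naming the recipient for everyone else, and refuses the whole release if any requested category falls outside what the patient authorized. The category names, dates, recipient and sample record are constructed, and treating an authorization as carrying a fixed expiry date is an assumption.

```python
"""Minimum-necessary PHI release gate (added example; all data constructed)."""
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

# Constructed category label; a real system would map this onto its chart layout.
PSYCHOTHERAPY_NOTES = "psychotherapy_notes"


@dataclass(frozen=True)
class Authorization:
    """A signed patient authorization: who may receive what, and for how long."""
    patient_id: str
    recipient: str          # the specific party the patient named
    categories: frozenset   # exactly what may be released to that party
    signed_on: date
    expires_on: date        # assumption: the form carries a fixed expiry date
    revoked: bool = False   # patients may revoke at any time

    def is_valid_on(self, today: date) -> bool:
        return (not self.revoked) and self.signed_on <= today <= self.expires_on


def revoke(auth: Authorization) -> Authorization:
    """Return a copy marked revoked (the patient exercised their revocation right)."""
    return replace(auth, revoked=True)


class ReleaseDenied(Exception):
    """Raised when a disclosure would exceed what the patient permitted."""


def prepare_release(record: dict, recipient: str, requested: set,
                    today: date, auth: Optional[Authorization] = None) -> dict:
    """Return only the requested categories that this recipient may receive.

    Raises ReleaseDenied instead of silently trimming, so a front-desk workflow
    cannot send 'a little extra' by accident.
    """
    phi = record["phi"]
    unknown = requested - set(phi)
    if unknown:
        raise ReleaseDenied(f"record has no such categories: {sorted(unknown)}")

    if recipient == record["patient_id"]:
        # Permitted disclosure: the individual who is the subject of the data,
        # except psychotherapy notes, which still need written authorization.
        if PSYCHOTHERAPY_NOTES in requested:
            raise ReleaseDenied("psychotherapy notes require written authorization")
    else:
        if auth is None:
            raise ReleaseDenied("no written authorization on file")
        if auth.patient_id != record["patient_id"]:
            raise ReleaseDenied("authorization is for a different patient")
        if auth.recipient != recipient:
            raise ReleaseDenied(f"authorization does not name {recipient!r}")
        if not auth.is_valid_on(today):
            raise ReleaseDenied("authorization is revoked or outside its dates")
        excess = requested - auth.categories
        if excess:
            # The minimum-necessary check: one unauthorized category stops everything.
            raise ReleaseDenied(f"not authorized for release: {sorted(excess)}")

    # Build the outgoing packet from the requested categories only.
    return {cat: phi[cat] for cat in sorted(requested)}


def accounting_entry(record: dict, recipient: str, released: dict, today: date) -> dict:
    """Entry for the practice's accounting of disclosures: what went where, when."""
    return {"date": today.isoformat(), "patient_id": record["patient_id"],
            "recipient": recipient, "categories": sorted(released)}


# Constructed sample: referring a pregnant patient to a specialist.
RECORD = {
    "patient_id": "PT-0001",
    "phi": {
        "demographics": {"name": "Jane Example", "dob": "1990-01-01"},
        "prenatal": "current pregnancy notes",
        "history_10y": "unrelated episode from ten years ago",
        PSYCHOTHERAPY_NOTES: "therapist's process notes",
    },
}
RECIPIENT = "OB specialist clinic"
TODAY = date(2019, 4, 15)
AUTH = Authorization(patient_id="PT-0001", recipient=RECIPIENT,
                     categories=frozenset({"demographics", "prenatal"}),
                     signed_on=date(2019, 3, 1), expires_on=date(2019, 9, 1))

if __name__ == "__main__":
    packet = prepare_release(RECORD, RECIPIENT, {"demographics", "prenatal"}, TODAY, AUTH)
    print(accounting_entry(RECORD, RECIPIENT, packet, TODAY))
    try:
        prepare_release(RECORD, RECIPIENT,
                        {"demographics", "prenatal", "history_10y"}, TODAY, AUTH)
    except ReleaseDenied as err:
        print("denied:", err)
```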


Cut Your Liability for Business Associate HIPAA Blunders

Your front desk team not only deals with patients, in many instances they are the primary contact for outside vendors, as well. Some of these vendors perform functions that require access to your patients’ PHI ... they are known as Business Associates (BAs).

NOTE: See Business Associate vendor type examples on page 60.

You may not realize it, but you can be liable if a BA accidentally releases patient PHI you gave them access to. To protect you and your practice, it is prudent to have each of your BAs sign a Business Associate Agreement (BAA). Having a BAA makes it so that your BAs can be investigated and penalized for their part in a breach of your patients’ PHI. However, it doesn’t completely absolve you from responsibility. Accordingly, it is important that you have a clear understanding of how your BAs are utilizing your patients’ PHI, and what processes they have in place to protect it.

The bottom line is that the Office for Civil Rights (OCR), the government agency that polices HIPAA, has made it abundantly clear that not knowing is no excuse for not meeting HIPAA compliance requirements. Period.

HIPAA BA Definition:

“… a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate.”

NOTE: “Covered Entity” is HIPAA’s term for you and your medical practice or facility.


Business Associate Agreements (BAAs)

BAAs must include the following to fully protect you and your practice from getting stuck with the liability for HIPAA violations caused by your BAs:

• Establish the rules for the use of your patients’ PHI by the BA

• Clearly state that the BA will protect your PHI

• Require the BA to report to you any disclosure of the patients’ PHI that wasn’t covered in the contract (including privacy breaches)

• Require the BA to provide information for patients who request copies of their records

• Require the BA to return the patients’ health records and information if your contract with them is terminated

SAMPLE FORM: You can find a sample Business Associate Agreement on page L-24 in the HIPAA Forms and Tools Library at the back of this report.

Differentiating Vendor Types

There are two clear types of vendors your practice and your front desk team work with on a daily basis:

1. Business Associate (BA):

Those vendors who receive formal access to your PHI because they can’t do their job without it. Each BA that you authorize to access your PHI should sign a BAA with your practice. This is the only way to ensure that they shoulder the responsibility to appropriately protect your patients’ private information.

Temporary staff agencies would be considered a BA. You should get a signed BAA with the agency. Also, the temporary staff working in your office should sign a confidentiality agreement to ensure they understand the sensitive nature of the information they are handling.

SAMPLE FORM: You can find a sample Employee Confidentiality Agreement on page L-35 in the HIPAA Forms and Tools Library at the back of this report.


2. Non-BA vendors: Those vendors who don’t formally have access to your patients’ PHI but can gain access to it by proximity. These vendors can be more of a challenge to manage. They may come in and out of your office, and you may have never considered them a HIPAA threat.

So, who are these vendors? Cleaning services are a good example. Although you don’t provide them with specific access to your patients’ PHI, they have access to it because they are working around it. As we mentioned earlier, if someone at your front desk (or anywhere else in your office) throws away a piece of paper with PHI on it, the cleaning staff might see private data as they empty your waste basket. Every time this happens, it could be considered a violation and end up costing you.

Even pharmaceutical reps who visit your office can create a HIPAA problem at your front desk. Let’s say a pharmaceutical rep is sitting in your reception area waiting to see the doctor. Intermittently they go up to the receptionist and ask when they will be able to see the doctor. Several times while they are at the front desk, new patients are checking in at the same time. Accordingly, the rep is able to overhear private information during the check-in process.

Overall, BAs can be easier to manage than non-BA vendors. You know you’ve formally given them access to your patients’ PHI, and you can proactively ensure they protect it. In fact, in many instances, your front desk plays a big role in tracking a BA’s compliance. It’s important that your front desk team be aware of what each BA’s role is, and what level of access to information they need to perform their jobs. Like everyone else, BAs should have access to no more information than is required for them to complete their task.

BA Management Tips

• It is strongly recommended that you keep a list of all BAs, their type of access (system and physical), and a thorough list of BA workforce members who can access your patients’ PHI. This list should be maintained regardless of the size of your practice and shouldn’t be visible to patients. This documentation is an important part of your HIPAA safety efforts and is essential to have in case of an investigation.

• File cabinets should be locked at the end of the day and the keys secured.

• Papers with PHI should be shredded, rather than tossed in a wastebasket, and so on.

• You should train on all of these procedures with your front desk staff. Then document and log the training accordingly.


Involving your front desk staff can make a huge difference in heading off vendor HIPAA violations before they become a problem. Get everyone on your reception team together to brainstorm all possible BAs and vendors you work with, their function, and what risk may be due to PHI exposure. After finalizing your list of BAs with your front desk team, keep it in a place that is readily viewable. This will serve you in good stead as part of your due diligence later on.

Communicating with your vendors is an incredibly important part of your efforts to keep your patients’ information secure. You should be clear to your vendors that your patients have an expectation of privacy and that is your priority, no exceptions. However, it is ultimately your responsibility to protect your patients’ PHI. That means keeping their information out of the hands of vendors that shouldn’t have access to it.

Business Associate Type Examples

The topic of Business Associates (BAs) is broader than just their interaction with your front desk staff. Below you’ll find a list of common BAs your practice may contract with. For more information on how to successfully work with BAs to ensure the privacy of your patients’ private healthcare information and to reduce your liability, go to: http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.

Business associate examples:

• Attorneys privy to PHI

• IT companies

• Data centers, PHI storage

• Medical billing companies

• Medical transcription firms

• Answering services

• Translating services

• EHR vendors

• Shredding services

• Coding auditors

• Any other entities or individuals with access to PHI

Non-BA vendor examples:

• Labs

• Contract physicians

• Office employees

• Students

• Medical practices

• Hospitals

• Nominal contact (painters, HVAC techs, etc.)

• Entity conduits (couriers, Internet providers, etc.)


Protect Yourself Against a Costly Data Breach

If your practice experiences a breach of your patients’ PHI, OCR investigators will request a copy of your Security Risk Assessment along with other possible documents. If you don’t have one when they ask, your chances of getting hit with a penalty skyrocket.

A Security Risk Assessment is required for you to be in compliance with the HIPAA Security Rule. Although your Risk Assessment document doesn’t exclusively deal with your front desk, because of the high breach potential, your front desk security efforts will most certainly be a big part of your record.

The purpose of a Security Risk Assessment document is to improve the security of your patients’ confidential information by:

1. Identifying HIPAA risk areas and vulnerabilities within your practice.

2. Creating an action plan to resolve or mitigate each one.

3. Documenting the results of your actions, showing how your patients’ confidential information is more protected after you implement your actions.

Now that you know what the information danger zones are, try walking through your office as if you are a patient, to spot potential violations. Walk in your front door, sit in your waiting room, and stand at your front desk as if you are checking in. Try walking to an exam room and then evaluating your checkout process. Each step your patient takes in your office can add a different HIPAA risk and potential violation.


IMPORTANT: Consider this guide a starting point only. A full risk assessment process also includes elements such as: Scope, Determine the Likelihood and Potential Impact of Threat Occurrence, Determine the Level of Risk, and Documentation. To create your full Risk Assessment documentation, we strongly suggest you download the Security Risk Assessment Tool from HealthIT.gov (https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool) and follow its directions.

Get Started Identifying Risks

Use the list below as a guide as you walk through your reception area (and your entire practice) to identify risks. Then, each time you identify an area of risk, document it, write up an action plan to mitigate the risk, and then document the results of your action plan. Use this as a simple foundation for your Security Risk Assessment documentation.

a. Location: Where your front desk is located can make a huge difference in your ability to protect your patients’ confidential healthcare information. No matter how good your front desk staff are, they won’t be able to keep PHI/IIHI secure if they are positioned right in the middle of your waiting room, so patients can see their computer screen or everything they say on the phone is easily overheard. (See the “Overheard Conversations” section on page 47 of this report for how to improve your HIPAA privacy depending on your front desk location.)

b. Equipment: Evaluate the location of computers, phones, and faxes in your office. Focus on what information can be seen, overheard, and printed. Look into the security of the fax machine and how frequently it is checked. If a pile of unattended faxes is spilling onto the floor, it is a potentially serious risk. (See “Avoiding Fax Machine Missteps” on page 39 for suggestions on how to make your fax machine more secure.)

NOTE: An asset inventory of all hardware and software that can store, create, transmit, or receive PHI is required to be in full compliance with PHI guidelines. Once this is created, don’t forget to update it every six months or so.


c. Chart security: Evaluate how secure your record maintenance storage is. Track how your patient paperwork moves through your office. Potential danger zones include desks where charts and paperwork pile up (like your front desk area), and chart pockets outside of exam rooms where PHI/IIHI may be visible. If you use chart pockets, be sure that nothing can be seen through them and that the information inside is tracked to avoid loss or theft. Do the same thing for electronic charts. Tablets and similar devices need to be tracked with the same diligence as paper charts.

d. Information destruction: Evaluate how all of your PHI/IIHI is destroyed. Remember, you should NEVER throw patient PHI in the trash — it should be shredded and securely discarded. Most of your staff will likely understand this concept and will shred documents that clearly are confidential. It’s more of a problem to police everyday information such as sticky notes used to remember something such as a user name and password that end up in the garbage. (See “Don’t Let Investigators Find More than Trash in Your Garbage” on page 52 for suggestions on how to safely discard your PHI/IIHI.) It’s important to assess both your paper and your digital risks and procedures.

e. Active work: Confirm that no PHI is exposed on desks, counters, or other open surfaces. Review front desk routines to make sure PHI/IIHI is not stacked up where anyone can access it. (See “Protect Your Computer Screen” on page 50 for suggestions on preventing loss of PHI on the screen.)

f. Networking: Evaluate computer (and networking) systems both internally and externally. Document current processes and procedures to determine potential weak spots in the storage, manipulation, dissemination, and transmission, as well as disposal of PHI/IIHI. Also consider having your employees sign a Workstation Use Policy as well as a Mobile Device Management Policy to make proper use of networking resources and smartphone use clear and documented.

SAMPLE FORMS: Find a sample Workstation Use Policy on page L-30 and a Mobile Device Management Policy on page L-32 in the HIPAA Forms and Tools Library at the back of this report.


g. Electronic data: Best practices dictate that all electronic data is encrypted. Data on laptops, peripheral memory units, thumb drives, etc. should all be encrypted and password protected so that PHI/IIHI remains secure even if the device itself is stolen.

SAMPLE FORMS: You can use the sample Asset Inventory Tracking Sheet provided on page L-4 in the HIPAA Forms and Tools Library at the back of this report to help you keep tabs on these potentially dangerous devices.

h. Email encryption: Get an encryption service for your email. Train your team members to NEVER send PHI/IIHI over unencrypted email such as standard Gmail or Hotmail accounts (only the professional versions are sufficient for ePHI). “Keeping Email Secure” on page 42 tells you what you need to know about implementing email encryption.

i. Anti-virus and firewalls: Your anti-virus and firewall protection should always be kept up-to-date. With the increasing emphasis on electronic transmission, this is VERY important. Experts recommend avoiding free anti-virus products. Purchase a well-known and regarded anti-virus package such as Norton (http://www.symantec-norton.com) or Kaspersky (www.kaspersky.com), and keep it updated regularly.

j. Disaster recovery: You must have a written Disaster Recovery Plan that safeguards all of your electronic and written patient information. Everyone at your front desk (and your entire practice) needs to know what to do in a disaster situation to safeguard and preserve patient protected information. Patients have a right to expect that their information is secure from loss. Many experts recommend cloud-based backup because it is located off-site and is encrypted.

SAMPLE FORM: Find a sample Disaster Recovery Plan document on page L-36 and a sample Contingency Plan on page L-40 in the HIPAA Forms and Tools Library at the back of this report.

k. Staff Security: Everyone working in your office should always wear appropriate identification. Your patients have a right to know whom they’re talking to. In many busy offices, patients could easily approach the wrong person — including a BA — and disclose personal information. Having the patient know at a glance who they should talk to avoids the danger of them talking about PHI with someone who isn’t appropriate. And there is another good reason for having staff identified at all times. Having the name of your front desk staff helps break the ice with patients. It allows the needed relationship-building to begin. Establishing a personal relationship with patients from the start is a powerful tool for avoiding complaints and maintaining patients longer.

l. Staff non-disclosure: Have all of your staff members sign a non-disclosure form that clearly describes the importance of protecting PHI. Be sure your employees take the time to read the agreement and understand how central it is to their jobs. It’s important that they also understand that they carry personal liability, should they ever cause a breach.

SAMPLE FORM: A sample Employee Confidentiality Agreement is on page L-35 in the HIPAA Forms and Tools Library at the back of this report.

m. Passwords: Instruct everyone to safeguard and keep their passwords private. No one should ever share a password. Unique passwords must be issued to each individual member of your team (this is a HIPAA requirement). A password should give a person access ONLY to what they need to do their job. If someone forgets a password, cancel it, and issue a new one. (See more on protecting your passwords on page 51.)

n. Release of information: Determine who or what entities you typically share information with, inside and outside the office. Map out to whom information can be released and how to physically protect the information (physical records, oral communication, hard copy, or electronic, etc., as well as email, fax, electronic storage devices, etc., in and out of the office). Also, determine an appropriate method for tracking patient PHI disclosure limitations as well as instances where the patient may revoke consent. Your information sharing procedures should include getting signed forms and checking for opt-out form limitations before releasing any PHI. (See “How to Avoid Payment Opt-Out Complications” on page 33 to help you think about these procedures.)


o. Notice of privacy practices: Evaluate how you deliver your Notice of Privacy Practices (NPP) to your patients and how you ask them to acknowledge receipt. You have to make a good faith effort to get them to sign (although they are not required to sign), and you have to document if they refuse. (You’ll find more information in “Avoid Top Notice of Privacy Practice Pitfalls” on page 21.)

SAMPLE FORM: You can find a sample Disclosure Authorization Form, a Privacy Policy and a Notice of Privacy Practices form on pages L-23, L-8 and L-12 in the HIPAA Forms and Tools Library at the back of this report.

p. Posted information: Patient sign-in sheets, posted schedules, etc., should contain the minimal amount of PHI, and you must be proactive in stopping this information from being seen by others. (See “Sign-In Sheet Security Solutions” on page 15 for ideas and suggested practices.)

q. Verbal information: Conversations must be held at confidential voice levels on the phone, in treatment areas, at your front desk, in the waiting room, during check-in and checkout, when collecting money, and in discussions between staff members. And certainly, no PHI should EVER be released over the intercom. (See “Overheard Conversations” on page 47 for examples of what you can do to reduce violations.)

Going through your office to identify HIPAA risks is not a “one time” exercise. Set yourself a schedule to check your risk areas regularly (monthly, quarterly, etc.), and document what you find each time. Your goal is to make sure your front desk (and entire office) setup remains secure and that you are conducting new staff training and regular refreshers for tenured staff, so everyone is on the same page. You should provide access to all documentation that helps reinforce good privacy habits to your entire office.

TIP: Handing an investigator a 4-year-old risk assessment document doesn’t protect you. At a minimum, update all your forms and your Risk Assessment document annually. Also, update any training required on an annual basis.

SAMPLE FORMS: You can use the sample Front Desk Secure Station Checklist on page L-29 and the sample Front Desk Risk Assessment Checklist on page L-19 in the HIPAA Forms and Tools Library at the back of this report.


Head Off HIPAA Front Desk Nightmares Checklist

Use the checklist below to help determine how HIPAA-compliant your front desk is. Any of the items you mark as “No” should be further examined.

1. Do you have an updated risk assessment document? YES NO

2. Have you designated a HIPAA Security and Privacy Official for your practice? YES NO

3. Have you explained personal liability for HIPAA violations and fines to all staff? YES NO

4. Does everyone in your office know all 18 personal information danger zones? YES NO

5. Have all staff members signed a non-disclosure agreement? YES NO

6. Have all staff signed your social networking policy? YES NO

7. Do you have a Business Associate Agreement signed for all your business associates? YES NO

8. Is your staff trained on telephone techniques? YES NO

9. Have you trained all staff on appropriate check-in scenarios? YES NO

10. Is your sign-in sheet HIPAA-compliant? YES NO

11. Is your NPP documentation updated, and is your staff trained on making a “good faith” effort to get patient signatures? YES NO

12. Is your staff trained on the Patient Opt-Out form? YES NO

13. Is your staff trained on information release and the minimum necessary requirement? YES NO

14. Do you have comprehensive HIPAA policies and procedures? YES NO


How to Access Your HIPAA Forms & Tools Library

The remainder of this handbook is dedicated to providing you with HIPAA-compliant sample forms, checklists, and other resources that will help you head off front desk HIPAA violations before they occur.

Along with this report, you will receive access to the electronic versions of these documents. This will allow you to customize them to meet your specific practice needs.

You should have received an email with instructions on how to access your electronic forms. If you have not received an email, or have any problems accessing your HIPAA forms library, please call us at 800-767-1181.


SAMPLE DOCUMENTS DISCLAIMER

The sample documents in this report are examples only. The documents have been compiled from a variety of healthcare practices, systems, and companies, and reviewed for HIPAA compliance.

These sample documents are not meant to be complete or exhaustive in any way. Because each medical practice is different, you should develop your own unique policies that are aligned with your specific needs. Accordingly, feel free to use these sample forms, checklists, and policies as foundations for your own documents.

These documents are available to purchasers of this report in a Word format to facilitate adaptation to your office’s needs. Please refer to the directions on the back page of this report for instructions on how to access your HIPAA document library. If you have any problems accessing the documents in your library, you may contact our support team at [email protected] or 800-767-1181.

As regulations change, the requirements related to these documents may also change. Accordingly, you should regularly review these documents to ensure they are in compliance with the most recent applicable laws and regulations.


Front Desk HIPAA Forms and Checklists Library

Table of Contents

Data Encryption Checklist ... L-2

Sample Portable Asset Inventory Tracking Sheet ... L-4

Destruction of Patient PHI Policy ... L-5

Sample HIPAA Release of Information Authorization Form ... L-6

Sample Privacy Policy ... L-8

Sample Request to Opt-Out of Using Contracted Insurance ... L-11

Sample Notice of Privacy Practices ... L-12

Sample 2-Up Sign-in Card ... L-18

Sample Front Desk Secure Station Checklist ... L-19

Sample Use of Social Media Policy ... L-20

Sample Authorized Disclosure Consent Form ... L-23

Sample Business Associate Agreement ... L-24

Sample Front Desk Risk Assessment Checklist ... L-29

Sample Workstation Use Policy ... L-30

Sample Mobile Device Policy for Acceptable Use ... L-32

Sample Employee Confidentiality Agreement ... L-35

Sample Disaster Recovery Plan (DRP) ... L-36

Sample Contingency Plan Form ... L-40

Sample Media Disposal and Re-Use Policy ... L-46


Data Encryption Checklist

There are many encryption methods and technologies you can use to protect your data from being accessed and viewed by unauthorized users. To determine if you need an encryption system, or if you are at risk, you should assess the following:

1. Emails: (Do you send emails containing PHI?)

Yes No Are they encrypted?

Yes No Do you have a process or policy in place that forbids sending emails over nonencrypted services?

Yes No Do you have a process in place to ensure emails are being sent securely?

2. Texting: (Do you text PHI? If so, where is it texted from, and is it protected?)

Office Protected Not Protected

Home Protected Not Protected

Other places Protected Not Protected

All of the above Protected Not Protected

3. Remote Access: (Do you provide remote access to your PHI?)

Yes No Is your remote access protected?

Yes No Do you regularly change passwords for staff with remote access?

Yes No Do you control what data is accessible to each person when they log in?

Yes No Do you keep a log of who has access to your data remotely?

4. Networking/Equipment: (Are your network and equipment protected?)

Yes No Is your wireless network encrypted?

Yes No Is your guest wireless on a segregated network?


Yes No Do any portable devices/equipment containing PHI leave your practice/business (e.g., thumb drives, CDs, laptops, etc.)?

Yes No If applicable, do you track the return of portable devices/equipment?

5. Scanning Documents: (Do you scan PHI?)

Yes No After scanning paper documents do you keep the paper copies on site?

Yes No After scanning paper documents, do you have the paper copies destroyed?

Yes No Do you keep scanned documents in your EHR?

Yes No Are additional versions of scanned documents deleted from your system?

Yes No Are scans being sent as attachments to emails?

Yes No If you send scanned PHI as attachments to emails, are these emails automatically deleted once sent?

This sample document is from a 2019 Training Leader handbook, Head Off Front Desk HIPAA Nightmares.

You may edit and reproduce this form as you wish with our compliments. www.HCtrainingleader.com • 1-800-767-1181


Sample Portable Asset Inventory Tracking Sheet

*PEL = Portable Electronic Equipment

Columns: Log Entry Date | PEL ID# | Staff Member Assigned PEL | Reason for PEL* Assignment | Date PEL Returned | Initials


Destruction of Patient PHI Policy

HIPAA requires us to maintain the confidentiality of our patients’ protected health information (PHI), a requirement that extends during the destruction of PHI. However, PHI should never be destroyed simply because a patient has died. These records must be maintained based on each state’s retention requirements. Individual states have specific retention requirements that should be used to establish the organization’s retention policy. Refer to your state laws for state-specific record retention requirements. This is a decision that only practice management should make. [INSERT any additional state requirements here]

Destruction of patient health information by the practice must be carried out in accordance with federal and state law and in accordance with each state’s retention requirements. Any records involved in any open investigation, audit, or litigation must not be destroyed until the litigation case has been closed.

Paper records: Should you identify paper PHI that is ready to be destroyed, it should be shredded or pulverized. If not shredded immediately, you should put the paper in a secured document-destruction bin provided by the company we contract with for shredding services [INSERT name of company here. NOTE: All vendors that destroy PHI must sign a Business Associate Agreement].

The practice also can use its own heavy-duty shredder. Paper PHI must never be discarded in the regular trash. NOTE: When selecting a shredder, consider one that is commercial grade and is appropriate for the volume of documents that need to be shredded.

Electronic records: When patients’ PHI is stored or saved electronically, it is considered ePHI, electronic protected health information. When ePHI must be destroyed, like paper records, the HIPAA Security Rule requires it be completely destroyed. There are a variety of methods for destroying ePHI depending on the device or medium (overwriting of electronic media, magnetic degaussing, pulverizing, incinerating, cutting, etc.). You should never decide to delete ePHI without permission from practice management.

Should a computer or other device that contains ePHI no longer be functional or needed, it should never be sold, given away, donated, or thrown away without permission from management. It is always best to consider using an outside vendor to completely remove all ePHI before the equipment is released. This must also be done for any equipment slated for destruction.

Should you have questions about record retention requirements or the destruction process, please ask your supervisor.


Sample HIPAA Release of Information Authorization Form

This form provides authorization for the use or disclosure of your protected health information as required by the Health Insurance Portability and Accountability Act, 45 C.F.R. Parts 160 and 164. Please complete as indicated below, and sign and date at the bottom. I authorize the release of my complete health record (including records relating to mental healthcare, communicable diseases, HIV or AIDS, and treatment of alcohol or drug abuse).

1. AUTHORIZATION: I authorize [INSERT Practice or Provider Name] to use and disclose the protected health information described below to (individual seeking the information).

2. EFFECTIVE PERIOD: This authorization for release of information covers the period of healthcare:

a. From __________to ________________ OR

b. all past, present, and future periods.

3. EXTENT OF AUTHORIZATION:

a. I authorize the release of my complete health record (including records relating to mental healthcare, communicable diseases, HIV or AIDS, and treatment of alcohol or drug abuse). OR

b. I authorize the release of my complete health record with the exception of the following information:

Mental health records

Communicable diseases (including HIV and AIDS)

Alcohol/drug abuse treatment

Other (please specify): _______________________________________________

c. I authorize messages regarding the below approved items left at the following phone number(s):

Billing Information

Appointment Calls

Test Results

Other: ___________________________________________________________


4. PURPOSE: This medical information may be used by the person I authorize to receive this information for medical treatment or consultation, billing or claims payment, or other purposes as I may direct.

5. EXPIRATION: This authorization shall be in force and effect until [INSERT date or event] at which time this authorization expires.

6. REVOCATION: I understand that I have the right to revoke this authorization, in writing, at any time. I understand that a revocation is not effective to the extent that any person or entity has already acted in reliance on my authorization or if my authorization was obtained as a condition of obtaining insurance coverage and the insurer has a legal right to contest a claim.

7. TREATMENT: I understand that my treatment, payment, enrollment, or eligibility for benefits will not be conditioned on whether I sign this authorization.

8. PROTECTION: I understand that information used or disclosed pursuant to this authorization may be disclosed by the recipient and may no longer be protected by federal or state law.

Patient/Personal representative signature: ____________________________________ Date: _______________

Printed name of patient or personal representative: ___________________________________________

Relationship to patient: ___________________________________________


Sample Privacy Policy

In compliance with the HIPAA Privacy Rule, the workforce shall implement reasonable safeguards to ensure the confidentiality of PHI and to safeguard patients’ PHI and systems and data.

I. Protection of information on computers.

a. [INSERT Practice Name] shall comply with the HIPAA Security Rule to ensure that its electronic PHI is stored securely.

b. All workforce members shall comply with the HIPAA Policies and Procedures relating to security, including without limitation the Policy and Procedure titled “WORKSTATION USE” in order to protect PHI on computers.

II. Protection of paper records.

a. Confidential trash bins shall be used when disposing of any documents containing PHI, and such documents shall be shredded prior to disposal.

b. Paper records and medical charts will be stored or filed to avoid observation by patients or visitors.

c. Medical record departments, areas, file cabinets shall be locked or otherwise secured when unattended, and access shall be limited to the workforce who have a legitimate business need for such access.

d. Patient charts, encounter forms, and other documents containing patient information shall be kept face-down or covered and shall not be left where passersby can see their contents.

e. Medical record charts and other medical information outside exam rooms shall be placed facing the door or the wall.

f. Patient lists, including scheduled procedures and appointments, shall not be readily visible by patients or visitors.

g. Physical access to fax machines and printers shall be limited to authorized workforce members.

h. Confidential information shall not be left on an unattended printer, photocopier, or fax machine, unless these devices are in a secure area.


III. Protection from oral disclosure.

a. To the extent possible, phone conversations shall be held in areas where confidential information cannot be overheard. When speaking on the telephone, the workforce shall avoid excessive use of the patient’s name.

b. The workforce shall not make calls to patients, engage in face-to-face discussions with patients, or discuss patient matters in areas where such conversations can be overheard by other patients or visitors to the office.

c. Curtains or screens will be placed in areas where oral communications often occur between doctors and patients, or among professionals treating patients.

d. The workforce will not discuss patient information with anyone in a social conversation.

e. The workforce will not discuss the reason for, or any details regarding, a patient’s visit in the waiting area or in front of others who have no need for such information.

f. The workforce will anticipate patient privacy needs when giving out test or evaluation results, setting up referrals, or scheduling appointments.

g. The workforce will not reveal to a third party (including a spouse, employer, friend, or stranger) that a patient is being treated, has been treated, or will be treated by [INSERT Practice Name] unless such disclosure is authorized by another Policy and Procedure.

h. Dictation must be completed in an area where confidential information cannot be overheard.

i. Answering machines are turned down so information being left cannot be overheard by other staff or visitors.

IV. Overall safeguards.

a. Confidential information shall remain in the medical record. Medical records may be removed from [INSERT Practice Name] only by a physician authorized to do so for purposes of patient care at outreach clinics or other outside locations. The physician will return the medical records to the proper storage area upon completion of his/her work at the outside location. Other confidential information should not be copied or removed in any form from the medical records storage areas without appropriate approval.

b. Visitors and patients must be appropriately escorted at all times to ensure they do not access staff areas, dictating rooms, or chart storage, and non-patient visitors, including without limitation, vendor representatives and pharmaceutical sales representatives, must never be permitted in areas that may contain confidential information.

c. Release of confidential information shall be done by staff specifically authorized to do so.

d. When a workforce member with access to protected health information is terminated, all future access of such member to PHI shall be denied, the terminated member shall immediately return all keys, access cards, and documents containing protected health information, and passwords will be changed immediately to prevent unauthorized access via the [INSERT Practice Name] computer systems.

V. Plan for disaster.

A written Disaster Recovery Plan (which is a part of your Contingency Plan) is required by law, but it is also good practice. If you have a complete system outage, you must still be able to access PHI in a timely manner.

Of course, good backups have to be maintained. And there should be a hard-copy list of names and phone numbers of anyone who needs to be contacted in case of a disaster.


Sample Request to Opt-Out of Using Contracted Insurance

Patient Name:

Date of Birth:

Medical Record #:

IMPORTANT: If you opt out of using your insurance for a specific service or for all services on a specific date, insurance will not and cannot be filed for these services at any later date.

Columns: Date | Identify Services for Which You Will NOT Use Any Insurance Benefits | Amount Due at Time of Service

WHAT OPTING OUT OF USING YOUR INSURANCE MEANS TO YOU:

• Your insurance will not be filed for the services indicated above, nor may you file the insurance yourself.

• The medical records related to the services indicated above will not be released to any third party unless you sign a release authorization or if required by law.

• You are required to pay in full for the services at the time you receive the services.

• Please ask any questions you have about this process before signing below.

Signing below means you have read this notice and will not use your insurance benefits for payment for the services listed above. You agree to be financially responsible for the full cost of the above services.

Signature: ____________________ Date: __________

Witness Signature: ____________________ Date: __________

Payment Received by: ____________________

Records Locked Down by: ____________________

[INSERT Your Practice name, address, phone, email, website, etc.]


Sample Notice of Privacy Practices

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

YOUR RIGHTS

You have the right to:

• Get a copy of your paper or electronic medical record

• Correct your paper or electronic medical record

• Request confidential communication

• Ask us to limit the information we share

• Get a list of those with whom we’ve shared your information

• Get a copy of this privacy notice

• Choose someone to act for you

• File a complaint if you believe your privacy rights have been violated

YOUR CHOICES

You have some choices in the way that we use and share information as we:

• Tell family and friends about your condition

• Provide disaster relief

• Include you in a hospital directory

• Provide mental-health care

• Market our services and sell your information

• Raise funds

OUR USES AND DISCLOSURES

We may use and share your information as we:

• Treat you

• Run our organization


• Bill for your services

• Help with public health and safety issues

• Do research

• Comply with the law

• Respond to organ and tissue donation requests

• Work with a medical examiner or funeral director

• Address workers’ comp, law enforcement, and other government requests

• Respond to lawsuits and legal actions

YOUR RIGHTS

When it comes to your health information, you have certain rights. This section explains your rights and some of our responsibilities to help you.

Get an electronic or paper copy of your medical record:

• You can ask to see or get an electronic or paper copy of your medical record and other health information we have about you. Ask us how to do this.

• We will provide a copy or a summary of your health information, usually within 30 days of your request. We may charge a reasonable, cost-based fee.

Ask us to correct your medical record:

• You can ask us to correct health information about you that you think is incorrect or incomplete. Ask us how to do this.

• We may say “no” to your request, but we’ll tell you why in writing within 60 days.

Request confidential communications:

• You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address.

• We will say “yes” to all reasonable requests.

Ask us to limit what we use or share:

• You can ask us not to use or share certain health information for treatment, payment, or our operations. We are not required to agree to your request, and we may say “no” if it would affect your care.


• If you pay for a service or healthcare item out-of-pocket in full, you can ask us not to share that information for the purpose of payment or our operations with your health insurer. We will say “yes” unless a law requires us to share that information.

Get a list of those with whom we’ve shared information:

• You can ask for a list or an accounting of the times we’ve shared your health information for six years prior to the date you ask, whom we shared it with, and why.

• We will include all the disclosures except for those about treatment, payment, and healthcare operations, and certain other disclosures (such as any you asked us to make). We’ll provide one accounting a year for free but will charge a reasonable, cost-based fee if you ask for another within 12 months.

Get a copy of this privacy notice:

You can ask for a paper copy of this notice at any time, even if you have agreed to receive the notice electronically. We will provide you with a paper copy promptly.

Choose someone to act for you:

• If you’ve given someone medical power of attorney, or if someone is your legal guardian, that person can exercise your rights and make choices about your health information.

• We will confirm the person has the authority and can act for you before action is taken.

File a complaint if you feel your rights are violated:

• You can complain if you feel we have violated your rights by contacting our office manager or any one of our physicians.

• You can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Ave., S.W., Washington, D.C. 20201, calling 877-696-6775, or visiting www.hhs.gov/ocr/privacy/hipaa/complaints/.

• We will not retaliate against you for filing a complaint.

YOUR CHOICES

For certain health information, you can tell us your choices about what we share. If you have a clear preference for how we share your information in the situations described below, talk to us. Tell us what you want us to do, and we will follow your instructions.


In these cases, you have both the right and choice to tell us to:

• Share information with your family, close friends, or others involved in your care

• Share information in a disaster relief situation

• Include your information in a hospital directory

If you are not able to tell us your preference, for example if you are unconscious, we may go ahead and share your information if we believe it is in your best interest. We may also share your information when needed to lessen a serious and imminent threat to health or safety.

In these cases, we never share your information unless you give us written permission:

• Marketing purposes

• Sale of your information

• Most sharing of psychotherapy notes

In the case of fundraising: We may contact you for fundraising efforts, but you can tell us not to contact you again.

OUR USES AND DISCLOSURES

How do we typically use or share your health information?

We typically use or share your health information in the following ways.

• Treat you: We can use your health information and share it with other professionals who are treating you. Example: A doctor treating you for an injury asks another doctor about your overall health condition.

• Run our organization: We can use and share your health information to run our practice, improve your care, and contact you when necessary. Example: We use health information about you to manage your treatment and services.

• Bill for your services: We can use and share your health information to bill and get payment from health plans or other entities. Example: We give information about you to your health insurance plan, so it will pay for your services.

How else can we use or share your health information?

We are allowed or required to share your information in other ways — usually in ways that contribute to the public good, such as public health and research. We have to meet many conditions in the law before we can share your information for these purposes. For more information see: www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html.


• Help with public health and safety issues: We can share health information about you for certain situations such as:

– Preventing disease

– Helping with product recalls

– Reporting adverse reactions to medications

– Reporting suspected abuse, neglect, or domestic violence

– Preventing or reducing a serious threat to anyone’s health or safety

• Do research: We can use or share your information for health research.

• Comply with the law: We will share information about you if state or federal laws require it, including with the Department of Health and Human Services if it wants to see that we’re complying with federal privacy law.

• Respond to organ and tissue donation requests: We can share health information about you with organ procurement organizations.

• Work with a medical examiner or funeral director: We can share health information with a coroner, medical examiner, or funeral director when an individual dies.

• Address workers’ comp, law enforcement, and other government requests: We can use or share health information about you:

– For workers’ compensation claims

– For law enforcement purposes or with a law enforcement official

– With health oversight agencies for activities authorized by law

– For special government functions such as military, national security, and presidential protective services

• Respond to lawsuits and legal actions: We can share health information about you in response to a court or administrative order, or in response to a subpoena.

OUR RESPONSIBILITIES

• We are required by law to maintain the privacy and security of your protected health information.

• We will let you know promptly if a breach occurs that may have compromised the privacy or security of your information.


• We must follow the duties and privacy practices described in this notice and give you a copy of it.

• We will not use or share your information other than as described here unless you tell us in writing that we can. If you tell us we can, you may change your mind at any time. Let us know in writing if you change your mind.

Changes to the terms of this notice

We can change the terms of this notice, and the changes will apply to all information we have about you. The new notice will be available upon request, in our office, and on our website.

Other instructions for notice

• Insert effective date of this notice

• Insert name or title of the privacy official (or other privacy contact) and his/her email address and phone number.

• Insert any special notes that apply to your entity’s practices, such as “We never market or sell personal information.”

• The Privacy Rule requires you to describe any state or other laws that require greater limits on disclosures. For example, “We will never share any substance-abuse treatment records without your written permission.” Insert this type of information here. If no laws with greater limits apply to your entity, no information needs to be added.

• If your entity provides patients with access to their health information via the Blue Button protocol, you may want to insert a reference to it here.

Patient Signature (Please date and sign this form):

Name of Patient (Print or Type) Date

Signature of Patient or Authorized Representative Relationship to Patient

This sample document is from a 2019 Training Leader handbook, Head Off Front Desk HIPAA Nightmares.

You may edit and reproduce this form as you wish with our compliments. www.HCtrainingleader.com • 1-800-767-1181


Sample 2-Up Sign-in Card

Thank You for Choosing ABC Family Medicine

To help ensure the privacy of your personal information, please complete this card and hand it to someone at our front desk. Please print your information.

Name: ________________________________________________________________

Date: _____________________________

Time of Arrival: _____________________ [ ] am [ ] pm

Time of Appointment: _______________ [ ] am [ ] pm

Provider You are Here to See: ______________________________________________

If you’ve changed your address or insurance within the last year, please include your driver’s license and insurance card when you hand in this completed card.

IMPORTANT: Please do NOT leave your completed card unattended at the desk. If no one is at the desk when you try to hand it in, someone will be back soon to accept it from you personally.


This sample document is from a 2019 Training Leader handbook, Head Off Front Desk HIPAA Nightmares.

You may edit and reproduce this form as you wish with our compliments. www.HCtrainingleader.com • 1-800-767-1181


Sample Front Desk Secure Station Checklist

Front Desk Secure Station Checklist

For use when securing your front desk at break time, end of shift, or end of the day.

Are computers logged off and screens cleared?

Are all records secure and filing cabinets locked?

Are all desktops, counter tops and surfaces clear of any PHI, passwords or login/access codes?

Are trash receptacles empty of all PHI, passwords or login/access codes?

Has all discarded material containing PHI, passwords or login/access codes been securely shredded and has the shredded material been discarded appropriately?

Is the front desk office area securely locked? (May be end of day only.)

This sample document is from a 2019 Training Leader handbook, Head Off Front Desk HIPAA Nightmares.

You may edit and reproduce this form as you wish with our compliments. www.HCtrainingleader.com • 1-800-767-1181


Sample Use of Social Media Policy

Purpose:

To describe the rules governing appropriate access to and utilization of social media by employees of [INSERT Company Name] – going forward [INSERT Company Name] will be referred to as “Company.”

This policy applies to any member of the company workforce who uses social media for personal purposes and posts company-related content, whether during or off work. It applies to the use of social media when away from work, when the workforce member’s company affiliation is identified, known or apparent. It does not apply to content that is unrelated to the company.

The ultimate goal of this policy is to keep company patients’ personal information confidential at all times.

Policy:

1. Company expects its employees to reflect the organization’s core values when posting content about the company in any social media. This rule applies to all social media postings, even those on personal sites or pages, such as Facebook. All company employees are personally responsible for their posting on social media.

2. Company employees must comply with all laws and regulations that apply to them as company employees when they post on any social media.

a. All company employees are prohibited from disclosing on any social media site any Protected Health Information (PHI) or Personally Identifiable Information (PII) they have obtained through their work at the company.

b. All company employees are prohibited from disclosing any of company confidential or proprietary information on any social media site.

c. All company employees are prohibited from engaging in any unlawful discrimination or bullying of other company employees through postings on any social media.

d. All Company employees must refrain from violating the privacy rights of company patients, members, and visitors by posting a photo, image, or description of the patient, member, or visitor on any social media site without consent of the patient, member, or visitor. Privacy rights can be violated if the posting on social media contains enough detail, so the patient, member, or visitor can be identified even if the person’s identity is not expressly stated.


3. Company employees may not disparage the services and care company patients and members receive in postings on social media. This violation is more serious when patients and members have access to the social media posting, such as when patients or members are “friends” on an employee’s personal social media site or page, such as a Facebook page.

4. Company employees must obtain advance written approval to use official company logos, photos, videos, or images on personal social media sites or postings.

5. Contractors and vendors performing services for company are subject to the rules and prohibitions of this policy when posting company-related information on any social media site.

Enforcement:

1. Company employees: Conduct deemed in violation of this policy may result in corrective action up to and including termination of employment. Human resources will assist decision-makers in determining corrective action.

2. Contractors and vendors: Conduct deemed in violation of this policy will result in a company request that the contractor be immediately removed from company property and from XYZ Health System related work or the termination of the related company contract.

3. Interpretation: This policy shall be interpreted and applied in a manner as to comply with all applicable laws.

Definitions:

1. Confidential information: Company employee, customer, patient, and proprietary information that is not generally available in the public domain. This is the default level for all information under company custody and control except that information specifically declared to be either public or restricted. Examples of confidential information include, but are not limited to:

• Protected Health Information (PHI) and Personally Identifiable Information (PII)

• Passwords

• Operating methods

• Marketing tactics and supporting materials not otherwise available in the public domain

• Patient/customer/member information

• Employee information and records

• Any and all financial or business strategy information including, but not limited to, all enterprise strategy, business unit and entity plans, drafts and supporting data.


2. Personally Identifiable Information (PII): Information which can be used to distinguish or trace an individual’s identity, such as their name, Social Security Number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

3. Protected Health Information (PHI): PHI consists of health information that has been transmitted or maintained in any medium (written, oral, or electronic) that:

a. Identifies the individual; or

b. There is a reasonable basis to believe the information can be used either alone or in combination with other information to identify the individual;

And the information

a. Relates to the past, present, or future physical or mental health or condition of an individual or the provision of healthcare to an individual; or

b. Relates to the past, present, or future payment for the provision of healthcare to an individual.

4. Social media: Any online publication and content, including but not limited to postings, pages, blogs, or wikis and social networking sites such as Snapchat, Instagram, Facebook, LinkedIn, Twitter, Flickr, and YouTube.

5. Workforce: Company employees, contractors, volunteers, trainees, and other persons whose conduct, in the performance of work, is under the direct or indirect control of company, whether or not they are paid. All such persons are subject to this policy.

Policy Ownership Information:

Person that Owns Policy:___________________________________________________

Department:______________________________________________________________

Dates:________________________

Reviewed:________________________________________________________________

Next Planned Review Date: _________________________________________________

This sample document is from a 2019 Training Leader handbook, Head Off Front Desk HIPAA Nightmares.

You may edit and reproduce this form as you wish with our compliments. www.HCtrainingleader.com • 1-800-767-1181


Sample Authorized Disclosure Consent Form

In connection with the medical services I am receiving from my physician, Dr. ________________, I consent that photographs may be taken of me or parts of my body, under the following checked conditions:

[ ] The photographs may be taken only with the consent of my physician and under such conditions and at such times as may be approved by him/her.

[ ] The photographs shall be taken by my physician or a photographer approved by my physician.

[ ] The photographs shall be used for medical records, and if in the judgment of my physician, medical research, education, or science will be benefited by their use, such photographs and information relating to my case may be published and republished, either separately or in connection with each other, in professional journals or medical books, or used for any other purpose that may be deemed proper in the interests of medical education, knowledge, or research, provided, however, that it is specifically understood that in any such publication or use I shall not be identified by name.

[ ] The aforementioned photographs may be modified or retouched in any way that my physician may consider desirable.

[ ] The photographs shall be used as part of my physician’s office display of patients, visible to office visitors, for as long as my physician wishes to keep them posted, subject to my revocation in writing.

Patient Signature (Please date and sign this form)

Name of Patient (Print or Type) Date

Signature of Patient or Authorized Representative Relationship to Patient

This sample document is from a 2019 Training Leader handbook, Head Off Front Desk HIPAA Nightmares.

You may edit and reproduce this form as you wish with our compliments. www.HCtrainingleader.com • 1-800-767-1181


Sample Business Associate Agreement

Definitions:

Catch-all definition: The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

Specific Definitions:

a. Business associate or BA. “Business associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean [Insert Name of Business Associate].

b. Covered entity or CE. “Covered entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean [Insert Name of Covered Entity].

c. HIPAA rules. “HIPAA rules” shall mean the privacy, security, breach notification, and enforcement rules at 45 CFR Part 160 and Part 164.

Obligations and Activities of Business Associate:

Business associate agrees to:

a. Not use or disclose protected health information (PHI) other than as permitted or required by this agreement or as required by law;

b. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by the agreement;

c. Report to the CE any use or disclosure of PHI not provided for by the agreement of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR 164.410, and any security incident of which it becomes aware; [You may wish to add additional specificity regarding the breach notification obligations of the BA, such as a stricter time frame for the BA to report a potential breach to you and/or whether the BA will handle breach notifications to individuals, the HHS Office for Civil Rights (OCR), and potentially the media, on your behalf.]


d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the BA agree to the same restrictions, conditions, and requirements that apply to the BA with respect to such information;

e. Make available PHI in a designated record set to the [INSERT: “covered entity,” “individual” or “the individual’s designatee”] as necessary to satisfy covered entity’s obligations under 45 CFR 164.524; [The parties may wish to add additional specificity regarding how the BA will respond to a request for access that the BA receives directly from the individual (such as whether and in what time and manner a BA is to provide the requested access or whether the BA will forward the individual’s request to the covered entity to fulfill) and the time frame for the BA to provide the information to the covered entity.]

f. Make any amendment(s) to PHI in a designated record set as directed or agreed to by the CE pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy CE’s obligations under 45 CFR 164.526; [The parties may wish to add additional specificity regarding how the BA will respond to a request for an amendment that the BA receives directly from the individual (such as whether and in what time and manner a BA is to act on the request for amendment or whether the BA will forward the individual’s request to the CE) and the time frame for the BA to incorporate any amendments to the information in the designated record set.]

g. Maintain and make available the information required to provide an accounting of disclosures to the [INSERT “covered entity” or “individual”] as necessary to satisfy CE’s obligations under 45 CFR 164.528; [The parties may wish to add additional specificity regarding how the BA will respond to a request for an accounting of disclosures that the BA receives directly from the individual (such as whether and in what time and manner the BA is to provide the accounting of disclosures to the individual or whether the BA will forward the request to the CE) and the time frame for the BA to provide information to the CE.]

h. To the extent the BA is to carry out one or more of CE’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the CE in the performance of such obligation(s); and

i. Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.

Permitted Uses and Disclosures by Business Associate:

a. BA may only use or disclose PHI as indicated below: [INSERT OPTIONS: Provide a specific list of permissible purposes OR reference an underlying service agreement, such as “as necessary to perform the services set forth in Service Agreement.” In addition to other permissible purposes, you should specify whether the BA is authorized to use PHI to de-identify the information in accordance with 45 CFR 164.514(a)-(c). You may also wish to specify the manner in which the BA will de-identify the information and the permitted uses and disclosures by the BA of the de-identified information.]

b. BA may use or disclose PHI as required by law.

c. BA agrees to make uses and disclosures and requests for PHI [INSERT OPTIONS: consistent with CE’s minimum-necessary policies and procedures, OR subject to the following minimum-necessary requirements: [Include specific minimum-necessary provisions that are consistent with the CE’s minimum-necessary policies and procedures.]]

d. BA may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by the CE. [If the Agreement permits the BA to use or disclose PHI for its own management and administration and legal responsibilities or for data aggregation services as set forth in optional provisions (e), (f), or (g) below, then add, “except for the specific uses and disclosures set forth below.”]

e. [OPTIONAL INSERT: BA may use PHI for the proper management and administration of the BA or to carry out the legal responsibilities of the BA.]

f. [OPTIONAL INSERT: BA may disclose PHI for the proper management and administration of BA or to carry out the legal responsibilities of the BA, provided the disclosures are required by law, or BA obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies BA of any instances of which it is aware in which the confidentiality of the information has been breached.]

g. [OPTIONAL INSERT: BA may provide data aggregation services relating to the healthcare operations of the covered entity.]

Provisions for CE to Inform BA of Privacy Practices and Restrictions:

a. [OPTIONAL INSERT: CE shall notify BA of any limitation(s) in the Notice of Privacy Practices of covered entity under 45 CFR 164.520, to the extent that such limitation may affect BA’s use or disclosure of PHI.]

b. [OPTIONAL INSERT: CE shall notify BA of any changes in, or revocation of, the permission by an individual to use or disclose his or her PHI, to the extent that such changes may affect BA’s use or disclosure of PHI.]


c. [OPTIONAL INSERT: CE shall notify BA of any restriction on the use or disclosure of PHI that CE has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect BA’s use or disclosure of PHI.]

Permissible Requests by Covered Entity: [OPTIONAL INSERT: CE shall not request BA to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by CE. Include an exception if the BA will use or disclose PHI for, and the agreement includes provisions for, data aggregation or management and administration and legal responsibilities of the BA.]

Term and Termination:

a. Term. The Term of this Agreement shall be effective as of [INSERT effective date] and shall terminate on [INSERT termination date or event] or on the date covered entity terminates for cause as authorized in paragraph (b) of this Section, whichever is sooner.

b. Termination for Cause. Business associate authorizes termination of this Agreement by covered entity, if covered entity determines Business Associate has violated a material term of the Agreement [and Business Associate has not cured the breach or ended the violation within the time specified by covered entity]. [Bracketed language may be added if the covered entity wishes to provide the Business Associate with an opportunity to cure a violation or breach of the contract before termination for cause.]

c. Obligations of Business Associate Upon Termination. [OPTION 1 INSERT— If the BA is to return or destroy all PHI upon termination of the agreement.] Upon termination of this agreement for any reason, BA shall return to CE [or, if agreed to by CE, destroy] all PHI received from CE, or created, maintained, or received by BA on behalf of CE, that the BA still maintains in any form. BA shall retain no copies of the PHI.

[OPTION 2 INSERT— If the agreement authorizes the BA to use or disclose PHI for its own management and administration or to carry out its legal responsibilities and the BA needs to retain PHI for such purposes after termination of the agreement]

1. Upon termination of this agreement for any reason, BA, with respect to PHI received from CE, or created, maintained, or received by BA on behalf of covered entity, shall:

2. Retain only that PHI that is necessary for BA to continue its proper management and administration or to carry out its legal responsibilities;

3. Return to CE [OPTIONAL INSERT: or, if agreed to by CE, destroy] the remaining PHI that the BA still maintains in any form;

4. Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information (ePHI) to prevent use or disclosure of the PHI, other than as provided for in this Section, for as long as BA retains the PHI;

5. Not use or disclose the PHI retained by BA other than for the purposes for which such PHI was retained and subject to the same conditions set out at [INSERT section number related to paragraphs (e) and (f) above under “Permitted Uses and Disclosures by Business Associate”] which applied prior to termination; and

6. Return to CE [or, if agreed to by CE, destroy] the PHI retained by BA when it is no longer needed by BA for its proper management and administration or to carry out its legal responsibilities.

[The agreement could also provide that the BA will transmit the PHI to another BA of the CE at termination, and/or could add terms regarding a BA’s obligations to obtain or ensure the destruction of PHI created, received, or maintained by subcontractors.]

d. Survival. The obligations of Business Associate under this section shall survive the termination of this agreement.

Miscellaneous [OPTIONAL INSERT]:

a. [OPTIONAL INSERT] Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.

b. [OPTIONAL INSERT] Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.

c. [OPTIONAL INSERT] Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.

This sample document is from a 2019 Training Leader handbook, Head Off Front Desk HIPAA Nightmares.

You may edit and reproduce this form as you wish with our compliments. www.HCtrainingleader.com • 1-800-767-1181


Sample Front Desk Risk Assessment Checklist

Front Desk Risk Assessment Checklist

For use in the HIPAA-compliant day-to-day operation of your front desk.

(Any items checked “no” should be addressed immediately.)

Are you wearing appropriate identification in the office? Yes No

Are you following established written policies on medical records with restrictions on disclosure? Yes No

Do you know who has authorized access to PHI in order to release info? Yes No

Are you sharing passwords or access codes? Yes No

Are you sharing information with other staff ONLY when they need it to do their jobs? Yes No

Are you sharing information with other offices, hospitals, or agencies ONLY when they are following safe transmittal guidelines? Yes No

Are you using unencrypted or unsecure email like Gmail or Hotmail? Yes No

Are you sharing information with people other than the patient ONLY when they are properly designated and signed documentation is on file? Yes No

Are you faxing information ONLY when you have documented clearance and the recipient is at his or her fax machine to immediately confirm receipt? Yes No

Are you saying patient information out loud in the office or over the intercom? Yes No

Are you leaving your workstation without locking your computer and clearing its screen? Yes No

Are you leaving any unattended paperwork when you leave your station? Yes No

Are you leaving paper charts where they can be seen? Yes No

Do you destroy every form, sticky note, or piece of paper that is not securely filed in patients’ records using an appropriate shredding and disposal routine? Yes No

Note: This checklist is not a substitute for an accurate and thorough security risk assessment.


Sample Workstation Use Policy

On-the-job email and Internet access are powerful tools that can help you accomplish your work more efficiently. Internet access and email services are made available to staff primarily for business use.

We recognize that from time to time, staff may need to use these resources for personal reasons to balance demands between their work and personal lives. As such, employees may use email and Internet resources for both business and certain non-business purposes subject to the following:

1. Staff shall ensure that observable confidential information is adequately shielded from unauthorized disclosure and unauthorized access on computer screens.

2. Staff must be aware of their surroundings to ensure no one can incidentally view electronic protected health information (EPHI) on their workstation and that no EPHI is left unattended.

3. If you work from home or other non-office site, you must take the necessary steps to protect EPHI from other persons who may have access to your home or other non-office site. This includes password protection of personal computers, and security for all other forms of portable EPHI such as locking up CD ROM disks, USB drives, PDAs, laptops, tablets, phones, etc.

4. User session-lock shall be implemented when a computer is left idle. When technology is capable, it shall be automatic after a specific time based on location and function. The session shall be locked to disable access to the PC until the user enters a unique authenticator.

5. When technology is capable, while accessing EPHI outside of our office area, our area network (for example: extranet, VPN) will automatically log you off after a maximum of 30 minutes of inactivity. Automatic log-off is a system-enabled enforcement of session termination after a period of inactivity and blocks further access until the workforce member reestablishes the connection using the identification and authentication process.

6. Email and Internet services are the company’s property. Use of these resources, whether in the office or from a remote dial-up location, is not private.

7. Non-business use of these resources must be governed by good judgment and restraint, and must be limited to non-work time, i.e., before or after work or during lunch hour.

8. Network and computing resources must be available for business use at all times. Management will limit non-business use if it interferes with HIPAA security rules, policies and compliance, with the overall availability or cost of the services or with the productivity of individual employees.


9. Network services including visits to specific websites will be monitored. Those who use company resources to access websites containing sexually explicit material or content that could be construed as hostile or inconsistent with company policies and values, may be subject to disciplinary action, up to and including dismissal. Employees who question whether a particular site is prohibited should check with a supervisor.

10. Email and internet services are business tools. They must not be used to send or forward threatening or harassing messages or chain letters, or to express personal opinions on behalf of the company in online forums.

11. Staff must obtain the approval from the systems administrator before downloading pictures, screensavers, messenger software from websites such as AOL, Yahoo, Lycos, and MSN, or any other software.

12. Users may not share their log-in or access codes or passwords with others and may not allow others to use their workstations except as allowed in an approved business process.

13. Protected health information may not be sent, copied, or removed from a workstation by any method except as part of an approved business process.

14. Workstations shall only be used in such a manner that the information displayed thereon is not made visible to others who do not have a legitimate business or healthcare reason to access that information, to the extent practicable.


Sample Mobile Device Policy for Acceptable Use

PURPOSE:

This policy provides the standards and rules of behavior for the use of all mobile devices requiring access to our networks. This includes personally owned or BYOD (Bring Your Own Device) as well as company-provided smartphones and tablets. Staff requiring access to company network resources and/or services must adhere to this policy, and use is granted on the condition that each user reads, signs, respects, and follows the company’s policies concerning the use of these resources and/or services.

ACCEPTABLE USE:

Acceptable business use is defined as activities that directly or indirectly support the business of the company. Mobile devices may be utilized for business use, subject to the following:

• All IT and Workstation Acceptable Use Policy Rules also apply to mobile device users as they pertain to protecting patient PHI and EPHI. (See IT and Workstation Acceptable Use Policy forms.)

• Staff shall ensure that confidential information is adequately shielded from unauthorized disclosure and unauthorized access on device screens.

• Staff must be aware of their surroundings to ensure no mobile device is left unattended and no one can incidentally view Electronic Protected Health Information (EPHI) on their device.

• If you work from home or other non-office site, you must take the necessary steps to protect EPHI from other persons who may have access to your home or other non-office site. This includes password protection and additional security measures for all mobile devices as necessary.

• Auto screen-lock shall be implemented when a device is left idle. When technology is capable, it shall be automatic after a specific time based on location and function. The session shall be locked to disable access to the device until the user enters their unique authenticator.

• Email and internet services are the company’s property. Use of these resources, whether in the office or from a remote location, is not private.

• Non-business use of these resources must be governed by good judgment and restraint, and must be limited to non-work time, i.e., before or after work or during lunch hour.


• Protected health information may not be sent, copied, or removed from a mobile device by any method except as part of an approved business process.

DEVICES AND SUPPORT:

• The following devices are supported:

◦ iPhone (iOS 8 and above; model 5s or newer)

◦ iPad (iOS 8 and above)

◦ Android (5.1 or newer)

• ALL mobile devices, including BYOD, must be pre-approved and administered by company IT personnel before connecting to the company network resources. IT personnel will implement proper configuration of standard apps, such as email, browsers, office productivity software, and security applications.

• Smartphones and tablets that are not on the list of supported devices are not allowed to connect to the network.

• Smartphones and tablets belonging to staff that are for personal use only are not allowed to connect to the network without proper authorization from IT personnel. To request access, a SARF (System Access Request Form) must be completed and approved by the individual’s supervisor.

• Staff’s access to company data is limited based on user profiles defined by IT and automatically enforced.

• A mobile device may be remotely wiped of all company-related data if:

◦ The device is lost or stolen.

◦ The employee terminates his or her employment.

◦ IT detects a data or policy breach, a virus or similar threat to the security of the company.

◦ After seven incorrect log-in attempts.

RISKS, LIABILITIES & DISCLAIMERS:

• Employees are expected to use mobile devices in an ethical manner at all times and follow the company’s Acceptable Use Policy as outlined above.

• The company reserves the right to disconnect devices or disable services without notification.


• The IT staff will take every precaution to prevent the loss of an employee’s personal data in the event it must remotely wipe a device. However, it is the employee’s responsibility to take additional precautions, including backing up email, contacts, and so on.

• All lost or stolen devices authorized to access the company’s network must be reported immediately. Employees are solely responsible for notifying their mobile carrier if a device is lost. Additionally, the employee is responsible for remotely wiping any personal data.

• The employee is personally liable for all costs associated with his or her personal device.

• The employee assumes full liability for risks including, but not limited to, the partial or complete loss of company and personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable.

• We reserve the right to take appropriate disciplinary action including termination for noncompliance with this policy.

Employee Signature (Please date and sign this form)

Date


Sample Employee Confidentiality Agreement

Confidential information is defined as any information found in a patient’s medical record, personal information, and work-related information (including salary information). All information relating to a patient’s care, treatment, or condition constitutes confidential information. This confidentiality policy also encompasses any trade-secret, scientific, or technical information developed by the practice or its personnel.

• Employees shall never discuss a patient’s medical condition with any non-employee of the practice, friends, or family members. Confidential matters involving patients will not be discussed in areas where they might be overheard by other patients or other non-employees of the practice. Staff members are to be aware at all times that conversations regarding patients are not to be overheard by others and take appropriate steps to ensure this confidentiality.

• All salary information is confidential and may not be shared with others in the clinic or with patients. Only authorized individuals may relay salary information to employees or non-employees.

• Any unauthorized disclosure of confidential information by employees could render the clinic liable for damages. Any employee who violates the confidentiality of clinic, medical- or employee-related information is subject to disciplinary action up to and including termination from employment.

I have received a copy of, read, understand, and agree to uphold this written policy on matters of confidential information and trade secrets.

I also understand that in my daily job duties, I will have free access to confidential clinic operations and any violation of confidentiality, in whole or in part, could result in disciplinary action up to and including termination and/or legal action.

I recognize that this signed document of my agreement to uphold the provisions of this policy will be kept on file in my personnel file.

Employee: _____________________________________ Date:_____________________

Witnessed by Practice representative: __________________________________________

Date: _________________________


Sample Disaster Recovery Plan (DRP)

Contingency Plan: Protecting ePHI

Practice Name: [INSERT Practice Name]

Date Approved: [INSERT Date Approved]

Date Effective: [INSERT Date Effective]

Date Revised: [INSERT Date Revised, for Each Revision]

Purpose:

Provide uninterrupted patient care while protecting electronic protected health information against loss or damage due to natural disasters such as weather or earthquakes, as well as man-made disasters such as fire or terrorism, and to restore lost or damaged data as soon as possible following loss or damage.

Goal: Ensure that the practice has policies and procedures in place and that the workforce is properly informed on how to proceed when electronic systems are unavailable.

Responsible staff members:

Security Officer: [INSERT Name]

Practice Administrator/Office Manager: [INSERT Name]

Information Technology Specialist/Team: [INSERT Names]

Rationale: Disasters cannot be prevented or predicted. Therefore, practice personnel must be prepared to operate in the emergency mode when a disaster occurs. Disasters include (but are not limited to) hurricanes, tornadoes, flooding, ice storms, earthquakes, fires, power outages, terrorism, and even the end of life for the Electronic Medical Record (EMR) system.

This practice relies upon the IT specialist or Team and the EMR vendor to assist in an emergency. All staff members will be informed of the proper actions and will be notified when these actions should be implemented. The Security Officer and/or Practice Administrator/Office Manager will inform employees, contact software vendors, and initiate the Contingency Plan.


Preparation:

Backup (“Plan A”)

The EMR system used: [INSERT Name of System]

Data Is Backed Up By: [INSERT Name]

Backup Frequency: [INSERT Frequency]

Medium: [INSERT Storage Type]

Located/Stored: [INSERT Location of Storage Device]

Backup (“Plan B”)

In addition to A above, data is backed up off-site: [INSERT Explanation]

Any storage media (tapes, disks, flash drives) used are rotated and reused. When they are no longer needed, they will be destroyed according to our procedure described elsewhere, to ensure that PHI cannot be accessed.

Paper forms:

In anticipation of a disaster, this practice has developed a binder holding one master copy of each form used in this practice.

This binder is stored [INSERT Storage Location]. [INSERT Person’s Name] is responsible for immediately retrieving the binder and making sufficient copies for use during emergency operations.

Forms to be included are:

• Registration forms

• Routing sheet/encounter form

• Health history form

• Progress notes form

• Financial form

• Phone message sheets

• Sign-in sheet (if appropriate)

• Other: [INSERT Names of Other Forms]

Paper folders will be used as temporary charts. The temporary charts will be stored at [INSERT Location].

Emergency operations: When the electronic system is unavailable, the [INSERT Job Title] will notify all staff members to implement the plan.


Patient Sign-in Process:

• Sign-in process will continue as usual.

• Sign-in sheets will be used.

• [INSERT Any Additional Steps as Appropriate]

Patient registration: The front-desk staff will give patients a copy of the following forms to be completed and returned to the front desk, where they will be put into temporary charts and placed in holders for provider access. Folders will be located [INSERT Location]. Forms to be given to the patient include:

• Registration form for demographics

• Health history form

• Routing sheet/encounter form/Superbill

Documentation: Clinical staff will use progress sheets to write in the appropriate information about the patient’s visit. These will go into the temporary charts. Charts will be kept [INSERT Location] until the EHR system is restored.

Patient checkout: Routing sheets, encounter forms, and/or superbills will be completed and taken to checkout for billing and rescheduling. Checkout staff will collect the forms and deliver them to the appropriate individuals. Scheduling staff will schedule the next office visit with the patient via phone once the system is restored.

Message documentation: Telephone messages will be documented on phone message sheets to be processed after the system is restored.

Recovery:

When the EHR system becomes available, the following steps will be followed.

• Hardware: If needed, new hardware will be acquired by [INSERT Name] from [INSERT Source].

• Software: [INSERT Job Title(s)] will download and/or install software in order of priority determined previously. See the Software Criticality list on page [INSERT Page Number] of this contingency plan.

• Documentation: Clinical staff will enter a brief note into each patient’s electronic medical record, referring to the paper notes that were taken during the time that the system was down.


• EMR: Administrative staff will scan paper progress notes into the EMR, attaching them to the patient’s medical record. Then the paper records will be destroyed by [INSERT Name] by [INSERT Method].

• Billing: [INSERT Name] will enter and submit billing information.

• Scheduling: [INSERT Name] will contact patients who were seen during the outage to schedule the next visit.

• Messaging: Phone messages will be routed to the appropriate persons for processing.

Post-recovery:

The [INSERT Job Title] will schedule a meeting with the staff to determine the effectiveness of the Plan and to revise the Plan as needed.

Contact phone numbers:

Practice Administrator/Office Manager: [INSERT Phone #]

Security Officer: [INSERT Phone #]

IT Specialist/Team Leader: [INSERT Phone #]

Hardware Source: [INSERT Phone #]

Software Vendor: [INSERT Phone #]

Software criticality: Software will be downloaded/installed in order of criticality. We have determined the following order of software.

1. [INSERT Software Program Name]

2. [INSERT Software Program Name]

3. [INSERT Software Program Name]

4. [INSERT Software Program Name]

5. [INSERT Software Program Name]

6. [INSERT Software Program Name]

7. [INSERT Software Program Name]

8. [INSERT Software Program Name]


Sample Contingency Plan Form

Name of Organization:_______________________________________________________

Date last edited: ___________________________________________________________

Definitions of terms

• Business Continuity Operating Team (BCO Team) – Key members of management, staff, and outside consultants, who will provide the technical and management skills necessary to achieve a smooth technology and business recovery.

• Business Impact Analysis (BIA) – A key component of the Business Continuity Plan that describes risks based on the organization’s reliance on the personnel, tools, records, and services provided by the information technology and operating environment. The results of the BIA provide an illustration of the overall risks to the organization resulting from a disaster, and identify the steps required to improve redundancy and practices to minimize and mitigate possible risks.

• Disaster Recovery Plan (DRP) – The response to a disaster.

• Documents or Data – The organization’s patient and administrative documents and records that exist in physical and electronic form.

• Document Management System (“DMS”) – IT equipment, operating systems, applications, tools, and data that are deployed to manage the organization’s electronic data including email, document generation, document search, document retention, and management.

• Information Security Management System (“ISMS”) – A separate document that controls the operations and security of the organization’s information technology.

• Information technology (IT) – The organization’s system for managing and securing information and related operations, including security procedures, platforms, computer systems, and technology initiatives.

• Infrastructure – Information technology, facilities, and personnel.

• Organization personnel – Employee(s) of the organization.

• Records Management Policy – The Organization’s policy that covers the creation, maintenance, storage, and destruction of all documents and records.

• Recovery Point Objective (RPO) – Maximum tolerable period in which data might be lost from IT service due to a major incident, i.e., time from the last known good backup.

• Recovery Time Objective (RTO) – Maximum amount of time allowed for a system, data, or application to be recovered and fully functional for use by users.


• Significant Business Disruption (SBD) – A disruption to routine operations from internal or external events that may cause the invocation of the Business Continuity Plan.

1. Introduction and General

[INSERT Name of Organization] (the “organization”) conveys that its data network and the information stored on the system are critical to its operations and those of its patients. Based on the confidential nature of the electronic data stored on the systems and the need to maintain a stable network with maximum continuous production time, a Continuity of Operations (the “Plan”) is a critical component of the organization’s Infrastructure. In the event of a Significant Business Disruption, the organization’s efforts are focused on rapid recovery with minimal downtime, preservation of data and restoration of critical functions. The Plan is reviewed annually after a review of the technology currently in use and the changes to the organization since the last review.

1.1 Statement of intent: This document delineates the organization’s established emergency preparedness and procedures for planning, maintaining and restoring business operations and Information Technology (“IT”) in response to a disaster, as well as the organization’s process-level plans for recovering critical technology platforms and the telecommunications infrastructure. In the event of an actual emergency situation, modifications to the plan may be made to ensure the physical safety of the organization’s employees, systems, and data. The organization’s mission is to ensure information system uptime, data integrity and availability, and business continuity.

1.2 Significant Business Disruptions (“SBDs”): An SBD is any disruption to the normal operations of the organization which impedes our ability to effectively serve our patients. The plan anticipates that both internal and external SBDs can result from a disaster:

• Internal SBDs are limited to events that affect only the organization’s ability to communicate and do business, such as a fire in its building.

• External SBDs prevent the operation of a number of institutions or limit access to full resources within a general area beyond the limits of the organization’s facilities. Examples of external SBDs include a denial of service attack, ransomware attack, hurricane or other storm or natural event, power outage, wide-scale impacting fire, or similar regional disruption. Wide scale SBDs require the organization to rely more heavily on outside organizations and systems, especially the capabilities of our key suppliers and vendors.

• We will maintain a comprehensive plan for the recovery of business and IT operations. The plan shall be formally reviewed annually to ensure that it is kept up to date and to consider changing circumstances.


• The plan shall cover all critical infrastructure elements, systems, and networks that allow for the conduct of key business activities.

1.3 Business location: The organization’s main location is located at [INSERT address]. All professional and administrative functions are conducted from this single location, which contains the organization’s HIPAA SECURITY OFFICIAL.

1.4 Plan location and access: The organization will maintain a copy of the plan in a file named “Continuity of Operations Plan.” A backup copy of the plan will be maintained in [INSERT electronic location].

2. Routine Operations and Preventive Measures

2.1 Information Technology Infrastructure: The organization uses [INSERT a description of systems and vendor names, for example: network infrastructure consisting of industry standard products from vendors.] The local area network in [INSERT location] is a [INSERT network description, i.e. switched high-speed Ethernet 100Mbps/1Gbps backbone configuration]. The wide area network is based on a [INSERT network structure i.e. Virtual Private Network (VPN)] between the [INSERT all locations], and a dedicated link with backup VPN between [INSERT location] and the recovery site. The organization has implemented best redundancy practices which include secondary products with the server farm, storage area network, network infrastructure and firewall devices.

2.2 Data Backup and Recovery Procedures (Physical and Electronic): The organization maintains its physical documents and records at its primary [INSERT location]. [INSERT: Describe other retention of documents and records responsibility, for example: Explain the format and how the data is stored, for example, The Organization maintains archived data off-site storage. Off-site Storage Location. Explain how/where, i.e. The HIPAA Security Official is responsible for the Organization’s Records Management Policy and records.] The HIPAA Security Official is responsible for the maintenance of the organization’s electronic records. The organization conducts full backups daily and as needed throughout the day using [INSERT: Describe how].

2.3 Facilities and personnel: The organization’s operations are conducted at a single office location. The members of the workforce include: [INSERT list of positions]

3. Alert, Escalation and Plan Invocation

This plan has been established to ensure that in the event of a disruption to operations there is a clear understanding of how to proceed. Procedures have been addressed to ensure that communications can be quickly established while working to recover operations to normal.


3.1 Business continuity: In the event the plan is invoked, the organization’s HIPAA Security Official serves to ensure business continuity. The HIPAA Security Official will provide the technical and management skills necessary to achieve a smooth technology and business recovery. In the event of an SBD, the plan may be activated.

The HIPAA Security Official is specifically responsible for:

• Responding immediately to a potential disaster, providing for emergency services and coordinating the efforts of such services;

• Assessing the extent of the disaster and its impact on business operations including data;

• Deciding the elements of the plan that should be activated;

• Maintaining vital services and operations;

• Coordinating the reestablishment of normal operations;

• Establishing communications with key suppliers and vendors to support the recovery and coordinate business operational efforts (See Appendix 2; Key Suppliers and Vendors);

• Troubleshooting key issues until the underlying disaster or emergency has been resolved;

• Restoring key services as quickly as possible;

• Recovering to business as usual after the underlying disaster or emergency is resolved as soon as practicable.

3.2 Preparations for Hurricanes [INSERT pertinent disaster description here: for example, Unlike most SBDs, hurricanes, and sometimes other significant storms, offer a chance to prepare in advance and respond in an appropriate manner. In the event that a hurricane or other predictable storm or event approaches the area, a three to seven-day window may exist.]

3.2.1. Emergency Shutdown Procedure: In the event of a potential or active SBD, the Organization may shut down the organization’s information systems.

3.2.2. Communication with outside parties: In the event of an SBD, the organization will immediately identify what means are available to best communicate with its patients, vendors, and others who require notification. A listing of key vendors including contact information is provided in Appendix 2. While we ordinarily use telephones, faxes and email to communicate with outside parties, we will quickly evaluate what communications options are available or will quickly become available given the circumstances of the particular SBD.


3.3 Legal actions: The HIPAA Security Official will review the aftermath of the SBD and decide whether there may be legal actions resulting from the event, for example, the possibility of claims by or against the organization, etc.

4. Annual Review and Change Management

4.1 Responsibility for the plan. The HIPAA Security Official has the responsibility for the plan and for conducting the required periodic testing and the annual review.

4.2 Updating and Communication. Ensuring that the plan reflects ongoing changes to the business and systems architecture is essential to its success. This includes revising this document to reflect updates, changing and evaluating the Plan at periodic intervals.

4.3 Importance of Testing and Evaluation. Disaster recovery exercises are an essential part of the Plan’s development and preparedness process. Plan testing and review identifies non-compliance, what needs to be improved, and how improvements can be implemented. The Plan needs to be validated by simulating the circumstances within which it has to work and evaluating the results. Partial tests of individual components and recovery plans for specific systems will be carried out on a regular basis, as deemed necessary. A comprehensive test of the recovery capabilities will be performed on an annual basis. This will ensure data availability.

5. Disaster Recovery Plan (DRP)

5.1 Definition and scope. The DRP is a component of the Business Continuity Plan which establishes emergency preparedness plans and procedures. Disaster recovery outlines the response to a disaster and details the specific process of regaining access to the personnel, data, hardware, and software necessary to resume critical business operations after an SBD. A DRP includes plans for coping with unexpected or sudden losses of key assets and is an element of the larger Plan process.

5.2 Significant Business Disruption. The specifics of the DRP that would be invoked and carried out in the event of an SBD.

5.3 Isolated incidents: The organization’s plan anticipates multiple kinds of internal SBDs in addition to a large-scale disaster, or external SBD, that would require the invocation of the entire Plan. Examples of these disruptions, which are also defined as Internal SBDs, involve the loss of the availability of:

• Services based on physical hardware failures

• Services based on corruption or application/data failures

• Network infrastructure and cabling due to failure

• Wide area network including loss of Internet connectivity

• Environmental failures


The organization’s response to these potential SBDs would depend on the systems that are in place after the SBD and what has been lost.

5.4 Data Backup. All ePHI data is backed up to [INSERT: describe how].

Appendix 1

Key Suppliers and Vendors

Critical Services/System | Name | Phone | Website | Email | Location | Description/Use

Appendix 2

Mission Critical Records

Electronic and paper vital records | Description | Primary Location | Redundant Location

Appendix 3

Key Suppliers and Vendors

Service Provider | Description | Individual | Address | Number | Email

This sample document is from a 2019 Training Leader handbook, Head Off Front Desk HIPAA Nightmares.

You may edit and reproduce this form as you wish with our compliments. www.HCtrainingleader.com • 1-800-767-1181


Sample Media Disposal and Re-Use Policy

Overview

[NAME OF ORGANIZATION] has adopted this Media Disposal and Re-Use Policy to comply with HIPAA and the HIPAA implementing regulations pertaining to media disposal and disposition, in accordance with the requirements at § 164.310(d)(1)(2).

Regarding disposal, media containing Individually Identifiable Health Information (IIHI), including protected health information (PHI), must be completely erased, properly encrypted, or destroyed in its final disposition, or the data residing on such media is subject to recovery and subsequent misuse or theft.

Regarding re-use, media containing IIHI, including PHI, must be completely erased or sanitized (wiped) before any re-use of such media may take place, or the data residing on such media is subject to corruption, compromise, or loss.

o Internal re-uses may include re-deployment of computers or sharing of disks, CDs, or flash drives.

o External re-uses may include donation of electronic media to charity organizations or local schools.

Electronic media means electronic storage material on which data is or may be recorded electronically, including, but not limited to, devices in computers or digital copiers (hard drives) and any removable or transportable digital memory medium such as magnetic tape or disk, optical disk, or digital memory card. Electronic media also includes transmission media used to exchange information already in electronic storage media (the Internet, dial-up lines, private networks, and the physical movement of removable or transportable electronic storage media).

Policy

It is [NAME OF ORGANIZATION]’s policy to dispose of all media containing IIHI, including PHI, in full compliance with all the requirements of HIPAA.

It is [NAME OF ORGANIZATION]’s policy to properly erase and/or sanitize (wipe) all media containing IIHI, including PHI, before any media may be re-used.


This policy governs the receipt and removal of hardware and electronic media that contain electronic protected health information (ePHI) into and out of a facility and the movement of these items within a facility. This includes proper handling of all electronic media, including receipt, removal, backup, storage, reuse, disposal, and accountability.

It is [NAME OF ORGANIZATION]’s policy to fully document all media re-use and disposal-related activities and efforts, in accordance with its documentation policy and HIPAA requirements.

Procedures for Media Disposal

The HIPAA Security Official, in consultation with [NAME OF ORGANIZATION]’s IT personnel and/or IT provider, is responsible for proper media disposal and for developing procedures to ensure the proper disposition of all such media.

When a media device is identified to be completely erased, properly encrypted, or destroyed in its final disposition, or the data residing on such media is subject to recovery, the HIPAA Security Official, or his/her designee(s), will perform this function.

[NAME OF ORGANIZATION] will ensure that any disposal is handled by personnel authorized to dispose of ePHI and/or the hardware or electronic media on which it is stored.

If [NAME OF ORGANIZATION] contracts with a vendor to provide media disposal services, [NAME OF ORGANIZATION] will ensure a Business Associate Agreement is in place with the vendor prior to the commencement of any services. The contracted vendor will provide the practice a document destruction certificate.

The HIPAA Security Official shall maintain a log that indicates when a media device was completely erased, properly encrypted, or destroyed in its final disposition, or the data residing on such media is subject to recovery.

The log must also indicate if a media device was removed from [NAME OF ORGANIZATION]’s inventory and indicate the final disposition of the device (destroyed and/or disposed).


Procedures for Media Re-Use

The HIPAA Security Official, in consultation with [NAME OF ORGANIZATION]’s IT personnel and/or IT provider, is responsible for proper media re-use and for developing procedures to ensure the proper disposition of all such media before re-use.

The HIPAA Security Official, in consultation with [NAME OF ORGANIZATION]’s IT personnel and/or IT provider, may determine that, in some instances, all ePHI must be permanently deleted, whereas, in other instances, the electronic media should only be reformatted so that no files are accessible.

When a media device is identified to be re-used for internal purposes, the HIPAA Security Official will ensure the device has been completely erased before re-use and properly encrypted before any PHI is stored on the device.

If [NAME OF ORGANIZATION] contracts with a vendor to provide media re-use services, the vendor will provide the practice a sanitization certificate.

The HIPAA Security Official shall maintain a log that indicates when a media device was re-used for internal purposes and is properly encrypted before any PHI is stored on the device.

The log must also indicate the disposition of the re-used media device: location, use, person/date who authorized the re-use and the workforce member assigned to the re-used media device.

The same security safeguards in place for [NAME OF ORGANIZATION]’s media devices are applicable to its re-used media devices.

This sample document is from a 2019 Training Leader handbook, Head Off Front Desk HIPAA Nightmares.

You may edit and reproduce this form as you wish with our compliments. www.HCtrainingleader.com • 1-800-767-1181


Resources

Resource Description | Resource Web Address

Anti-Virus Programs | Norton: www.symantec-norton.com; Kaspersky: www.kaspersky.com

Centers for Medicare and Medicaid Services (CMS) | www.cms.hhs.gov

Data Interchange Standards | www.disa.org

Health and Human Services (HHS) Office for Civil Rights (OCR) HIPAA Videos (government agency that polices HIPAA) | https://www.youtube.com/channel/UC0CnOS9MsyNAFs5Uyvwk37g

HIPAA Security Rule | http://www.hhs.gov/hipaa/for-professionals/security/

HIPAA Privacy Rule | http://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html

HIPAA Security Series | http://www.hhs.gov/hipaa/for-professionals/security/guidance/

National Association of Insurance Commissioners | www.naic.org/state_web_map.htm

National Uniform Billing Committee (website containing standards for institutional claims) | www.nubc.org

National Uniform Claim Committee (website containing information on non-institutional claim submission) | www.nucc.org

Security Risk Assessment Tool from HealthIT.gov | https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool


HIPAA-Related Acronyms and Definitions

Acronym Cheat Sheet

BAA Business Associate Agreement

BA Business Associate

CE Covered Entity

EHR Electronic Health Records

ePHI Electronic Protected Health Information

HHS Health and Human Services

HIPAA Health Insurance Portability and Accountability Act

IIHI Individually Identifiable Health Information

NPP Notice of Privacy Practices

OCR Office for Civil Rights

PHI Protected Health Information


Definitions

Anti-virus Software

A type of utility used to scan and remove viruses from an operating system and protect it from infection; typically used on computers, computing systems, and mobile devices, such as smartphones and tablets.

Authorized Disclosure

To disclose patient information for other reasons than indicated by a Permitted Disclosure.

Business Associate Agreements (BAA)

A written and signed agreement outlining each party’s responsibilities when it comes to patients’ personal health information that is to be shared with business associates.

Business Associates (BAs)

A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. Note: “Covered Entity” is HIPAA’s term for you and your medical practice or facility.

Civil Penalties

Your patients can sue you separately and in addition to fines levied by government agencies. It is not unusual for practices hit with HIPAA violations to then be sued by their patients. The civil penalties are the monies awarded by courts to your patients if they win their lawsuits against you. Civil penalties can be charged against the practice, you and your staff as individuals, or both.

Commercial Payers

Any health insurance not managed by a government program

Covered Entity (CE)

This is a HIPAA term used to describe three groups: Health Plans, Healthcare Clearinghouses, and Healthcare Providers. To be considered a covered entity, each of these groups must transmit electronic health information in connection with transactions governed by HHS.

Head Off Front Desk HIPAA Nightmares

Published by Healthcare Training Leader, 800-767-1181, www.hctrainingleader.comL-53

Page 131: HEAD OFF Front Desk HIPAA · Inside this execuive report, Head Of HIPAA Front Desk Nightmares, you’ll ind a wealth of easy-to-implement tacics you can use to protect your pracice

Data Breach

An intentional or unintentional release of secure information to an untrusted environment. Data breaches can be the result of a directed attack or of improper handling of patient records by unwitting individuals. Data breaches may expose patient information and ultimately result in HIPAA violations.

Degaussing

A safe way to discard electronic media. It involves using a strong magnetic field to fully erase the data on the device.

Designated Representative

A person who speaks for a patient on medical matters. Designated representatives are appointed by the patient in a formal document such as a medical power of attorney, a living will or an advance care directive. This term can also be used to describe someone appointed by a court order to represent a seriously ill or comatose patient. Designated representatives can gain access to patient medical information to help make decisions about the patient’s care. Be sure you read a designated representative’s formal appointment document or order carefully. Without proper written evidence of appointment, you are at risk of disclosing information to a person who may not be authorized.

Disaster Recovery Plan

A document that specifies the resources, actions, personnel and data required to protect and reinstate healthcare information that’s compromised in the event of a system failure, natural disaster, vandalism or other calamitous event.

Electronic Health Record (EHR)

The systematized collection of patient health information stored in a digital format or, more simply, the digital version of a patient’s paper record.

Emancipated Minor

A person under the age of 18 who may nevertheless have the same rights to sign documents and give instructions as an adult. An emancipated minor has a full expectation of privacy and may successfully sue you for unauthorized disclosure of private information to anyone, including the emancipated minor’s own parent. Likewise, disclosing information without the emancipated minor’s consent is a HIPAA violation. The various states have different laws regarding at what age and in what circumstances a child under 18 can become an emancipated minor.

Encryption

Using technology to safeguard communications. Many EHR systems provide an encrypted patient portal to facilitate secure electronic communication with patients. Unencrypted communications (for example, Gmail) pose a huge HIPAA risk to practices. Use technology to encode communications so that only authorized parties can read them.

Executor

A person designated by a court to represent the affairs of a deceased patient. An executor is usually nominated in a document like the patient’s last will and testament and then formally appointed by a court. An executor will always have a formal document of appointment. Once an executor is appointed, that person is the ONLY individual authorized to have access to a patient’s protected information. Even if a person claims to be designated in the patient’s will, that person can NOT act in the patient’s name as an executor until appointed by a court.

Firewall

A network security system that monitors and controls incoming and outgoing network traffic and establishes a barrier based on predetermined security rules. A firewall is commonly used to protect a network system from an external network, such as the Internet.

Guardian

A person who has been appointed to represent the interests of a patient. A legal guardian can have access to patient information and may make medical decisions and sign forms on the patient’s behalf. Legal guardians can be family members or a non-family member like lawyers. A legal guardian is always designated by a formal document, such as a court order. Be sure you have a current copy of the legal guardian’s authority to act on file.

Hacking

For someone to get unauthorized access to data in a computer or other system.


Health and Human Services (HHS)

A U.S. government department designed to enhance and protect the health and well-being of all Americans. HHS is responsible for overseeing health laws and regulations, including the Health Insurance Portability and Accountability Act (HIPAA).

Health Insurance Portability and Accountability Act (HIPAA)

A group of laws and rules that detail both your organizational and individual responsibilities and liabilities regarding patient privacy and the establishment of standards for the privacy and security of protected health information (PHI).

HIPAA Privacy Official

The HIPAA Privacy Official oversees all ongoing activities related to the development, implementation, maintenance of, and adherence to the organization’s policies and procedures covering the privacy of, and access to, patient health information in compliance with federal and state laws and the healthcare organization’s information privacy practices.

HIPAA Security Official

The HIPAA Security Official is responsible for the organization’s HIPAA security program and compliance including but not limited to daily operations of the IT security program, oversight of the annual and ongoing risk assessment process, development, implementation, and maintenance of policies and procedures, ensuring the confidentiality, integrity and access of electronic protected health information and of monitoring program compliance as well as investigation and tracking of incidents and breaches and in compliance with federal and state laws.

HIPAA Security Rule

Establishes national standards to protect individuals’ electronic health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

Individually Identifiable Health Information (IIHI)

Nineteen specific pieces of information that could potentially identify a patient.


Internet Protocol (IP)

The rules that govern how data is sent from one computer to another over the Internet.

Next of Kin

A patient’s closest relatives, usually a spouse, child or parent. Next of kin can pose a significant HIPAA risk. Family members frequently assume they have a right to a patient’s medical and personal information, but unless the patient has formally designated next of kin designated representatives, you cannot assume next of kin have a right to information. Family dynamics are complicated, and some patients do not want their next of kin to know about their medical and personal information.

Non-BA Vendors

A vendor who works with your practice and has not received explicit permission to access your patients’ personal health information, but who may gain access to it by proximity. These vendors may present a HIPAA violation risk if patient information is not properly protected.

Non-Disclosure

A legal contract between at least two parties that defines confidential information that the parties wish to share with one another for certain purposes, but wish to restrict access to or by third parties; otherwise known as a confidentiality agreement.

Notice of Privacy Practices (NPP)

A required document that spells out a patient’s rights, choices, and how you will use their private information. The NPP must be given to patients in a language and format they can understand. Though the patient is not obliged to sign the NPP, you are required to make a good faith effort to secure a patient signature.

Office for Civil Rights (OCR)

An office in the HHS that enforces federal civil rights laws, conscience and religious freedom laws, the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule, which together protect the fundamental rights of nondiscrimination, conscience, religious freedom, and health information privacy.

Opt-Out

Patients now have the option of opting out of their insurance. If they elect to do so, their insurance company has no right to any information relating to the visit the patient paid for themselves. If you later disclose this visit, you have committed a HIPAA violation.

Protected Health Information (PHI)

Any personal information that’s in the patient’s health record (measurements, vaccinations, procedures, etc.).

Permitted Disclosures

Uses and disclosures of patients’ PHI that include providing the information directly to the individual who is the subject of the data (except for psychotherapy notes).

Personal Liability

The concept that each person in the office has individual responsibility for safeguarding information. If patient protected information is compromised, each person involved can face civil and criminal fines and in exceptional cases, jail time. It is important to impress on front desk staff that each of them is personally at risk for any violation and the fines and punishments it can bring.

Personal Representative

A personal representative is a person legally authorized to make health care decisions on an individual’s behalf or to act for a deceased individual or the estate. The Privacy Rule permits an exception when a covered entity has a reasonable belief that the personal representative may be abusing or neglecting the individual, or that treating the person as the personal representative could otherwise endanger the individual.


Release Form (Release of Information)

The form used to indicate information to be released to a third party at the authorization of the patient or their duly authorized representative. The form should describe the information to be released in detail to avoid disclosing more than the patient intends. Signed release forms are retained in the patient’s record to document proper information transmission at the patient’s order.

Security Risk Assessment

A formal internal audit of your practice for compliance and possible danger areas. Risk assessment documents are one of the first things investigators request, and offices that don’t have them almost always find themselves with violations and fines. Risk assessments should be conducted every year, formally documented and any danger areas mitigated as quickly as possible. Documentation of mitigation should be retained along with the risk assessment to demonstrate your HIPAA compliance.

Sign-in Sheet

The record that a patient has arrived for an appointment and is ready to check in. Because sign-in sheets are frequently visible to all people in the waiting room and may contain IIHI, they can be a prime HIPAA violation danger zone unless properly designed and managed.

Web Universal Resource Locators (URLs)

This is also called a web address. It is what you type into your browser to go to a web page. It may or may not start with “www.” It should always have some type of extension following a period (.com, .edu, .org, etc.).

Head Off Front Desk HIPAA Nightmares

Published by Healthcare Training Leader, 800-767-1181, www.hctrainingleader.comL-59



Index

A

Access .......... 4, 44, L-2, L-33, L-42
Anti-Virus .......... L-49
Authorization .......... 54, L-6
Authorized Disclosure .......... 27

B

Business Associate (BA) .......... 3, 42, 57, 58, 60, 61, 67, L-24, L-25, L-27, L-28, L-51
Business Associate Agreement (BAA) .......... 42, 57, 58, 67, L-24, L-51

C

Check-in .......... 6
Checklist .......... 25, 44, 66, 67, L-2, L-19, L-29
Check-out .......... 49
Child Abuse .......... 41
Commercial Payers .......... 33, L-53
Communication .......... 6, 35, L-43, L-44
Computer Screen .......... 50, 63
Confidential .......... L-8, L-9, L-20, L-21, L-35
Covered Entity .......... 5, 57, L-24, L-27, L-53

D

Data Breach .......... 61, L-54
Designated Representative .......... 25, L-54
Destruction .......... 52, 53, 63
Digital Sign-in Sheets .......... 15, 16
Disaster Recovery .......... 64, L-10, L-36, L-40, L-44, L-54
Disclosure .......... 4, 27, 56, L-25, L-28
Documentation .......... 62, L-38, L-59

Index-I


E

EHR .......... 16, 42, 44, 60, L-3, L-38, L-54, L-55
Electronic Devices .......... 43
Electronic Health Record .......... 42, L-54
Emancipated Minors .......... 24
Encryption .......... 44, L-2, L-55
Equipment .......... 44, 62, L-2, L-4
ePHI .......... 64, L-5, L-27, L-30, L-32

F

Fax .......... 7, 40, 62
Firewall .......... L-55

H

Hacking .......... 4, L-55
Health and Human Services .......... 1, 27, L-14, L-16, L-49, L-51, L-56
Health Insurance Portability and Accountability Act .......... 1, 2, L-6, L-51, L-56, L-57
HHS .......... 1, 27, 41, L-24, L-49, L-51, L-56, L-57
HIPAA Guidelines .......... 18, 21, 24, 25, 51
HIPAA Security and Privacy Official .......... 6, 67

I

IIHI .......... 5, 6, 19, 43, 46, 47, 48, 52, 53, 62, 63, 64, L-51, L-56, L-59
Individually Identifiable Health Information .......... 5, 19, L-51, L-56
Information Leaks .......... 47

M

Mobile Device .......... 43, 63, L-32

N

National Association of Insurance Commissioners .......... 24, L-49
New Patients .......... 23
Next of Kin .......... 25, 29, L-57
Notice of Privacy Practices .......... 21, 22, 66, L-12, L-24, L-26, L-51, L-57
NPP .......... 21, 22, 23, 24, 25, 66, 67, L-51, L-57

Index-II


O

OCR .......... 1, 2, 4, 5, 21, 39, 57, 61, L-24, L-49, L-51, L-57
Office for Civil Rights .......... 1, 21, 57, L-14, L-24, L-51, L-57
Opt-Out .......... 33, 67, L-11, L-58

P

Paper Sign-in Sheet .......... 18
Penalties .......... 1, 2, 3, 4, 15, 33, 45, 48, L-53
PHI .......... 1, 3, 4, 5, 9, 11, 13, 15, 16, 17, 21, 27, 37, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 52, 53, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, L-2, L-3, L-8, L-10, L-19, L-20, L-21, L-22, L-24, L-25, L-26, L-27, L-28, L-29, L-32, L-37, L-51, L-56, L-58
Phone .......... 35, 36, 48, L-37, L-39, L-45
Pictures .......... 54, L-31
Privacy Policy .......... 25, 66, L-8
Protected Health Information .......... 57, L-6, L-10, L-16, L-24, L-27, L-30, L-32, L-36, L-53, L-56

R

Release of Information .......... 28, 31, 32, L-6
Role Play .......... 10, 11

S

Secure .......... 4, 17, 38, 42, 43, 52, 60, 62, 63, 64, 66, L-8, L-19, L-54, L-55, L-57
Secure Terminal .......... 51
Security Risk Assessment .......... 3, 61, 62, L-49, L-59
Shred .......... 17, 53, 63
Signature .......... 21, 22, 23, 27, 28, L-57
Sign-in Cards .......... 16
Sign-in Sheet .......... 15, 16, 18, 19, 67
Smartphone .......... 43, 63
Social Networking .......... 45

T

Training .......... 11, 29, 30, 38

Index-III


V

Vendor .......... 60, L-39
Violation .......... 1, 2
Voicemail .......... 35, 36, 38

W

Workstation .......... 51, 63, L-30, L-32

Index-IV