Q. Our physician practice operates a satellite clinic. The practice does not use an electronic medical record. Charts are transported from the practice to a workforce member’s home at the end of the week. That person then transports the records to the satellite clinic Monday morning. Does this violate HIPAA? Also, who is responsible for the breach of patient PHI if someone steals the charts from a workforce member’s vehicle?
A. HIPAA does not prohibit transporting charts temporarily to a workforce member’s home. Medical practices that do so must reasonably ensure that charts are secured while they are en route and temporarily stored at the workforce member’s home. Ideally, store charts in a locking file cabinet or safely in the workforce member’s home.
Exercise the same care that is necessary when transporting laptop computers. Don’t leave charts in plain sight in an unattended vehicle. If it becomes necessary to leave the charts in an unattended vehicle, lock them in the trunk, or out of sight of passersby if there is no trunk. You must document these practices (transportation and remote storage of charts) in policy and enforce them.
If the charts are stolen, ultimately the practice is liable. The incident would be considered a breach of unsecured PHI, and the practice would be required to notify patients within a reasonable period of time and follow all requirements of the interim breach notification rule (45 CFR 164.400–164.414).
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question. He has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.
Mac McMillan, CISM, has an insider’s look at what it’s like to undergo a HIPAA compliance audit.
A hospital randomly selected by OCR for its initial audit phase consulted with McMillan to assist with the audit process. The hospital underwent an audit by KPMG, LLP, the company that OCR hired to conduct the audits. OCR selected the hospital as one of its initial 20 audits.
McMillan, CEO of CynergisTek in Austin, Texas, shared what he learned during “2012 OCR Audits and Enforcement: A View from the Front Lines,” a recent webcast sponsored by ZixCorp. Upon completion of pilot testing, OCR will evaluate the process, and KPMG audit teams will conduct up to 130 additional random audits of healthcare organizations before the end of 2012. The audits are scheduled to begin in May.
The HITECH Act mandated the audits, which will measure healthcare organizations’ compliance with the HIPAA Privacy and Security Rules and breach notification rules.
This article is adapted from an article that originally appeared in the April Briefings on HIPAA published by HCPro, Inc.
Accretive Health, Inc., a consulting firm charged with violating health privacy laws, has asked to have the lawsuit dismissed, according to an April 30 report in the StarTribune. Accretive lost a laptop computer containing the medical data of 23,500 Minnesota residents last year.
The company claims that because no consumers have been harmed as a result of the lost data, claims of consumer fraud in Attorney General Lori Swanson’s lawsuit are baseless.
Swanson’s lawsuit seeks an order that would require Accretive to inform patients of the information collected, how that information will be used, and where that information has been sent. Accretive has accused Swanson of creating a media campaign against the company rather than settling the issue in court.
Source: StarTribune
Editors here at HCPro, Inc., the company that distributes this e-newsletter, attended the Health Care Compliance Association’s annual conference at Caesars Palace in Las Vegas April 29 to May 2.
We know -- HIPAA was a hot topic. The learning sessions we attended were packed.
We’d love to hear your accounts on those sessions. Any great takeaways? Things you’re already working on with staff?
Let us know!
Email Senior Managing Editor Dom Nicastro at dnicastro@hcpro.com!
I have a friend who is a Facebook friend of a nurse in a hospital in another state. This nurse posted a picture of herself posing with an athlete who had come to the organization for care.
The caption said something like “You were a great patient and even a better player.”
The first comment on her photo was “HIPAA VIOLATION.” Her response — “No, I didn’t say why this person was here.”
I think she still violated the rules – the patient’s name, face, hospital, approximate time of admission – all easily understandable from the post.
What do you think?