It’s been a challenging year for HIPAA compliance. OCR levied more than $20 million in breach settlement fines. Ransomware rocked the healthcare industry.
As OCR's auditors wrap up the final desk audit reports for phase two of the HIPAA audit program, many covered entities (CE) are breathing a little easier. Only 167 CEs were selected for desk audits in July. Audited CEs can expect to wait several months to see the final audit reports, although they will have the opportunity to review a draft version and submit comments that will be attached to the final report.
But phase two is far from over. Business associates (BA) will be selected for desk audits this fall—the first time these entities will be subject to OCR's HIPAA audits. And early next year, OCR will launch comprehensive on-site audits of both CEs and BAs.
Q: In our pharmacy dispensing system, we can enter free-form notes for certain records such as a patient record, prescription records, and physician records. This field is used to enter notes that are customer service?focused and not treatment- or payment-related in nature. Would these notes be considered PHI, and would record retention requirements apply to these notes?
Social media is everywhere—even inside the walls of hospitals. Staff may log into personal accounts during lunch breaks, and many organizations maintain official social media accounts; plus, of course, patients and visitors often rely on social media to keep in touch with friends and family. For many, social media is so much a part of their everyday routine that the benefits are almost too obvious to list. Yet the risks—including potential HIPAA violations—are often not as clear, and privacy and security officers need to stay aware of them.
Q: We recently received a request for a patient's records. The patient transferred to another provider several years ago and we subsequently transferred all the patient's records to the new provider. Should I direct the request to the provider the patient transferred to? I'm unsure that we should be responsible for retrieving and releasing information for this patient since we transferred the patient's entire record to the new provider.
A: If you sent a copy of the patient's records to the new provider and still have the original records, it would be appropriate for you to respond to the request. If you transferred all records to the new provider and no longer have the patient's information, refer the request to the new provider.
Editor's note: Mary Brandt, MBA, RHIA, CHE, CHPS, is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for BOH. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com.
