In 1996 Congress passed the Health Insurance Portability and Accountability Act (HIPAA). One of the components of the law was to protect the privacy of patient information. This law required covered entities to properly store and then destroy patient information. Doctors and hospitals now had to secure the information in their care.
Since it became law, the use of medical records has changed significantly. We are in the middle of the national conversion to electronic medical records (EMRs). The Health Information Technology for Economic and Clinical Health Act (HITECH) was part of the stimulus package and encourages the conversion to EMRs. This is done with a carrot in the form of grants to digitize, but also with a stick in the form of reduced Medicare payments for practices that don’t have EMRs.
The use of EMRs provides many benefits to the medical profession but also brings new risks. Instead of a few files found in the trash, a single stolen disk drive can hold the information of thousands of patients. This is the reason HITECH mandated the disclosure of breaches of patient data.
Medicine has also changed. It is now much easier to obtain and use genetic information. To protect privacy, the Genetic Information Nondiscrimination Act of 2008 (GINA) was passed. It limits the use of genetic information.
To implement the changes from the new laws, the Office for Civil Rights (OCR) has issued final rules on how the law will be applied. The OCR is responsible for enforcing the provisions of the law. The full release is on their website, but here are some of the major changes:
- Business associates of covered entities are now liable for compliance with HIPAA Privacy requirements.
- Limit the disclosure or sale of protected health information without consent from the patient.
- Expand individuals’ rights to receive electronic copies of their health information.
- Restrict disclosures to a health plan when the patient has paid for the treatment out of pocket.
- Require modifications and redistribution of the notice of privacy practices.
- Update the individual authorization for research and the disclosure of immunizations.
- Increase access to decedent information by family members or others.
- Adopt HITECH security enhancements to the Enforcement Rule concerning willful noncompliance.
The changes go into effect on March 26, 2013. Practices will have 180 days to comply with the new enforcement provisions. If you want a date, it is September 23, 2013. HHS Secretary Kathleen Sebelius said, “The new rule will help protect patient privacy and safeguard patients’ health information in an ever-expanding digital age.”
Medical records contain sensitive information about patients and their health, and it is imperative that they are well taken care of. These records contain enough information to make identity theft easy, and it is for this reason that professional medical records shredding services are required to keep those records from being stolen. It is no longer enough to throw away records or medical charts, which can easily be sifted through during the recycling or trash collection process.
With all the news of data breaches, patients want to know about the privacy of their medical records. The increasing threat has made people more aware, and now they want to know where their information is kept and whether it will remain confidential. Hence, medical records shredding has become paramount, not only to safeguard the rights of our clients but also to prove the credibility of medical institutions. Following are some of the reasons why medical records shredding is becoming a necessity:
Identity theft is a common crime in the United States, with millions of people victimized each year. Medical records contain a lot of personal information about a client, more than enough for any criminal wishing to wrongfully acquire that information. Document shredding services make sure that the information is shredded and destroyed in such a way that it becomes inaccessible.
In order to win over patients’ trust, you need to assure them that their information is safe with you and that you will take all possible measures to make sure it does not end up in the wrong hands. Patients’ information is sometimes quite sensitive, and the only way to provide complete assurance is to guarantee that their documents will be fully destroyed.
It is the Law
HIPAA (Health Insurance Portability and Accountability Act) requires the security of patient records. This includes secure disposal of all patient records.
Document shredding is vital in this day and age, especially for sensitive information like medical records. You can opt for either onsite or offsite document shredding services based on your own preferences and needs. You will not only be doing yourself and your clients a favor but will also be helping Mother Nature, as the shredded documents are then passed on to recycling plants, saving a lot of trees from being cut each year.
Many smaller medical practices have shrugged off the threat of HIPAA violations. It was hard to argue with them. The Department of Health and Human Services (HHS) has targeted large organizations in the past. That has changed with the announcement of an agreement with the Hospice of North Idaho (HONI).
The violation happened when a laptop from HONI was stolen. The computer contained unencrypted data with the personal health information (PHI) of 441 patients. The event happened in June of 2010. Since then, HONI has taken many steps to protect the information of its patients.
This is the first prosecution of a breach affecting fewer than 500 people. The settlement calls for a fine of $50,000. It is an expensive mistake for a smaller practice to make. The HITECH amendments to HIPAA require the practice to notify patients when there is a breach of medical data.
Medical practices of all sizes are now on notice that HHS is actively looking for anyone who violates HIPAA. They are taking the security of medical information very seriously. It is easier to protect the paper documents. The first part is the physical storage of the records and then shredding them once they are no longer needed.
Protecting the electronic records is a bigger challenge. Not many doctors understand the security requirements for networks and servers. This requires the expertise of a network security expert, who can audit how the records are stored and shared. But in the end, the weakest link is the lost laptops and data tapes that people take home. These are inviting targets for thieves looking into car windows or on the bus. A better solution might be cloud storage. This allows a practice to focus its security on one server instead of many computers that may not be as secure. The benefit is that the data is now available to anyone with an internet connection.
Few papers are more regulated than medical records. HIPAA has been in place for years and covers the safe storage and disposal of personal health information (PHI). Now the Department of Health and Human Services (HHS) is more aggressively going after HIPAA violators. It is hard to imagine the average practice has $1.5 million in reserves to pay the HHS in fines.
The HITECH additions to HIPAA now require practices to notify patients of any data breach. A notice to patients is not only expensive but destroys the credibility of the practice in the eyes of the patient. Trust is valuable for any business, and even more so when it is your health that is at stake.
Many practices are moving to electronic medical records (EMRs). This has the advantage of eliminating much of the expense of storing and shredding paper. However, it will be decades before paper is completely eliminated from medicine, and all of it still needs to be properly destroyed.
Most doctors’ offices now have a shredding service that helps them with their HIPAA compliance. It makes it easier to have a destroy-all-paper policy, so there is never a question of what needs to be destroyed and what can be thrown away. The service comes by and provides a certificate of destruction. The good news is that the convenience costs less than buying shredders for everyone.
The biggest surprise is the satisfaction of the patients. When people are sick they can be very sensitive. The loud grinding of a shredder is sometimes too much for patients. This makes the staff move the shredding to outside patient hours. And since no one likes to come in early or stay late at work, it just piles up.
It is the pile of un-shredded paper that is the biggest risk to a HIPAA compliance plan. Eventually someone will toss them in the dumpster to avoid the work of shredding. With so many people going through dumpsters there is the risk they will be discovered and reported to the news or police. That is how HHS uncovers complaints.
In 1974 Congress passed the Privacy Act. This is the grandfather of all the current privacy laws. It put into law that “the privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information.” It covered how companies and organizations needed to protect personal information. This kick-started the shredding industry, as information now needed to be properly destroyed.
It has had several additions over the years. Some of the biggest changes include the Fair Credit Reporting Act (FACRA) in 2001 and the Fair and Accurate Credit Transactions Act of 2003. These cover most financial transactions and companies. For medical information there has been the Health Insurance Portability and Accountability Act (HIPAA) in 1996 and the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009.
But Senator Daniel Akaka of Hawaii is wondering if the Privacy Act itself needs an update. The advance of technology has made much of the act out of date and irrelevant. Digital records allow for a whole different set of threats to individuals’ privacy. Just one example is the data breaches that affect millions of people through a single mistake or hacker.
There is also a giant loophole in the Privacy Act for “routine” information. This can be disclosed without the user’s consent. So as governments continue to use more private databases, they are sharing more information without even the disclosure that most financial institutions like to hide in the fine print of their privacy policies.
Senator Akaka has submitted an amendment to cybersecurity legislation that is making its way through the Senate. It will be interesting to see if it can get any traction this year.
James Pyles is an attorney who specializes in the privacy rights of patients. He thinks there is a need to extend more privacy protections to patients. He has authored the Health Information Privacy Bill of Rights. The goal is to bring the same level of privacy protection that consumers get to patients.
As the nation moves to electronic health records (EHRs) at the direction of HITECH, holes are forming around patient privacy. It is no longer just about shredding medical records. This data is now sold for research and marketing purposes without the knowledge of the patient. This can no longer be done with financial records.
There is also more security that needs to be put in place. The number of breaches of patient data is alarmingly high. There are requirements in 46 states to notify patients of breaches, but every state is different, and four states still have no requirement at all.
A lack of privacy for patient data may also lead to bad medical outcomes. People needing mental healthcare may avoid it since the information is not private. Leaving these problems untreated can lead to problems for society at large. There may also be reluctance to get treatment for STDs or other stigmatized diseases.
EHRs have the potential to be of great benefit for the patient as well as for the medical community. Records can now be shared more easily, which is nice when you want your records sent to a specialist, but most people don’t feel the practice has the right to sell your information without your knowledge. Let’s hope privacy legislation like what Mr. Pyles is proposing can help close the gap.
Washington has been unable to pass a national data breach notification law. This is the result of a lack of interest and the standard gridlock from politicization. The one exception is for medical data that was part of the HITECH updates to HIPAA.
The problem is that 46 states, the District of Columbia, Puerto Rico and the Virgin Islands have filled the void with their own laws. For businesses working in multiple states it can be very confusing. Every state law is different in the size of breach, type of breach, and notification method. Here is a good list of each law from the National Conference of State Legislators.
So for those of you wondering who the four states are that have avoided the trend to require data breach notification, they are Alabama, Kentucky, New Mexico, and South Dakota.
For businesses in the 46 states, or anyone who handles medical information, there are some simple steps to make sure you never need to notify your customers.
- Limit access to private information with locked doors and locked file cabinets.
- Perform a network security audit on computers and servers. Make sure nothing sensitive is exposed on the internet.
- Shred everything you no longer need. Keep a copy of your certificate of destruction on file for your compliance records.
More than 1000 medical records have been found in a recycling dumpster at a school. The incident happened in Kansas City, Kansas. The records originated at Affordable Medical and Surgical Services. The office closed in 2005 after Krishana Rajanna lost his medical license.
Dr. Rajanna admits to leaving the records in the recycling dumpster at Brookridge Elementary. He believed they would be destroyed quickly. However, that dumpster is only emptied monthly. It is also not protected until it is picked up.
What makes this a larger issue is the type of practice that Dr. Rajanna operated. The clinic offered abortion services. Some of the records contained histories that included the procedure.
No medical records should ever be treated with such disregard. HIPAA requires proper destruction of medical records. But a doctor should know better even without a law mandating the safeguards. It is not surprising the clinic was closed.
The only secure way to shred paper remains hiring a good shredding service. There are several options for Kansas City shredding.
Jacquelyn Romero was looking for boxes to store her Christmas decorations but got more than she expected. She found what looked like good boxes by a dumpster, but they weren’t empty. They were filled with medical records. The files included all the basics you need for identity theft.
Jacquelyn called the local news with the problem. It is still unclear who was responsible for the records. They are now with the Nevada Board of Medical Examiners.
Shredding medical records has been a federal requirement since HIPAA went into effect half a dozen years ago. The fines that can be imposed are very punitive with the HITECH changes to the law.
If you have medical records, we have some great Las Vegas shredding services that can help you out. They can turn medical records into bits and then recycle it all.
According to a study by the Ponemon Institute, the healthcare industry is not providing the funding needed to protect patients’ private data and comply with HITECH. The numbers are not very promising.
The average number of data breaches per organization was 4.1. This is a 32% increase over the same survey last year. The number of records exposed in each breach was up 46%. It took 1-2 months to notify patients of the breach. Worst of all, 33% of the respondents to the survey thought the breaches had led to identity theft.
The sources of the breaches remain the same: lost and stolen computers and drives. The problem is only going to get worse as doctors move to mobile devices like tablet computers.
Since they know they have a big problem, and with the increased pressure from the increased HITECH fines, the hospitals must be working very hard to fix the problem. Unfortunately, that is not the case. Only 29% of respondents believed that data security was a top priority for their organizations.
Until we see some of the HITECH fines actually imposed, many hospitals will ignore the holes in their data security. It is going to be most painful for the first ones they make an example of.