Handling Patient PHI

We all know how imperative it is to protect our patients' PHI. And we all have policies and procedures in place (or should have) to ensure our providers, staff and business associates are following the legal requirements surrounding uses and disclosures of PHI and ePHI. But are you monitoring to make sure your policies and procedures are ACTUALLY being followed? What safeguards do you have in place to limit the damage if a breach occurs? Do you have a corrective action plan? Practices often assume that because policies exist, they are being adhered to. That is not necessarily the case, as St. Luke's-Roosevelt Hospital Center in New York recently found out.

HHS announced last month that St. Luke's paid $387,200 to settle potential HIPAA violations stemming from a complaint that sensitive patient information had been mishandled. The OCR's investigation revealed that staff impermissibly faxed a patient's PHI (including HIV status, medical care, sexually transmitted diseases, medications, mental health diagnosis and physical abuse) to his employer, rather than sending it to the personal post office box the patient had requested. Also in recent news, Memorial Hermann Health System (MHHS) in Texas paid the OCR $2.4 million to settle potential HIPAA violations stemming from the impermissible disclosure of ONE patient's PHI to the media and others, without the patient's authorization. A corrective action plan was part of that settlement as well.

Mishandling of PHI and ePHI can be very costly to an organization. Ensure you have adequate policies and procedures in place, and then verify that they are followed: the St. Luke's case turned on a single fax sent to the wrong recipient, so confirm the destination of any fax or mailing against the patient's written request before it goes out. Continually train your staff and providers. Audit your Business Associate Agreements to verify that all HIPAA requirements are addressed. Make sure you have a hotline and a web-based tool for employees to report actual or suspected incidents, backed by a comprehensive incident management process to address the concerns raised.

Billingology offers Virtual Compliance Officer services, assisting practices in the development and ongoing management of an active, working compliance program, built on a robust compliance software platform.