One of the most common causes of Health Insurance Portability and Accountability Act (HIPAA) violations involves the mishandling of Protected Health Information (PHI). Whether you're a doctor, chiropractor, dentist or any other covered entity, you should follow these tips when handling PHI to avoid violations.
Destroy Outdated and Inaccurate PHI
PHI that's outdated, inaccurate or otherwise no longer needed by your healthcare practice should be destroyed. Keeping it stored in your facility (or elsewhere) only increases the risk of a data breach. Furthermore, it could result in a fine if your practice is ever audited by the Office for Civil Rights (OCR). And with the OCR currently conducting the second phase of its HIPAA audits, that's a very real possibility.
Obtain Patient's Authorization When Sharing PHI
Before sharing or otherwise disclosing PHI, covered entities should first obtain authorization/consent from the respective patient. While the Office for Civil Rights (OCR) allows covered entities to disclose PHI without authorization in certain circumstances, these are typically few and far between. Normally, you'll need the patient's authorization before you can disclose his or her PHI outside of your healthcare practice.
Honor PHI Requests
Under the HIPAA Privacy Rule, healthcare patients have a legal right to obtain a copy of their PHI used and/or stored by their healthcare provider. So if a patient requests a copy of his or her PHI, you must honor this request by providing it.
Train Employees How to Handle PHI
Even if you know how to properly handle PHI, one or more of your employees may not. That gap could trigger a HIPAA violation and subsequent penalties if your practice is audited. To prevent such heartache, train employees on the nuances of HIPAA and how to correctly handle PHI.
Always Use Business Associate Agreements with Third Parties
If you plan on disclosing PHI to a third party, be sure to use a Business Associate Agreement (BAA). This document is required any time a third party has access to a covered entity's PHI. Even if it's nothing more than an email service or cloud storage service, you need a BAA. Some covered entities overlook this step, only to get hit with hefty fines and other penalties later when they are audited by the OCR.
These are just a few tips that covered entities should follow when handling PHI. Implementing them in your healthcare practice helps to create a HIPAA-compliant environment while respecting the privacy of your patients.