Over the years, fax machines have become a fixture in virtually every office – including doctors’ offices. With the advent of HIPAA regulations and their HITECH overlay, however, doctors may begin to look at their fax machines in a totally new light.
Let’s face it: if you have sent enough faxes, chances are that you or a member of your staff has sent a fax to the wrong number. Because of this, virtually every fax cover sheet gives instructions as to what to do if the wrong recipient gets the fax.
What happens when protected health information (PHI) is sent to the wrong recipient?
While technically this may not be covered by the new HITECH rules, it would be covered by the general HIPAA regulations and, therefore, depending on the number of patients affected, HHS would have to be notified either immediately or at the end of the year.
This is especially troubling in light of the fact that many doctors’ offices still send their encounter forms or superbills to medical billing companies by fax. In a recent interview, Susan McAndrew, the Deputy Director for Health Information Privacy for OCR (the new sheriff in town to police HIPAA and HITECH violations), reported that the breach numbers for the month of January 2010 are as follows:
• As of January 2010, there have been 35 reports of breaches affecting 500+ individuals, resulting in 712,000 notices;
• Most of those reports involved electronic PHI (E-PHI) and concerned lost or stolen unencrypted media or portable devices;
• There were more than 300 reports of smaller breaches; and
• Most of the paper-record breaches were faxes sent to wrong numbers and mail sent to wrong addresses or wrong individuals.
It is frightening to think that a misdialed number on a fax machine can begin the process of risk assessments, notifications and fines simply because of an oversight in your medical practice. There has been very little, if any, proactive enforcement of HIPAA on the part of the government, and because the enforcement and assessment of penalties for HIPAA violations have been virtually non-existent, many holders of protected health information (PHI) have, at some level, grown accustomed to certain practices that have never been questioned or tested. They have, therefore, convinced themselves that they are in compliance with the law.
The rules of the game, however, are rapidly changing and many people are not aware that the government is mandated to and, in fact, intends to police the medical profession and enforce its laws and regulations through “periodic audits.”
Based on a statement from Susan McAndrew, the calendar for when these periodic audits will take place has not yet been established. Essentially, she said that OCR is considering its budgetary means and the most effective methodologies as there are many ways to accomplish these periodic audits.
In future posts to this blog and submissions to our website www.gs3medicalbilling.com, we will make various materials available to keep medical professionals abreast of developments and to point out some of the issues and challenges they may face regarding compliance with HIPAA and HITECH.