Does your practice know what to do when protected health information gets in the wrong hands?

Medical practices and healthcare organizations deal with the personal and private information of their patients daily, and it can be more difficult than ever to keep that protected health information (PHI) protected with the increased use of technology.

“Working in a healthcare practice or organization, we’ve all experienced a situation where something has gone wrong to the wrong place, and then it’s the question of what do we do. How do we protect the PHI that maybe fell into the wrong hands?” says Kathryn Wickenhauser, MBA, CHTS, regulatory compliance advisor, DataFile Technologies, Kansas City, Mo., in this episode of the MGMA Small Talk podcast. Wickenhauser says the first step is to understand the difference between incidents, violations and breaches:

• Incident: “This is when a situation is brought to your attention and it is a cause for pause,” says Wickenhauser. But when you investigate the situation, you may find it actually was an appropriate authorization. “It’s an opportunity to look back at your protocols and procedures to prevent it from happening in the future,” she recommends.
• Violation: “This is a nonreportable, unauthorized disclosure,” Wickenhauser says. PHI may have been sent out accidentally and an unauthorized recipient received the information, but your organization can demonstrate a low risk of compromise to the PHI and to the patient. For example, if the unauthorized recipient is a covered entity, who is legally obligated to protect the PHI, that would be a violation but would not need to be reported to the Office for Civil Rights (OCR).
• Breach: This is an unauthorized disclosure of PHI, which does need to be reported to OCR and the patient. “This would be a situation where there is an unauthorized recipient or you become aware that the records did not reach their intended destination and you cannot demonstrate that low probability of compromise,” Wickenhauser explains.

Wickenhauser says with the advent in EHRs, there has been a shift in the way violations and breaches are occurring. “Now more than ever what we are seeing is misfiled information in the patient’s chart is what is causing the violation,” she says.

Listen to the full episode to learn more about how to protect your practice from data breaches and other HIPAA violations.  

Visit our Podcasts page to hear more episodes of MGMA Small Talk, or subscribe on Apple Podcasts, Google Play or SoundCloud so that you’ll never miss an episode.