HIPAA audits and redacting
Editor’s note: Ancil Lea is the former coordinator for the Arkansas Office of Health Information Technology. Opinions, commentary and other essays posted in this space are wholly the view of the author(s).
–––––––––––––––––
One of the latest coffee meetings that got my attention was one I had recently at Starbucks about a HIPAA audit and the Office of Civil Rights (OCR).
Sitting down with a hospital CEO, we were going over several things, and during the course of the conversation she mentioned that her organization had recently gone through a HIPAA audit and how painful and intense it was. (HIPAA, stands for the Health Insurance Portability and Accountability Act of 1996, which includes provisions about patient privacy.) They passed, but it took a lot of “time and resources” to make it all happen. I believe this is probably an understatement on the amount of time and attention they gave to this process.
What really grabbed me about this conversation was a “little” item she mentioned about providing patient information.
When they were notified of the audit, the first thing an organization like this did and does is pick-up the phone and call their attorney. Smart move. They help orchestrate and advise during the process. She mentioned a small, MOST important detail revolved around, “redacting patient information” to give back to the OCR. I had her repeat this detail several times to get a grasp on this. She told me that if they had provided patient information to the OCR without redacting protected health information (PHI), they would possibly have been fined. A small but HUGE item. You would think that when working with the OCR that providing them information they already have, you wouldn’t have to redact. Not so.
Tim Ezell, an attorney with Friday, Eldredge, and Clark, specializes in healthcare law.
“Even when a provider is permitted under HIPAA to disclose health information, in many circumstances the ‘minimum necessary’ rule will still apply,” he said. “This means that the provider must make reasonable efforts to limit the health information disclosed to the minimum amount necessary to accomplish the intended purpose of the disclosure. Providers should be aware of this requirement and make redactions when and where necessary.”
Most hospitals or large clinics would have an attorney on speed dial for a case such as this. My fear is that a clinic in rural Arkansas/America would begin to comply quickly and overlook this small but costly detail. The office manager would start hustling and getting info to these guys (OCR), doing their best, and then find they’d receive substantial fines by trying to comply, but missing this detail. One never thinks they would have to redact something they’re sending to the government.
My advice is to find an attorney who specializes in this kind of audit and law, NOW. Set a time to meet with them and have a plan in place. Work with consulting firms that specialize in security risk and HIPAA compliance. Do the work up front and have things in place beforehand.
Another one of those critical items you can do upfront is have a “Meaningful Use” notebook that validates each item attested to with hardcopies. This would include numerator and denominator with backup, when indicated, as well as screen shots proving they have met the requirements.
And, when in doubt – REDACT!