Tom Murphy is an experienced risk management consultant who provides guidance to medical professionals and entities on risk and claims management. He has over 30 years of experience in these areas. Katherine Becker is an associate consultant at Acevedo Consulting who has legal and healthcare compliance experience. She advises clients on HIPAA, Medicare, Medicaid and other regulatory issues. The presentation discusses common HIPAA compliance issues like having updated policies, justifying fees for patient records, securing protected health information, and using business associate agreements. It emphasizes reviewing practices from an audit perspective and training staff on policies to avoid penalties from regulatory agencies for violations.

1. HIPAA: How to Avoid Becoming a Worst-Case Scenario
Katherine Becker
Acevedo Consulting
561.278.9328
kbecker@acevedoconsulting.com
Tom Murphy
Danna-Gracey
800.966.2120
Tom@dannagracey.com

2. Tom Murphy: Danna‐Gracey
 30 years of extensive experience with claims and risk
management
 An experienced risk management consultant, providing
physicians and various medical entities with risk and
claims management techniques for implementation
 Maintains an advisory position for various societies
involving malpractice, claims and tort reform
 A frequent guest lecturer for numerous medical societies
and associations, sharing his expertise with the medical
community while gaining additional insight into the
business of medicine
 Performs malpractice claims studies for medical specialty
societies

3. HIPAA – How to Avoid Becoming a Worst‐Case Scenario
Today’s Speaker:
Katherine Becker,
JD, LLM, CHC, CHPC, CPC‐A
Associate Consultant
Katherine Becker is a graduate of the University of Wisconsin Law School and received her LLM in
healthcare law from the Loyola University Chicago. She has experience working in the courts,
lobbying as well as private practice. She had the honor of serving as a Judicial Intern for the
Wisconsin Supreme Court, where she researched and participated in drafting opinions. Her
experience includes analyzing the effect of new legal developments on clients’ business interests;
experience which she uses to help Acevedo Consulting’s clients in navigating the compliance risks
inherent in health care reform. Katherine uses her background in health care and law to assist clients
in developing and maintaining compliance and HIPAA programs. She also assists clients with
Medicare and Medicaid enrollment, as well as state licensing with the Agency for Health Care
Administration. Katherine also advises clients on participation in incentive programs such as PQRS
and Meaningful Use. She also works with Accountable Care Organizations offering guidance as they
develop and maintain compliance for participation in the Medicare Shared Savings Program.
Katherine is certified in Healthcare Compliance (CHC) and Healthcare Privacy Compliance (CHPC)
through the Health Care Compliance Association and a certified Professional Coder (CPC) through the
AAPC.

4. Policies
• Do you have policies?
• When was the last time you read them?
• Are you training your staff on your policies?
4

5. Patient Compliant
• Patient requests x‐ray records from doctor’s office and is told there
will be a $15 fee.
• Patient complains to the practice about the fee and does not receive
a response.
• Patient files a complaint with the Office of Civil Rights.
• Have we heard from OCR?
5

6. Patient Record Fees
• What do you charge patients for copies of their records?
• Do you have different fees for different types of records?
• Paper
• Electronic
• X‐rays, MRI, etc.
• Are your fees published for your patients?
• In Notice of Privacy Practices?
• Record Request Form?
• Policies?
• Website?
6

7. Portal
• You cannot charge patients for retrieving their records
through the patient portal.
• Make sure that your portal works and is being used
appropriately. For anyone who has been attesting to
Meaningful Use, you’ve been attesting that you have a
patient portal and it works.
7

8. Review Your Policy!!
• Make sure you can justify the cost you are charging to the patient.
• Based on cost of materials
• Salary of person who is filling request
• Cost of postage
• You are allowed to use an average cost, but it must be reasonable.
• Make sure you update all relevant policies or signs that include a
cost.
8

9. Lost Records
• Physician loses over 100 patient records after his car is broken into.
• Some records include complete social security numbers, date of birth
and payment information.
• Breach was reported January 2015.
• Have we heard from OCR?
9

10. Records
• Where are your records?
• Paper, electronic, etc.
• If electronic are they sitting on the actual hardware or is it being accessed
remotely?
• If PHI resides on the hardware, it is mobile?
• Are devices with PHI encrypted?
• Who is allowed to leave with PHI?
• Who is allowed to have remote access to PHI?
• Do you have policies?????
10

11. Patient Complaint
• Practice sends out an email to patients letting them know the
practice will no longer be accepting Blue Cross Blue Shield.
• Practice forgot to BCC patients, so the entire contact list was visible
to all recipients.
• Patient complained to the State Attorney’s office.
• Did the State Attorney’s office respond?
11

12. Complaints
• Make sure your staff is trained on how to handle patient complaints
whether expressed verbally or in writing.
• Who handles complaints?
• How are the complaints documented?
• Patient’s chart?
• Central complaint file?
• Note: At no time during the OCR audit were we told who the
complaining patient was.
12

13. Record Request Mix Up
• Patient emails doctor asking for his medical records to be either
mailed or sent via FedEx. Patient says the office offered to fax him
the records, but he does NOT want them faxed as he shares the fax
machine with the whole office.
• Patient receives records via fax and from multiple people in his office.
13

14. Record Requests
• How are record requests handled?
• One person? Whoever receives the request?
• How will you send record requests?
• Mail?
• Email?
• Fax?
• In person pickup?
• How are requests documented?
• Form?
• Verbal?
14

15. Email
• Patients generally have the right to receive copies of their
PHI via email.
• You must warn them that unencrypted email is not a
secure form of communication.
• If the patient accepts the risks, then you must comply.
• Make sure you have the risks and patient consent in
writing!!
15

16. Email Access
• This should be a very controlled form of access. Not everyone should
have the ability to email patients.
• Do NOT let employees email patients their records from personal
email addresses.
• If you do not have a corporate email, set one up and make sure that
the privacy officer maintains control of the account.
• Audit this heavily. Make sure that patients who have received PHI via
email have the corresponding request in their chart.
16

17. HIPAA in the Media
• NFL player visiting S. Florida over the 4th of July has an incident with
fireworks.
• Media picks up on the event through police reports, but no one
knows what the injury was.
• Employee from Jackson Memorial Hospital took pictures of the
patient’s medical record and sent them to ESPN.
17

18. Results so Far
• Hospital has fired 2 employees
• OCR is still investigating
• NFL player is suing ESPN as well as the hospital
18

19. Social Media
• Practice had a biller who used Snapchat to share a patient photo with
coworkers.
• Practice had policy about cell phone use in the office, but was not
following it.
• Do you have policies on:
• PHI on devices?
• Social Media?
19

20. Handling Patient Information
• Have you trained your staff on the appropriate use of PHI?
• Remember HIPAA has a minimum necessary standard!
• Patient records are not for our own amusement whether the patient
is someone we happen to know or a celebrity.
• Make sure that you have found ways to audit who is accessing PHI.
20

21. Improper Marketing
• OCR settles with a PT Group for $25,000, implementation of a
corrective action plan and annual reporting of compliance for a one
year period.
• PT Practice failed to reasonably safeguard PHI
• Improperly disclosed PHI without an authorization
• Failed to implement policies and procedures with respect to PHI that
were designed to comply with HIPAA’s requirements on
authorizations.
• What did they do?
21

22. Patient Testimonials
• Make sure you have a signed authorization before including patient
testimonials on your website, walls, etc. and save it!!!
• Never assume that a patient is ok with you sharing their information
with others no matter how happy they were with your services.
• If you intend to use the patient testimonial make sure the patient
sees a copy of it first and approves.
• Is it just text?
• Do you use full name?
• Do you include a picture?
22

23. Business Associate Agreement
• OCR initiated a breach investigation after a breach report on
September 27, 2011 which indicated that an unencrypted password‐
protected laptop was stolen from a business associate’s employee’s
locked vehicle.
• During the investigation it was determined that:
• There was not a business associate agreement in place
• The organization had failed to do a system wide security risk assessment.
23

24. OCR Result
• Penalty of $1.5 Million
• Required to develop an organization wide risk analysis and risk
management plan
• Required to train all appropriate work force members on all policies
and procedures
24

25. Business Associate Agreements
• Make sure you have a business associate agreement with anyone
outside your organization that handles your PHI
• Shredding company
• Lawyers
• Outside transcription
• Auditors
• Etc.
• Make sure your agreements are current and reflect your relationship
as it exists now.
25

26. Security Risk Analysis
• Make sure you have a Security Risk Analysis
• This should be reviewed at least yearly, but may need to be done
more frequently if there are changes to the practice that change your
risks.
• Make sure you can defend your answers when you identify a risk
area. For instance if you have PHI residing on mobile devices, but are
choosing not to encrypt what is your justification for that?
26

27. What is the takeaway?
• A complaint by one patient is just as powerful as a breach of
hundreds of patients.
• Never assume that something “goes without saying”
• Look around your office now, is there anything you would
not want to have to defend?
27

28. When Reviewing Your Policies
• Always view it from the perspective of an audit.
• When was the last time you trained your staff on your policies?
• Audit your own policies and work flow to make sure that the two
match. If they don’t you need to determine whether the work flow
or the policy needs to change.
28

29. Most of the Time Your Medical Malpractice Insurance
Doesn’t Offer Enough Coverage
Your Business Office Policies Don’t Cover Cyber
Do I need additional insurance?

30.  Claims Made by Clients or Employees
 Regulatory Procedures
 Fines and Penalties Relating to Privacy Laws
 Cost to Notify Affected Individuals
 Cost to Restore Data/Computer Programs Damaged by Hackers/Virus
 Business Interruption and Extra Expense Due to a Breach
 Some Policies Include Loss of Money Due to Hacking
What does Cyber Insurance cover?

31. Questions?
Tom Murphy
800‐966.2120
Tom@dannagracey.com

32. Acevedo Consulting Incorporated
2605 West Atlantic Avenue, Suite D‐102
Delray Beach, FL 33445
561.278.9328
www.AcevedoConsultingInc.com
32