Vol. 12 • Issue 11 • Page 27
HIPAA’s Impact on the Management of Paper Records
It seems that everyone working in health care these days is talking about the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Few laws have created more confusion and more concern. Who does it apply to? How will it affect daily business? How does it affect the storage of medical records?
HIPAA’s goal is to encourage smooth, efficient and secure electronic health care transactions. In developing operational standards for HIPAA, the Department of Health and Human Services (HHS) must balance the desire for efficiency against patient privacy. HHS is still fine-tuning its approach to this daunting task. This means, for now, that the full implications of HIPAA are still at least partly unknown.
Paper Won’t Go Away
HIPAA’s regulations apply to a broad array of businesses in the health care industry that have access to protected health information (PHI). Such businesses include health care providers, health plans and health care clearinghouses (collectively, Covered Entities) and other businesses that exchange PHI with Covered Entities. Because of this broad scope, HIPAA is scalable to a variety of settings.
“Recognizing that medical records, X-rays and admission forms are still predominantly in paper form, HIPAA does not require Covered Entities to switch to electronic systems,” said Jennifer L. Urban, a health care attorney at Foley & Lardner who works extensively on HIPAA issues with a wide variety of health care clients. In fact, HIPAA says little about paper communications that contain PHI. According to HHS, the Electronic Transactions Rule does not apply to paper medical records or their transmission by fax. However, the Privacy Rule does have implications for paper medical records. The Security Rule, which is now in proposed form, will also impact the use of PHI in paper form.
The good news? In the case of paper communications, the Privacy Rule and proposed Security Rule reinforce best practices for protecting patient privacy. Most organizations already have these procedures in place.
Keeping Paper Private and Secure
In providing guidance on how to interpret the Privacy Rule, the U.S. Office of Civil Rights (OCR) stated that Covered Entities are required to “make reasonable efforts to limit access to PHI to those in the workforce who need access based on their roles.” In addition, the OCR states that Covered Entities should take “reasonable precautions to prevent inadvertent or unnecessary disclosures.”
Most organizations won’t require substantial remodeling to achieve HIPAA compliance. But the OCR does emphasize that Covered Entities “may need to make certain adjustments to their facilities to minimize access, such as isolating and locking file cabinets or record rooms, or providing additional security, such as passwords on computers maintaining personal information.”
The OCR’s interpretation of “reasonable effort” will be influenced heavily by a facility’s size and scope. “For example, locking the filing or shelving units may be the most effective means of limiting PHI access in a small group-practice office,” said Urban.
For larger health care organizations, high-density mobile storage is an option that offers both security and enhanced space utilization. Mobile storage eliminates wasted aisle space and offers options that can be adapted to meet security needs. By placing sensitive documents in a centralized area with controlled access, health organizations can take a substantial step forward in HIPAA compliance. Powered, programmable systems offer the most options, including remote system access to limit entry, while addressing many security concerns safely and effectively.
Some high-density mobile and rotary filing systems can now be equipped with code-access keypads that limit access. Codes are easily reprogrammed for enhanced security. Integrating information management software featuring security options and advanced labeling technology with high-density storage provides a reliable mechanism to track access.
Take Another Look
Your facility may have security and privacy issues well in hand. However, with HIPAA enforcement being phased into existence, it is an excellent time to re-examine your policies.
Large facilities that use a combination of paper and electronic formats should consider hiring a consultant to conduct security and technical audits to find the weaknesses in their systems. Smaller practices and facilities should be putting privacy and security procedures into place, training employees and investing in ways to limit PHI access.
These steps are about more than regulatory compliance. They are about preserving the trust that patients place in the health care system. That’s a trust worth protecting.
Christopher T. Batterman is director of marketing at Spacesaver Corp. and a nationally recognized speaker and presenter on mobile storage applications.
Paper and HIPAA:
10 tips for compliance
The following actions can help you remain compliant with HIPAA guidelines as they apply to paper documents:
1. Formalize policies–If your organization doesn’t have policies in place regarding access and security of protected health information (PHI), it’s time to draft them.
2. Lock up files–Although it’s not required, it’s much easier to comply with HIPAA if file cabinets containing sensitive information are locked.
3. Limit access–Only necessary personnel should have access to medical records, claim forms and other protected data. Options such as rotary and mobile storage centralize records and limit access.
4. Train your employees–Train new employees on PHI security and privacy as part of their orientation. Current employees should also receive “refresher” training.
5. Communicate policy changes–Policy changes regarding the handling of PHI should be communicated widely and in a timely manner to pertinent personnel. Use several communications channels–e.g., memos, e-mail, employee newsletters and department meetings.
6. Develop guidelines for “workstation” PHI use–The security standards will require that Covered Entities have guidelines for using PHI at their workstations. This refers mostly to computer usage. However, considering paper records when drafting these guidelines is a good idea.
7. Enter “chain of trust” agreements–When PHI moves from one organization to another, a “chain of trust partner agreement” is necessary to ensure that the same level of security will be maintained throughout the process.
8. Have a system in place to track access–The proposed Security Rule requires a mechanism to track PHI access. Some mobile storage systems integrate information management software that enables an unlimited number of security configurations. This combination also incorporates multilevel tracking and barcode technology that allows organizations to precisely track the physical location of stored items over time.
9. Follow termination procedures–A formal, documented procedure is required. It must include the following: changing combination locks; removing the former employee from access lists and user accounts; and retrieving keys, tokens or cards that allow access. Records administrators can easily reprogram the numeric codes on touch-pad access systems to ensure former employees are not able to enter storage systems.
10. Have a disaster plan–Electronic systems are now required to have disaster plans in place. This is a voluntary, but important, consideration for paper records. Programmable mobile storage systems can be wired into your facility’s fire and security systems for added protection. In addition, programmable systems have an automatic closing feature that protects valuable materials from fire and dust. A rechargeable battery is available as an option, for use in the event of a power failure.