Managing Patient Confidentiality
Erinn Morgan
When change is afoot at a practice—either with a pending sale or the departure of an optometrist—the confidential management of patient files is sometimes neglected. But this misstep could actually be against the law.
We checked with John G. Classé, OD, JD, a professor at the University of Alabama at Birmingham's School of Optometry, to determine the key areas of concern. “When patients arrive at an office, they are asked to sign a document that acknowledges they have been informed that the practitioner has a privacy policy for the protection of their health care information,” says Classé.
“Failing to transfer records properly violates that promise and subjects the practitioner to the possibility of legal sanctions. Knowledge of regulatory and legal requirements about confidentiality is essential to fulfilling this obligation to your patients.” Still, this important detail can get lost in the shuffle when a practice has been sold or is moving.
Read on to determine if your office is violating patient confidentiality—and how to adhere to the laws surrounding this important practice management issue.
WHAT IS HIPAA?
Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) laid down new ground rules regarding the availability of group and individual health plans. A few years later, in 2000, the HIPAA Privacy Rule was set up to govern how patient information, including files, was to be handled. The concept was to protect all “individually identifiable health information.” This includes patients' past, present, or future physical or mental health or condition, health care provided, payment information for health care services, and even demographic information.
WHO IS ACCOUNTABLE?
The “accountability” lineup includes health plans, health care clearinghouses, and all health care providers, which covers opticians, optometrists, and ophthalmologists.
HIPAA also applies to business associates. According to Classé, “Contracts are required for business associates and they are subject to HIPAA privacy provisions. If a business associate breaches HIPAA requirements, the practitioner is not responsible as long as there is a business contract with the associate that requires adherence to HIPAA.” HIPAA requires health care providers to notify patients in writing of the practice's privacy policy regarding protected health information. The practice must also retain this privacy notice after it has been signed by the patient.
“Although permission is not needed for disclosures of personal health care information for treatment, payment, and health care operations, requests for information from third parties require that the patient's consent be obtained through a patient authorization, which must be in writing and describe the disclosure and the purpose for it,” adds Classé.
WHAT IS OPTICAL'S BIGGEST COMPLIANCE PROBLEM?
“The most troublesome issue is the ‘dumping’ of records at a practice site when a practitioner leaves,” says Classé. “HIPAA requires the owner transfer them to a successor practitioner, not leave them unattended. ‘Dumping’ is not only a HIPAA violation, but also can be construed as unprofessional conduct by a state board of optometry.”
Classé notes that this would also be considered a HIPAA violation even if copies of the records were left behind unattended while the originals were being moved.
HOW DO ECPS NAVIGATE HIPAA WHEN TRANSFERRING OR DESTROYING FILES?
HIPAA allows practitioners to transfer patient records to a successor practitioner by sale “or other disposition” as long as that practitioner also abides by HIPAA requirements to respect confidentiality. According to Classé, this requirement “eliminates the need to personally notify all patients affected by the transfer,” though state laws or board rules may require some form of notification, such as publication of a notice.
When it comes to the destruction of records, HIPAA says paper containing sensitive information should be shredded or burned. “Removable magnetic disks and tapes should be degaussed,” says Classé. “Fixed internal magnetic storage can be cleansed by a rewriting process using software that overwrites the usable storage locations. Removable solid state storage devices (flash drives) can also be cleansed by overwriting.”
ARE PROVIDERS OFF THE HOOK WHEN THEIR PATIENT FILES HAVE BEEN TRANSFERRED?
According to Classé, although the “obligation to ensure confidentiality” is effectively transferred to a successor provider when “ownership” (not mere possession) of the records is transferred, if the circumstances of the transaction do not result in protection of confidentiality, then both providers may be held to have breached ethical requirements.
Thus, it is very important for ECPs to document that the transfer of their patient records was properly handled. “The appropriate language should be included in a sales or assignment agreement,” says Classé. “This agreement must be between the owner of the records and the successor to ownership or possession. The transfer of records is a key part of the transaction, and confidentiality of patient records and information should be described in writing within the contract that constitutes the agreement between the parties.”
ARE THERE LAWS BEYOND HIPAA GOVERNING PRIVACY?
Yes. All jurisdictions have laws requiring practitioners to respect the confidentiality of patient records. In addition, many states' optometry boards have rules or regulations that require practitioners to maintain records for a minimum period of years, says Classé.
HOW CAN ECPS BEST EDUCATE THEMSELVES ABOUT THE LAWS GOVERNING PATIENT CONFIDENTIALITY AND FILE MANAGEMENT?
According to Classé, “Practitioners should read relevant articles, attend CE courses, use AOA resources, and look for information online, such as the Department of Health and Human Services website, which describes HIPAA confidentiality and security provisions (hhs.gov/ocr/privacy).”
Quick Tips
Fines for those who violate HIPAA privacy rules can range from civil fines of $100 per violation to ones as high as $25,000 for multiple violations within a year.
ON WHEN YOU'RE OFF?
In a 2006 decision, an Illinois appellate court determined that a medical employee's responsibility to respect patient confidentiality was not limited to working hours [Bagent v. Blessing Care Corporation, et al., Appellate Court of Illinois, 4th District, filed March 3, 2006]. According to John G. Classé, OD, JD, the court stated that an employer could potentially be held responsible for an employee's breach of confidentiality, even a breach taking place in a “public tavern,” as in this case, because “an employee entrusted with confidential information in the course of his or her employment has a duty not to disclose the information—without limitation as to time or space.”