
HIPAA: Navigating the Complexity within the ABA Environment


By Dan Matas, Founder of OutcomesBase, Inc. 


HIPAA is short for the Health Insurance Portability and Accountability Act, and it affects everyone receiving any kind of health/medical treatment as well as everyone who is providing it. The focus of HIPAA is to protect the confidentiality of sensitive treatment information as well as to ensure that there are certain security measures in place to prevent unwanted disclosure or access. As I often say whenever I train on HIPAA best practices, “You should treat the medical information of others like it was your own. How confidential would you want your personal medical information to be treated?”


A breach is whenever protected health information (PHI) is used, disclosed, or accessed outside of HIPAA law and protections. According to the Office for Civil Rights (OCR) statistics, as reported by hipaajournal.com, the number of large HIPAA breaches (those in which over 500 patients were impacted) is increasing. They posted the following chart showing the trend of large HIPAA data breaches over the past several years:


With the increase of telehealth in the post-pandemic world, it could make sense that there is an increasing trend of HIPAA breaches. However, we also have very sophisticated encryption tools and software that should be helping to prevent this level of breaches. Our PHI, and the PHI of our clients, is at stake, and we have a responsibility to do everything in our power to ensure its confidentiality.


Common HIPAA Breaches in ABA

I compiled a list of some of the most common HIPAA breaches I have seen throughout my career working in ABA:


Improper Disclosure

Some examples of improper disclosure range from talking to another child’s parent about a different client, all the way to accidentally sending the wrong report to a funding source. Another common HIPAA breach I have seen is staff giving the address of a client to someone else, including an Uber driver or a girlfriend/boyfriend, who is giving them a ride to work. Using discretion and protecting the confidentiality of clients is an ongoing, daily activity. Most often, these breaches are accidental, but they are also preventable with the proper staff training and systems in place.


Access Controls

While it might make sense for some roles in an organization to have access to all client records (e.g., billers, schedulers, clinical directors), there should also be certain control levels in place. For instance, schedulers shouldn’t ever need to access a client’s treatment plans or clinical data, but would need a large range of client information related to where they live, how to contact them, and who their caregivers are. When there are not defined roles and responsibilities, PHI becomes too easily shared and accessible.
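The role-based, least-privilege split described above (schedulers see contact and caregiver information but never clinical data; billers see billing fields; clinical directors see everything; anyone without a defined role sees nothing) can be expressed as a field-level policy that is deny-by-default. The following is an added example, not code from the original post or from OutcomesBase or CentralReach; the role names, field names and the sample client record are assumptions constructed for illustration.

```python
"""Field-level, deny-by-default access control for client records.

Added example (not from the original post or any EMR vendor). The roles,
field names and the sample record are assumptions constructed for
illustration; a real system would load its policy from configuration.
"""
from typing import Dict, FrozenSet, List, Mapping

# Which record fields each role may read. A role that is not listed here
# gets nothing, so a new or mistyped role cannot silently see PHI.
ROLE_FIELDS: Mapping[str, FrozenSet[str]] = {
    # Schedulers need where a client lives, how to reach them and who the
    # caregivers are, but never treatment plans or clinical data.
    "scheduler": frozenset({"name", "address", "phone", "caregivers", "schedule"}),
    # Billers need identifiers and service history, not clinical content.
    "biller": frozenset({"name", "insurance_id", "sessions_billed"}),
    # Clinical directors oversee treatment and may read the whole record.
    "clinical_director": frozenset({
        "name", "address", "phone", "caregivers", "schedule",
        "insurance_id", "sessions_billed", "treatment_plan", "session_notes",
    }),
}


def can_read(role: str, field: str) -> bool:
    """Deny by default: only an explicitly listed role/field pair is allowed."""
    return field in ROLE_FIELDS.get(role, frozenset())


def view_for_role(record: Dict[str, object], role: str) -> Dict[str, object]:
    """Return a copy of the record containing only the fields this role may read."""
    return {field: value for field, value in record.items() if can_read(role, field)}


def audit_check(role: str, field: str, audit_log: List[Dict[str, str]]) -> bool:
    """Decide one access request and record who asked for what, and the outcome.

    Denied requests are logged too: a pattern of denials against clinical
    fields from a non-clinical role is exactly what a privacy officer
    wants to see when deciding where retraining is needed.
    """
    allowed = can_read(role, field)
    audit_log.append({"role": role, "field": field,
                      "outcome": "allowed" if allowed else "denied"})
    return allowed


# Constructed sample record; every value is fictional.
SAMPLE_CLIENT: Dict[str, object] = {
    "name": "Client A",
    "address": "1 Example Street, Springfield",
    "phone": "555-0100",
    "caregivers": ["Parent A"],
    "schedule": "Mon/Wed 15:00-17:00",
    "insurance_id": "INS-0000-EXAMPLE",
    "sessions_billed": 12,
    "treatment_plan": "Goal 1: ... (clinical content)",
    "session_notes": ["Session 1 note (clinical content)"],
}

if __name__ == "__main__":
    # Show what each role (including an undefined one) is allowed to see.
    for role in ("scheduler", "biller", "clinical_director", "intern"):
        print(f"{role:18} -> {sorted(view_for_role(SAMPLE_CLIENT, role))}")
```

The important design choice is the default: an unknown role gets an empty set, not a permissive one, and every decision is logged so that breach patterns can be traced back to the roles and fields involved.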


Improper Storage and Disposal

In ABA, there is a lot of session and treatment data created given the high frequency of the service and the requirements to track client treatment progress daily, summarize daily treatment with a session note, and to produce regular progress reports. While most companies have moved to doing all of these things online, there are still often old paper files that need to be stored and disposed of. There are various laws in place regarding how long client records need to be stored for, but there are also specifications for how it must be stored (e.g. in a locked cabinet in a locked room) and disposed of that need be adhered to in order to be in compliance with HIPAA law. 


Non-Compliant Systems

Having the right system is crucial to adhering to HIPAA law. Companies that are still using Excel and Word for the majority of their record keeping need to ensure that they have folders set up with varying levels of security and that only those who need the information to do their job have access to it. It’s also imperative that companies using an Electronic Medical Record (EMR) check to ensure that it is set up with the proper encryption and security standards required under HIPAA law. Often this includes multi-factor authentication for users. Most EMR vendors, like CentralReach, have done the research for you and have dedicated security teams who should be able to walk you through the measures in place within their software. If a vendor can’t do this, it should be a huge red flag!


Organization-wide HIPAA Best Practices

Below is a compilation of things every ABA company should have in place to ensure that they are effectively protecting PHI and in compliance with HIPAA law & Security Rule requirements.


Education and Training of Staff

One of the greatest assets of every ABA company is its staff. However, if staff aren’t educated on the proper protocols to protect client PHI, then they aren’t going to be effective in doing so. The Office of Inspector General (OIG) requires that all staff are trained on HIPAA and Security laws initially upon hire, and then whenever significant changes occur. Additionally, it is recommended that staff are also trained at least annually to refresh their knowledge of internal HIPAA practices and controls. In my opinion, it’s also important to look at your company’s data to assess if additional trainings are needed. Where are breaches occurring and who is most often responsible? That will help you target trainings and help to minimize potential breaches from occurring.


Security Practices

Every organization needs to put together security protocols that will best serve their staff structure and systems, while also ensuring the protection of PHI. These protocols should be documented and revisited at least annually. These security practices should also be highlighted and reviewed during staff trainings to ensure staff aren’t just understanding the concept of HIPAA, but also, how their behaviors help to keep client records protected. 


Business Associate Contracts

In accordance with HIPAA law, every vendor a company is working with in which PHI is stored or exchanged (e.g. EMR, HR portal, Worker’s Comp logs, etc.), needs to have a Business Associates Agreement (BAA) in place. This BAA is a contract in which the vendor agrees to ensure that their system has the correct security and encryption required under the law, but also outlines how they will respond in the event of a breach, and how they will notify you of such. The BAA doesn’t ensure no breaches occur, but it is very helpful in determining liability and how to respond in the event of a breach. 


Enforcement and Resources

Companies should be holding their staff accountable to their internal HIPAA and Security protocols. Staff who are responsible for a breach should receive a corrective action commensurate with the infraction. It is also imperative that all staff are treated equally with regard to enforcement. Anyone can be responsible for a breach, and the same corrective action standards should apply to all. I highly recommend that along with corrective action, the employee responsible also receives a documented re-training on company HIPAA protocols. All companies should also have a dedicated resource/employee to oversee the privacy and security of the organization. This person should be responsible for staff trainings, ensuring protocols are in place and updated, and for responding to potential breaches within the organization.


Multi-State Rules

Many ABA companies practice in more than one state. Although HIPAA is a federal law, each state may also have its own set of requirements when it comes to PHI, security, and disposal. I recommend that each company working across multiple states do the research to understand the unique requirements of each, and create a matrix documenting these differences. You might also be able to lean on an attorney or law group that you work with to do this research for you. Just keep in mind, regulations do change over time and a one-time review of the current laws is not sufficient.


I could talk about HIPAA for days. I have been involved in minor breaches, and also have had to problem-solve and work through some major ones. There are plenty of horror stories that have kept me up at night related to privacy and security; but again, many breaches are preventable if best practices are established and followed. 


If OutcomesBase can assist your company in any way, whether that be in evaluating your current trainings and protocols, or in helping establish them, please let us know. We are here to help, and hopefully, assist in keeping PHI secure for your clients. 

© 2024 OutcomesBase, Inc.
