HIPAA violations can be disastrous for physician-owned spine practices, and the risks are high.
HIPAA violations can be as simple as a shared password or absent-mindedly entering the wrong patient information. Here are 10 danger areas for spine surgeon business owners in technology and HIPAA violations.
1. Copying and pasting information. Physicians are looking to work efficiently, but copy-and-paste features might transfer outdated or incorrect information and clutter patient records, making it difficult to identify important information, according to a Medscape report. When a patient sues, the plaintiff attorney can easily spot a copy-and-paste job and then make the argument the physician wasn't really engaged in the case.
2. Online identity sharing. Physicians in small practices streamline their EHR by sharing the same password. However, the shared password makes it difficult to figure out who made changes to the records and can cause controversy during malpractice situations, according to the Medscape report. Individual physicians should be the only ones using their password to make changes to medical records.
3. Wandering minds and fat fingers lead to input errors. A report from the Department of Veterans Affairs EHR found 84 percent of notes on patient records contained some sort of documentation error and each patient had an average of 7.8 mistakes. Misinformation could lead to bad care and potential legal issues. Mistakes include:
• No supporting documentation for services performed
• Not signing notes
• Auto-filling with the incorrect option
4. Hacking situations. Digitizing records with EMR and communicating by email leave this information vulnerable to hacking, even behind strict protections. There are sophisticated hackers out there with steep financial incentive to poach personal information about people — especially healthcare information. A hacker recently compromised more than 60,000 government employees by accessing the third-party contractor Onsite Health Diagnostics' computer system. The largest healthcare data breach due to hacking this year was NRAD Medical Associates, where 97,000 patients were impacted.
5. Patients with iPhones. HIPAA is complex and providers are ultimately responsible for keeping patient information private. But what if patients share their medical information on Facebook or Twitter? What if they take pictures with their iPhones and post them online? One mother of a patient at Mercy Hospital in Springfield, Mo., tried to take a picture of her son visiting a specialist at the hospital and was detained due to a potential HIPAA violation. She was later released, but sued the hospital for "false imprisonment" and "emotional distress."
6. Staff members with Facebook accounts. Personal profiles online offer people a way to express themselves, which often means venting about work or describing a funny situation. Many professionals do it regularly and try to keep their descriptions vague, but for healthcare personnel any sharing could be disastrous. Implement a strict social media policy to avoid HIPAA violations and don't allow any leeway — it could be costly in the future. An emergency nurse was fired earlier this year from New York-Presbyterian Hospital after posting a picture of an empty trauma room on Instagram.
7. Taking records out of the office. A briefcase or medical file left in a taxi or stolen from someone's house was once a serious concern; now, even though most patient information is digital, stolen laptops and flash drives are just as much of a problem. Develop a strict policy for employees taking records out of the office, including how long the employees can have the records out of the office, how long they can be left in the car and what protection they must have. Parkview Health paid $800,000 earlier this year to settle a potential HIPAA violation after a physician accused employees of improperly leaving patient records unattended.
8. Bad business partners. Healthcare providers are responsible for patient information even when they pass records off to their "business associates" for outsourced services. This is especially true for small practices that outsource billing information or data backup services. These businesses should be HIPAA compliant and willing to sign a HIPAA-required business associate agreement.
9. Security weakness. Information online must have a certain level of protection, and any weakness could compromise patient records. WellPoint settled for $1.7 million last year over allegations that a security weakness in the insurer's database exposed 600,000 people to "unauthorized individuals" on the internet. HHS officials announced a plan in June to step up enforcement for data breaches, which could make future suits even more costly.
10. Employee theft. Employers are responsible for their employees, meaning if staff members look up patient information inappropriately, physician practice owners could be in trouble. For example, a pharmacist at Walgreens looked up her husband's ex-girlfriend and shared information from that record with her husband. Walgreens was ordered to pay $1.44 million after the patient sued, claiming negligent supervision.