星空入口

Training seasonal and permanent staff will avoid an audit.

As summer approaches, many practices are thinking about hiring student interns or seasonal staff. If you are considering hiring interns and giving them easy jobs around the office like purging old patient records or converting paper records to electronic, you鈥檒l want to make sure they have a solid grasp of HIPAA and protected health information (PHI) compliance beforehand.

Human error plays a huge role in many HIPAA and PHI violations, including cases related to document disposal. These breaches are often the result of inadequate training.

Continue reading for tips on how to prepare your existing or seasonal employees on appropriate document discarding methods.

Ensure Your Disposal Procedures Follow OCR Protocol

It鈥檚 essential that your staff members know the basics of what exactly PHI is and how to effectively dispose of it.

There are specific examples outlined by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on the proper way to dispose of patients鈥� PHI. In addition, your staff 鈥� seasonal or permanent 鈥� should be thoroughly trained on these disposal protocols.

PHI defined: PHI is best defined as 鈥渁ll 鈥榠ndividually identifiable health information鈥� held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral,鈥� according to the OCR guidance on the HIPAA Privacy Rule. Furthermore, any personal information that can identify the patient and is associated with the medical record is also considered to be protected data. In fact, federal guidance lists 18 categories of 鈥減ersonal identifiers鈥� that must be secured by covered entities (CEs) and business associates (BAs).

According to the OCR, any patient PHI such as their name, Social Security number, driver鈥檚 license number, debit or credit card number, diagnosis, treatment information, or other sensitive information may warrant more care due to the risk that inappropriate access to this information may result in identity theft, or harm to an individual鈥檚 reputation.

Understand These Proper Disposal Tips

Employee training should be a fundamental component of your HIPAA compliance strategy, and your regulations must encompass training on proper PHI disposal. Conduct a training session with department heads on the subject of securely managing all types of data and ensuring that each staff member understands the necessary methods of using and safeguarding any PHI in any format. Next, implement and instruct all personnel in the correct procedures of disposing of HIPAA and PHI effectively and safely.

There are different ways to properly dispose of the different types of PHI, according to OCR guidance:

• Paper records: For PHI in paper records, shredding, burning, pulping, or pulverizing the records so the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed. Ideally, your office would carry out destruction on the premises to minimize the risk of unintentional exposure during transit.
• Electronic media: For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
• Prescription bottles: For PHI on labeled prescription bottles, maintaining bottles in opaque bags within a secure location and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI is recommended.

More info: For additional tips on safe disposal methods, please visit the OCR section on PHI disposal.

Remember: Employees will often presume that discarded items are disposed of immediately, which may not always be the case. It鈥檚 crucial for them to scrutinize their nondigital data with the same meticulousness as they do their digital data. Whether it鈥檚 paper documents or medication containers, everything should undergo a thorough information flow analysis to guarantee the security of each item until it鈥檚 completely destroyed.

Be Your Own Auditor

You may want to do a practice run or a test audit after a few days to make sure the message was received by your staff and the training was sufficient. Follow up as necessary until you are sure everyone is on the same page. The important thing is to do your own auditing, and don鈥檛 wait until it鈥檚 too late and a major story leaks out from your office to the local news.

鈥淐overed entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps,鈥� OCR cautions. 鈥淚n determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed of.鈥�

Find more information related to HIPAA and PHI basics for your office at .

Lindsey Bush, BA, MA, CPC, Development Editor, AAPC