May 2015

HIPAA a Back Breaker for Chiropractic Interns
By Robert Murphy
For The Record
Vol. 27 No. 5 No. 10

A recent study of chiropractic interns' perceptions about the HIPAA Omnibus Rule showed that, even among those who had received previous training, no one understood the law adequately. The study, according to its author, highlights an unmet need for better HIT education among chiropractic interns and perhaps other health care disciplines as well.

Purpose and Methods
Joe Lintz, MS, RHIA, director of the HIM program at Parker University in Dallas and author of the study, sought to "assess the knowledge and awareness of HIPAA's new privacy and security restrictions for patient health information among junior and senior chiropractic interns," according to the study report. Beyond this, he also was concerned to "determine how health information professionals can assist chiropractic interns in their practice in terms of disclosure of patient information."

The size of the organization tends to be a major factor in whether HIPAA guidelines are met, according to Lintz. "Smaller clinics and organizations like chiropractic clinics that tend to lack access to sufficient internal resources could struggle more with this HIPAA change," he says. "For example, a chiropractic clinic does not have a certified health information professional with knowledge of HIPAA's new privacy and security rules to support daily operations of the clinic."

Thirty interns in their second or third years of a chiropractic clinical practicum were asked to participate in the study. Each answered the following questions related to HIPAA's privacy and security restrictions for patient health information:

• Is your business associate a covered entity? Business associates are subject to the same HIPAA security provisions as covered entities for implementing administrative, physical, and technical safeguards on patient health information. They are also subject to civil and criminal penalties for violations.

• What do you know about the use of patient health information in making communications? The HIPAA standard was expanded to ban direct or indirect payment for communications, and now applies to business associates.

• How do you disseminate health information to the patient? The rule states organizations must provide the patient (or someone authorized by the patient) with a copy of their medical record, preferably in an electronic format.

• What is your knowledge of the requirement pertaining to providing patient information? According to the HIPAA standard, when a practice is asked to provide patient health information, it can provide only the minimum necessary to accomplish a given task.

• How familiar are you with data breach penalties? Under the HITECH Act, fines for data breaches were increased to $100 to $50,000 per violation, with a yearly maximum of $25,000 to $1.5 million. Plus, there are mandatory penalties for willful neglect.

For each of these items, the interns were asked to indicate their level of knowledge on a scale of 1 (not at all) to 5 (very much). Of the 30 participants, 16 had previous HIPAA training. Lintz believed such training would make a difference in the findings.

Inauspicious Outcomes
Turns out it didn't. In an ideal world, junior and senior chiropractic interns with at least some prior HIPAA training should be expected to have a passing familiarity with the law's requirements. However, none of the 30 interns, regardless of previous training, understood the latest HIPAA rules adequately. Nor did they have the slightest clue how these rules could impact their future practices.

"A few of them replied that they will not worry about any of this until they get a breach," Lintz says. The fact that some of the subjects received their HIPAA training prior to 2013 might help explain their lack of knowledge about the new rules, he adds.

Lintz says the survey's small population size militates against drawing statistically significant inferences. Still, he says the results are something of an unfavorable portent, particularly given the relatively rudimentary IT infrastructure of chiropractic practices. "Chiropractors are not as computerized with medical records as other health care providers are, so they don't have a lot of knowledge about HIPAA rules on EHRs. Everything is entered manually," Lintz says.

Perhaps the survey's most noteworthy outcome was that all 30 respondents were "not at all" familiar with the data breach penalties. Other key findings include 90% of respondents being not at all familiar with how to distribute protected health information, and the same percentage being unfamiliar with the business associate concept.

Training Implications
The good news is that most of the interns in the study expressed interest in learning more about HIPAA from various training resources, particularly when it comes to using patient health information in marketing communications. Almost all said they were confident that HIM professionals could help them better understand the new HIPAA privacy and security restrictions for patient health information.

Other areas in which the chiropractic interns expressed interest in being trained include the following:

• identifying data breach penalties;

• disclosing health information to patients and third parties; and

• developing organizationwide privacy and security training methods.

Who is responsible for providing training? If medical students fail to learn HIPAA regulations in school, they must turn to other resources once they're out in the field. But ultimately, the responsibility lies with the individual, says Stasia Sands-Kahn, MD, an internist and HIT consultant. "One could make an argument that any health care professional who is actively working in the field is responsible for being compliant with governmental regulations," she says. "It is their personal responsibility to stay up to date."

Compliance with the Omnibus Rule hinges on two key efforts, says Sands-Kahn. One is to make sure that applicable policies, procedures, and documentation are in place.
The second is ensuring that all office staff members are familiar with HIPAA regulations.

Up to Spec With HITECH
Even before considering the new rules, health care organizations must have the requisite mechanisms in place for adhering to the preexisting stipulations. Sands-Kahn recommends designating a privacy and security officer who must stay current with the requirements and train new employees as well as supervise refresher courses to keep the entire office up to date.

A current privacy, security, and disaster recovery manual is essential, Sands-Kahn says. The HIPAA section must include the latest notice of privacy practices, privacy logs, and authorization-and-request forms, as well as policies on breach notification and the release of medical records. Subjects tackled in the security section include computer maintenance, encryption, data backup, remote access, and fax transmission. For disaster recovery, Sands-Kahn suggests the manual contain an emergency operations plan featuring the contact information for staff, support, and federal and local government.

Maintain both paper and electronic copies of the manual, with the electronic version encrypted on a cloud-based file system, Sands-Kahn says. Also keep an information system inventory onsite with a duplicate paper copy offsite as well as an electronic version.

Sands-Kahn recommends holding yearly compliance meetings to refresh employees and physicians on the latest privacy and security rules, and to discuss what to do in case of an emergency.

— Robert Murphy is a freelance medical writer in Watertown, New York.