Medical Records Compliance
While the duty to retain proper medical records for purposes of ensuring quality care may be obvious to most health care providers, the integrity and veracity of the medical records can often make or break the defense of a claim in court. This makes it crucial for record keepers to objectively and consistently fully document their patient’s illness and treatments. This truth reins regardless of whether one utilizes paper records, digital, or electronic medical record. Paper Cuts can help. Let Paper Cuts assist you in effectively managing your medical records ongoing.
Maintaining Detailed Records
Medical Records Liability
Healthcare providers, including hospitals, physician practices, nursing homes, and home health providers,all have legal obligations to maintain and preserve medical records. Improper record keeping can lead to significant consequences. The improper release of medical records and the improper destruction of records can lead to civil and/or criminal liability. Any individual who willfully discloses hospital or medical record information may be held responsible in civil proceedings. Anyone helping another to wrongfully disclose the medical records may be held personally liable. A hospital may be held liable for an employee’s wrongful production of a patient’s medical records. Insurance does not typically cover this type of event, which may lead to an outcome that is financially devastating to the hospital and the individuals responsible. Past Jury awards have been seen as high as $300,000 to $400,000 for improper release of information.
Scope of Business Associates
Under HIPAA guidelines, the definition of Business Associates was expanded to include entities such as cloud computing companies that help with storage of electronic medical records and data. They are required to enter into written business associate agreements with the organizations they conduct business with regarding the medical records. Even if they do not routinely access the protected health information, they may have the opportunity to, so the HIPAA rules consider them business associates. In contrast, true conduits of information transportation, such as the US Postal Service, UPS or Fed Ex, or digital couriers are not considered business associates. It is advisable to make a list of all vendors that meet this expanded definition to ensure your entity has updated written business associate agreements in place.
Concerns with your Business Associate HIPAA compliance?
We can help you. Contact us now and ask for Leonel:
Reviewing Business Associate Vendors
When analyzing the vendors who perform services for you regarding access to medical records, one’s status as a business associate is based on roles and responsibilities, not upon whether one enters into a business associate agreement or contract. Therefore, if a covered entity gets push back from a Business Associate who is utilizing your PHI to perform a service for you, such as auditing or scanning, remind them they are already acting as a Business Associate regardless if the document is signed.
Need guidance with your Business Associate contract agreements?
Paper Cuts can assist you. Contact us now and ask for Darryl:
Importance of HIPAA Compliance
In 2013, the Department of Health and Human Services revised HIPAA rules, with the final regulations outlined under the HITECH Act. Despite the passage of time, many health care providers and Business Associates still have not updated or implemented their HIPPA Compliance plans with all the required documentation. This may lead to compliance issues if HIPAA audits discover inconsistencies or non-compliance with you or your medical organization. With regard to Business Associates, the HIPAA definition has been expanded to include vendors who create, receive maintain, or transmit PHI in order to perform a function on behalf of a covered entity.
Spoiling Medical Evidence
Spoliation is the intentional destruction, mutilation, alteration or concealment of evidence. The term includes both intentional and negligent losses of evidence. Historically, spoliation referred to destruction of evidence with fraudulent intent, but recently it has been broadened to cover innocent or inadvertent loss of evidence. Penalties for spoliation will be imposed upon a party to a lawsuit who is responsible for the loss of evidence. Indeed, if it is believed that the loss or destruction of physical evidence was willful, for the purpose of preventing its use in an official court proceeding, the penalties may even become criminal.
Lost or Stolen Records
Because physicians and hospitals are subject to statutory and regulatory obligations to maintain medical records and to safeguard the integrity of those records, a failure in either respect may result in legal liability in the context of a malpractice suit. Also, this can apply from the standpoint of an independent liability based upon a nondisclosure of information that should have been maintained and disclosed by the provider. Misplaced or stolen medical records, or a record or portion of a record that can not be located can be subject to legal liability. Not only is there a duty to make medical records by various healthcare providers, there is a similar duty to preserve them.
Destruction of Medical Records
Just as important as maintaining system for properly storing and accessing medical records, is having a detailed protocol for how medical records and patient information will be destroyed once the retention period has expired. Such records should be destroyed so there is no possibility of reconstruction of the information. Appropriate methods for destroying paper records, including burning, shredding, pulping, and pulverizing. Use of HIPAA approved professionals for recycling or pulverizing to destroy microfilm or microfiche is recommended. Data discs should always be completely pulverized so no data can be resurrected from remaining pieces.
Use Certificates of Destruction
A Certificate of Destruction should be prepared for each patient record. This certificate and other destruction documentation should be maintained permanently. It is important for the institution to maintain these documents to be able to prove the records were destroyed in the hospital’s regular course of business.
If contracting out your destruction services, consider a leding professional HIPAA approved firm such as Paper Cuts, because we are always aware of the latest requirements for HIPAA regulations that must be complied with. We can assist you in setting up an initial Business Associate Agreement so it is in place for us to provide proper destruction services for you, ensuring compliance with HIPAA privacy rules.
Finally, be sure to document destruction of any medical record or medical data by maintaining a proper log book. The log should include information such as the date of destruction, method of destruction, description of the disposed of records including media types, inclusive dates covered, a statement that the records were destroyed in the normal course of business; and the signatures of the individuals supervising and witnessing the destruction.
Legal Issues for Medical Records
Naturally, records involved in any open investigation, audit or litigation should not be destroyed. You should ensure you have a litigation hold program in place to preserve all the necessary documentation and evidence in the event of litigation being filed. For those records that are ready for destruction, the following recommendations should be followed.
As a reminder, legal penalties for not following HIPAA compliance can be extremely overwhelming. More recently, CVS Pharmacy paid $2.5 million dollars for HIPAA violation when it was discovered it had a practice of discarding patient information, such as identifying information on pill bottle labels and other paperwork, in industrial trash containers outside selected stores that were not secure and could be accessed by the public.