SCGhealth Blog

Don’t let your disposal vendor mishandle your trash into a HIPAA violation

Tuesday, January 17, 2017

By Marla Durben Hirsch, contributing writer

Providers continue to be confused as to how to dispose of their trash without running afoul of HIPAA. But the stakes are now higher – because it’s often the provider’s trash collector that’s exposing the patient data that’s in the garbage.

The Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces HIPAA’s privacy and security rules, has published guidance on proper disposal methods. While HIPAA doesn’t require particular processes, OCR suggests several, such as shredding, burning, pulping or pulverizing the records so that patient protected health information (PHI) is unreadable and cannot be reconstructed. Records treated this way are considered “secure”; a breach of them doesn’t even have to be reported.

However, many providers still don’t realize that they need to take this step as part of disposal. A number of them, including CVS, Rite Aid and Cornell Prescription Pharmacy, have settled alleged HIPAA violations after disposing of unsecured records and other materials containing PHI in unlocked, publicly accessible dumpsters. State attorneys general have also fined providers, even solo practitioners, for faulty trash disposal.

And it gets worse, since many providers have turned to outside vendors to dispose of their trash, and the vendors are making mistakes and exposing the PHI, violating HIPAA. The provider is ultimately liable even though it has entrusted the vendor to perform the disposal.

A simple Google search reveals a multitude of these incidents.

For example, the disposal company hired by physician-owned Radiology Regional Center, which has several facilities in Florida, exposed patient PHI in December 2015 when the back of the truck transporting the records to an incinerator opened, spilling the contents all over the road. While the Center spent considerable time combing the area and retrieving the records, it still had to notify 483,663 patients about the breach. The incident triggered a lawsuit in 2016 from several patients who claim, among other things, that the doctors were unaware of their obligations regarding proper trash disposal and admitted ignorance regarding it. That lawsuit is still pending.

And that may not be all. OCR has for the first time begun to train its sights on mistakes made by business associates. In 2016 the agency resolved several enforcement actions with providers and business associates for security breaches caused by the business associates. It would not be surprising for OCR to investigate Radiology Regional and other providers whose records have been compromised by their disposal company.

Review all of your business associate agreements with those handling PHI on your behalf to ensure that you are adequately protected in case the business associate exposes patient information. For example, the business associate should pay for the costs of the breach, such as the expense of notifying patients and offering them free credit monitoring. OCR has a model business associate agreement that can help you.

If you delegate trash disposal and destruction to an outside vendor, make sure you know how the vendor will safeguard the information and dispose of it. For instance, look to see if the containers the disposal company is using are sturdy. Ensure that the vendor’s staff is trained in HIPAA compliance.

Be proactive to the extent possible regarding your trash. Consider having the trash incinerated on site so it doesn’t have to be transported. Make the trash unreadable yourself before giving it to the vendor to cart away, say by shredding it or obliterating PHI with a marker. Had Radiology Regional Center taken some of those steps, it may not have been in the hot spot it is today.

It’s time to assess your annual training compliance

Wednesday, August 03, 2016

By: Ben Regalado, Contributing Writer

We’re past the midpoint of the year, and are now into the dog days of summer. For some practices, things slow down, and for others, the tempo increases faster than a Sousa march! Regardless, this is the time to assess if you’ve completed your annual training, and if not, prepare to do so over the next few months.

HIPAA is more than privacy
The Office for Civil Rights, charged with HIPAA Privacy and Security regulation enforcement, is stepping up organization audits. Areas of concern, from texting to social media, are expanding as fast as communication methods. Hacking of data from hospitals and medical practices has put healthcare in the news in ways no one wants. And yet, unfortunately, the number of practices conducting the required annual training to prepare and update staff on policies and procedures has fallen over the past two years. FN1

Here are some topics you need to cover:
● Privacy: Your staff should understand and acknowledge regulations, patient rights and practice responsibilities, including the standard that they may only access and use protected health information to the minimum necessary level to perform their job.
● Security: From computers to tablets and mobile devices, tell your staff how to protect data from disclosure.
● Reporting: If there’s a suspected violation, make sure your staff know the process for reporting it, and to whom.

It’s critically important that you log not only the date and method of training, but also who participated.

OSHA covers a wide range of safety issues
A little more than a year ago, the Occupational Safety and Health Administration’s (OSHA) mandated shift from the Material Safety Data Sheets (MSDS) to Safety Data Sheets (SDS) went into effect. Effective June 1, 2016, employers using, handling or storing hazardous chemicals were required to update their labeling and communication plans, and provide necessary training.

The internationally standardized SDS sheets are considered an improvement over the previous MSDS. The universal format allows for quick access to information, especially emergency numbers, particular hazards, and first aid. FN2 Staff should understand your workplace labeling and hazard communication programs and receive regular updates on newly identified physical or health hazards for chemicals they may come in contact with.

The above is one of nine standards that OSHA posted on its website which may apply to health care employers. FN3 The other standards are:

• Bloodborne Pathogens
• Ionizing Radiation
• Exit Routes
• Electrical
• Emergency Action Plan
• Fire Safety
• Medical and First Aid
• Personal Protective Equipment

It’s important in your annual training to touch on all these points. Sometimes this is a reiteration of policy. Other times it’s reminding staff of where to find, and how to use, documents and equipment you’ve provided for their safety.

The OSHA website has various publications and sample or model plans for you to download, customize and share.

Other training
In reviewing a recent managed care contract, we found language that mandated “completion of CMS’ Medicare Learning Network® ‘Medicare Parts C and D Fraud, Waste, and Abuse Training and Medicare Parts C and D General Compliance Training’ by Provider employees, officers, and Downstream Entities initially within 90 days of hire/contracting and at least annually thereafter.”

While there may be limited exceptions, the bottom line is that compliance training may now be part of your contractual obligations, not just your obligation as an employer.

As an employer, it’s also important to make sure your annual training and updates include key areas such as internal policies and procedures regarding weather and personal safety, harassment, and your overall compliance plan.

It’s important to continuously remind your staff of their obligations to protect patients and support the physicians and other providers by understanding and ensuring compliance with national regulations and internal policies. Don’t merely rely on handbooks and orientation at hire to get the message through. Reinforce it regularly through training and other reminders. Remember — people learn in different ways, and reinforcement will make a difference in the long run.

FN1. NueMD. “2016 HIPAA Survey Update.” Accessed July 28, 2016.
FN2. Safety Services Company. “What Is the Difference Between MSDS and SDS?” Accessed July 28, 2016.
FN3. United States Department of Labor, Occupational Safety & Health Administration. “Compliance Assistance Quick Start.”

Patient data breaches, HIPAA enforcement on the rise

Wednesday, February 04, 2015

by Marla Durben Hirsch

The number of data breaches tracked in 2014 hit a new high, with 783 breaches reported, up 27.5 percent from 2013, according to San Diego-based Identity Theft Resource Center. The leading cause of the breaches, 29 percent, was due to hacking, followed by third party/subcontractor breaches and accidental disclosures.

Unfortunately, the health care industry topped the data breach list, with 42.5 percent of breaches attributable to that sector. One of the largest breaches was suffered by Franklin, Tennessee-based Community Health Systems, which reported this summer that it was hacked, compromising 4.5 million patient records. The health system operates 206 facilities in 29 states.

These incidents have brought the number of reported breaches of 500 or more records on the Department of Health and Human Services (HHS) website – also known as the "wall of shame" – to a staggering 1,196. (Breaches of fewer than 500 records must still be reported to HHS but are not made public.)

Perhaps not surprisingly, the number of government enforcement actions against HIPAA violators has also increased in 2014. HHS' Office for Civil Rights (OCR), which is in charge of HIPAA privacy and security compliance, stated in early 2014 that enforcement will be more "aggressive" and that a report of a data breach will likely lead to a subsequent investigation. (This new stance may be due in part to a report issued by HHS’ Office of Inspector General in November 2013 that cited OCR for inadequate enforcement.)

There's also been an uptick in state enforcement activity. The HITECH Act of 2009, which amended HIPAA, granted state attorneys general the right to enforce HIPAA, and more of them are taking advantage of this new authority. A number of states, such as Minnesota, California and Massachusetts, have already settled allegations of HIPAA violations with providers and business associates. Puerto Rico levied a record $6.8 million HIPAA fine against health insurer Triple-S Salud in February 2014 for a breach affecting only about 13,000 patients. In January 2015, the Indiana attorney general’s office fined a dentist $12,000 for hiring a company to dispose of patient records that did so by throwing them into a dumpster. This is the first time that this state has sued for a HIPAA violation.

And in a relatively new development, individuals have increasingly been successful in using HIPAA as the standard of care in state privacy lawsuits. HIPAA does not grant people the right to sue for HIPAA violations, known as a "private right of action." But courts are now moving to allow HIPAA's rules to be used as more of a bright line. For instance, an appeals court upheld a $1.44 million breach of privacy verdict against Walgreens and one of its pharmacists in November 2014 under that theory. The pharmacist, who was dating the patient's ex-boyfriend, had accessed the patient’s records and shared them with the boyfriend, violating HIPAA; the boyfriend then threatened to use the information against the patient in a paternity lawsuit.

However, apparently some physician practices are not getting the memo about the importance of keeping patient records secure. A new survey of 1,037 respondents published by NueMD found that only 62 percent provided annual HIPAA training, 45 percent had a breach notification policy, 40 percent were not aware that they needed agreements with their business associates, 36 percent were not aware that the HITECH Act had increased their compliance obligations, and 23 percent didn’t even have a HIPAA compliance plan.

The bottom line: double check that your practice is in compliance with HIPAA; if it isn't, take the necessary steps to get up to speed. Even the most careful practice can suffer a data breach, and the consequences can be very far reaching.

HHS website on breach notification

Identity Theft Resource Center announcement

NueMD survey

OIG report

Walgreens court of appeals decision

Announcement of Indiana dentist's HIPAA fine

Non-par docs still face penalties for not taking part in PQRS, EHR

Tuesday, June 10, 2014

2015 is a big year for payment adjustments for providers who’ve failed to take part in the Centers for Medicare & Medicaid Services (CMS) incentive programs for electronic health records (EHR) meaningful use and the Physician Quality Reporting System (PQRS).

It’s the year that CMS goes from dangling the carrot of extra pay to using the stick of less pay for providers who’ve failed to take part in these programs, or to obtain a hardship exemption of any sort.

The HITECH Act decreed that, starting in 2015, those who didn’t report enough quality measures in PQRS would see a 1.5 percent cut, and those who failed to achieve EHR meaningful use would see a 1 percent cut.

For providers who accept assignment on Medicare claims, CMS will take the penalty directly out of the allowed amount for services billed. Because it will apply the penalty to the entire allowed charge, then pay 80 percent of that amount, the beneficiary’s 20 percent coinsurance would be slightly reduced as well.

Non-participating providers who don’t accept assignment can typically charge up to 115 percent of the allowed charge for a service. The difference is that the beneficiary pays the provider directly and Medicare makes its payment directly to the beneficiary.

Even in these instances, however, the ultimate payment the provider is able to collect will be reduced for failure to take part in incentive programs.

In recent transmittal 1384 to its One Time Notification Manual, CMS spells out how it will work, using a hypothetical service with a $100 allowed charge.

Ordinarily, a non-par provider who accepted assignment would get paid 95 percent of the allowed charge, or $95, with the beneficiary paying 20 percent of that amount.

The calculation formula is the same for a provider who doesn’t accept assignment, but it affects how much the provider is allowed to charge the beneficiary. In the case of the 1 percent cut for failing to do PQRS, the result would be that the Medicare allowed charge for the $100 service would be cut to $94.05 instead of $95.

When the provider charges the patient the full limiting charge, the total would be 115% of $94.05, which is $108.16, instead of the previous $109.25.

A non-par provider who is being penalized for both PQRS and EHR would see the allowable for the $100 shaved down to $92.64, with the limiting charge dipping down to $106.54 instead of $109.25.

CMS will maintain fee schedules with the correct amounts for providers who face either or both payment adjustments in 2015. Providers are also reminded that the penalty for charging a patient an amount in excess of the limiting charge can be as high as $10,000 per violation.

Your action items

The struggle to collect money directly from patients already made the decision to go non-par for Medicare a difficult one, as noted by Jennifer Searfoss, principal consultant with SCG Health. That’s why the participation rates for providers in the Medicare program are historically over 90 percent.

The calculations required to make sure you charge the patient the correct amount if you failed to successfully achieve either EHR meaningful use or PQRS add another complicating wrinkle.

While it is helpful that CMS will maintain separate fee schedules to give guidance on how to properly charge this service, you may want to question the worth of being a non-participating provider, as opposed to other revenue-generating ideas, such as further diversifying your payer mix or trying to attract more self-pay elective procedures when possible.

Remember, the risk for overcharging a patient is potentially $10,000 per violation. While CMS rarely fines offenders the maximum – especially for a first time violation – the threat makes it critical you are prepared to understand how these seemingly minor financial adjustments could profoundly affect your practice.

SCG Health is a tradename of the Searfoss Consulting Group, LLC. You may reproduce materials available on this site for your own personal use and for noncommercial distribution. For more information, please read the Content Sharing Policy. Art & design by SCG Health. DISCLAIMER: You should consult an attorney for individual advice regarding a particular set of facts and circumstances. SCG Health reserves the right to change the information on this website without notice.