Inbox: Is Your Practice Violating HIPAA?

April 24, 2017
Dylan Fisher

In our recurring blog "Inbox," we get reader feedback on adhering to HIPAA laws and whether or not DPC is a fit for your practice.

Editor's note: We work hard to write about issues that will help physicians run their practices in a manner that is both prosperous and efficient, while still delivering quality patient care. And we are delighted when our readers let us know what they are thinking. This month we are excerpting an article on adhering to HIPAA and a column on the pros and cons of subscription medicine. The articles have been edited for space and are followed by comments made by readers at PhysiciansPractice.com.

Is Your Practice Violating HIPAA Regulations?

Corpus Christi Medical Associates (CCMA), a family practice in Corpus Christi, Texas, has always found it difficult to comply with HIPAA's privacy and security regulations.

"We struggle to have enough resources to dedicate to the ever-changing environment," said J. Stefan Walker, MD, a family medicine physician at CCMA. "There is always something new and regulations are constantly evolving. It's a moving target, and cyber-liability is probably the greatest risk, added Walker."

Despite this sentiment, Walker was determined not to be one of the practices listed on the "Wall of Shame" webpage maintained by the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services. Practices are listed there if they report a data breach that affects 500 or more patients.

Walker said that CCMA has been the target of a few breach attempts already. "For a small practice like ours, dealing with the fallout from a breach could literally bankrupt us. We are looking at how to minimize the risk," he says.

Leann says: "We recently had a patient's attorney aggressively subpoena us for medical records. We tried to point the lawyer and the patient to our standard medical request form, as well as to HHS.gov, which states clearly that a HIPAA-covered provider may disclose information to a party issuing a subpoena only if the notification requirements of the Privacy Rule are met (in this case, they weren't), but they just kept pushing the subpoena. Eventually the patient completed our standard form and I rushed the records in less than a day to avoid having to go to court. My question now is: Should I file a complaint against the attorney or just let it go?"

Jonathan replies: "Don't fall for lawyer games. Just send them notice that you don't release protected information without the patient's signed agreement or a court order signed by a judge. I simply ignore them after giving them notice of this, though I do also contact the patient right away and let them decide if they want to fill out a HIPAA compliant form to release the records to the law office. Sadly, too many practices think the subpoena means they have to release protected records. In our area, most offices don't even use a compliant form even though they are owned by a local hospital that uses a compliant form itself."

Pros and Cons of Switching to A Subscription Practice

Doctors are burning out. They are tired of working for insurance companies instead of patients.  They are tired of spending more time looking at computer screens than listening to patients.  They are frustrated at the ever-increasing rules that dictate how they must practice and afraid of the consequences should they step outside those rules, even in error. While one option is to quit practicing medicine altogether (and many doctors are doing so), there is another option that an increasing number of doctors are choosing: Subscription medicine.

Four years ago, I was faced with this dilemma when I had a "divorce" from the other partners in the practice I had worked in for 18 years.  Do I join another practice or a hospital system and jump back into the insanity of healthcare? Do I go to a "safe" practice, like the VA, where the conditions might not be great, but the payment system isn't as chaotic?  Or, do I start a solo practice, and make my own kind of practice in the form I want it to be? 

K asks: "Is this a realistic model for a specialist whose practice is 90 percent Medicare?"

Robert replies: "The specialist part is harder than the Medicare part. Strangely enough, my Medicare patients are the ones who understood the practice model first and the ones least likely to move on. If you are a specialist who relies on procedures, though, the model just doesn't work. If you are a specialist like endo, rheum, or other non-procedural specialties, it CAN work, but it's not as easy as it is for primary care. There are some specialists doing this, though."

Vahe asks: "I thought about direct pay/cash only model when I opened my micro practice five years ago, but was dissuaded in part by the prospect of my patients being forced to pay for tests or procedures I ordered that their insurance plans would not cover. This is because I would be a non-par physician, resulting in delay or failure of diagnosis and treatment. How does that work?"

Scott replies: "Many DPC practices make arrangements with private imaging facilities to provide services at much lower cost, since payment is provided at the time of service and payment delay by insurance is not an issue and billing and collecting isn't necessary. A $2000 MRI, might be negotiated to $400 for cash on the spot. Reference labs, like LabCorp and Quest will significantly discount, so routine labs might be $5-20. And generic drugs can be prescribed costing $4, goodrx.com can be used for significant discounts, and some practices buy common cheap generics (for pennies) and dispense right at the practice (for free, or a small service fee). Other expenses are covered by the patient's insurance - they need to keep a catastrophic or wraparound plan - but premium savings offset incidental expenses. Google 'direct primary care' to learn more."

Robert says: "The reality is that the vast number of insurance companies will accept my orders/referrals even though I am not participating in their plan. Certain HMO products are the only exception."