Poor Off-site Record Policies Put Practices at Risk of HIPAA Violations

June 25, 2014
Ericka L. Adler, JD

Shareholder at Roetzel & Andress

Physicians sometimes fall behind in their paperwork and take work home to complete. Are you aware of the risks that raises for your practice?

Like other busy professionals, medical providers sometimes fall behind in their paperwork and take work home to complete.   But does your practice allow records to be removed from the office?  What precautions do you have in place to protect records that are taken off site?  What are the consequences for taking records without permission, or perhaps not returning records for long periods of time, or ever?

Two different practice clients contacted me lately with very similar fact patterns, so I can only assume that removal of records, medical and financial, without permission from a medical practice, may not be an uncommon event.  In one situation, a physician regularly took home copies of patient billing records, financial data, and referral information.  This routine came to light during a HIPAA training seminar when an employee asked whether this was compliant.  This particular physician had taken the records without practice knowledge and stated the papers had been shredded.  The practice has no way of knowing exactly what has become of the records.  Assuming the records were transferred and stored securely, and properly shredded, there is no clear HIPAA violation.  However, what is clear is that the practice lacks safeguards to prevent information from leaving their office without permission and, even though this practice claims to engage in HIPAA education and has extensive policies in place, there are evidently gaps in their compliance planning that have created risk for the practice.

In the second situation, it was discovered that a physician had hoarded hundreds of patient files in his home over a period of years.  Although it started out as an effort to keep up with record requirements, how these records were not missed by the practice, and why they were not promptly returned, is still unclear.  Of greater concern is how the records were stored and who may have improperly accessed them.

Although these situations may sound crazy, they are more common than you think.  What has your practice put in place to prevent such scenarios from occurring and to give you the ability to properly discipline employees when it does occur?  Here are some suggestions:

1. Make sure you have policies in place to allow access to records from home.  There is no question that workforce members of a medical practice can process electronic and non-electronic protected health information (PHI) remotely.  HIPAA does not prohibit this practice.  However, the rules do require adoption of appropriate remote access policies, procedures, and practices that include transporting the PHI securely and reasonably ensuring that it is secure when processed remotely.  With a proper policy, the practice should feel confident that its off-site records are secure and there should be no need for employees to sneak documents when their intent is proper. Of course, good safeguards should also catch employees who try to remove documents improperly!

2. Review your employment agreements.  Most physician contracts contain something called an “Entire Agreement” provision, which states the agreement is the entire understanding of the parties and no outside documents apply.  This can mean that reference to the practice’s HIPAA manuals and other rules and regulations must be made in the employment agreement for the provider to be bound. 

3. Be clear in your employment agreements about what happens if there is a violation of a practice policy.  Simply calling a HIPAA or other medical record violation a “breach,” when your contract allows for unlimited cure of breaches, can mean the practice is unable to terminate a provider as needed.  Careful drafting of provisions is required.

4. Be aware that there are many reasons providers take records home and usually the reasons are legitimate. For those times when the reason is not valid, it is important to make sure your confidentiality, non-disclosure and non-solicitation provisions (including non-solicitation of referral sources) are well written and protective.

Continuous education and review of practice policies will not only help you ensure compliance with HIPAA, but also help you spot gaps in your practice’s policies and catch those providers who put your practice at risk.  Don’t forget to make sure your practice contracts are properly written and coordinated with your policies, to allow for the best possible enforcement.