New Federal Rules Address Patient Record Breaches
By Brian McCurdy, Senior Editor
Podiatry practices already spend a great deal of administrative time complying with the rules of the Health Insurance Portability and Accountability Act (HIPAA). However, practices will now need to adjust to new patient privacy provisions that ensure no personal health records are breached.
The new regulations, which are part of the American Recovery and Reinvestment Act (ARRA), require “vendors of personal healthcare and related entities” to report to consumers any breaches in their personal health information, according to the Federal Register. The rules affect HIPAA-covered entities such as hospitals, physician offices and health insurance plans. The rules took effect Sept. 24 with full compliance required by Feb. 22, 2010.
The rules define a security breach as acquiring a patient’s identifiable health information without the patient’s authorization. Examples of breaches include: theft of a laptop that contains personal health records; unauthorized downloading or transfer of records by staff; and remote electronic break-ins by hackers. As the Federal Register notes, if a breach in medical records affects more than 500 people, organizations must report the incident to the media as well as the Department of Health and Human Services.
Bruce Werber, DPM, FACFAS, compares the new regulations to rules for credit card records and transactions. As he says, if there is a breach in such records, credit card companies must report it immediately to the affected customers.
Keys To Improving EMR Security
In the wake of the new privacy rules, Dr. Werber advocates that podiatric practices reevaluate the electronic medical record (EMR) systems in place for the front and back offices. He says the evaluation should include ensuring the digital system is approved and certified by the Certification Commission for Health Information Technology (CCHIT), and that the system documents who has accessed patient records. One should also limit the availability of records to those who have a demonstrable need for access, according to Dr. Werber, a Past President of the American College of Foot and Ankle Surgeons.
Dr. Werber says physician practice owners should ensure that their staff has been given instruction on proper patient record protections and how to answer the phone without giving away diagnosis or procedure information. When there are third-party requests for patient records, the staff should double-check that the patient has authorized such a release.
Dr. Werber also suggests secure log-on procedures, regularly changing passwords and restricting off-site access. He also says staff should turn off all computers when they go home and not hide user names and passwords in easy-to-discover spots.
In addition, if all records are still in paper format, Dr. Werber says the practice needs to have logs to show who accessed records and when. As he suggests, this may require restricted physical access to the records. He says it may be sufficient just to have proper office procedures to prevent staff from taking charts off site.
Podiatrists cannot neglect training their staff to adhere to the regulations, according to Dr. Werber.
“No longer is it sufficient to buy a manual and put it on the shelf,” maintains Dr. Werber. “Every staff member must document that he or she understands the rules and will comply with office policies.”
Can Nasal Swabs Help Identify MRSA In The Foot?
By Lauren Grant, Assistant Editor
With the rise in methicillin-resistant Staphylococcus aureus (MRSA), physicians must be vigilant in screening for the infection in the lower extremity. A recent study assessed whether nasal swabs could be helpful in identifying MRSA in diabetic foot infections (DFI).