HIPAA covered entities across the country are updating their policies in advance of the September 23, 2013 compliance deadline for the HIPAA Omnibus Rule changes. Covered entities – hospitals, physician practices and other providers – can reduce their risks with a simple adjustment to their intake paperwork and recordkeeping. For organizations with large numbers of patients, the financial savings can be large.
One of the biggest risks that covered entities face – which is quantified in a thorough HIPAA Security risk analysis – is the possibility of a major data breach. Generally, each patient must be notified via first class mail, which with postage, supplies and labor will cost in the vicinity of $1.00 per patient just for the notification. However, if patients agree in advance, the notification may be made via email, which is much cheaper. The only cost is the labor cost. So, a practice with 100,000 patients could potentially save $100,000 if patients agree to be notified via email. (Covered entities are also obligated to mitigate the damage caused by the breach – which often leads to other costs such as the purchase of identity theft protection for patients.)
Practices can adjust their intake paperwork to ask for patient approval with a simple checkbox. A second measure is to customize the electronic record intake screen to record whether permission was granted to use email for breach notification. With this flag in the demographic section of the record, a query can quickly dump the names and email addresses of patients willing to receive email notification, and a separate file for those who require costly snail mail. Checking with patients every year for updates to their email addresses will help keep your records accurate.
Doing this for only new patients will gradually reduce your risk as the percentage of patients who agree increases. Organizations can accelerate this risk reduction by inviting established patients to elect email notification when they return for service. In the hypothetical organization with 100,000 patients, if 50% of patients allow email notification then the savings would be $50,000.
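The split described in the two paragraphs above, as an added example that is not part of the original article and not any vendor's EHR code: it partitions demographic records into an email list and a postal list using the consent flag, and treats a patient as postal-only when consent was given but no usable address is on file or the address has not been confirmed within the last year (the annual check the text recommends). The record fields (`email_consent`, `consent_confirmed`) and the sample patients are assumptions constructed for the example; the $1.00 per-letter figure is the article's own.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed stand-in for the demographic section of a patient record.
# Field names are assumptions for this example, not a real EHR schema.
@dataclass
class Patient:
    name: str
    email: Optional[str]
    email_consent: bool                 # the intake-form checkbox
    consent_confirmed: Optional[date]   # last date the address/consent was confirmed


def email_usable(p: Patient, today: date, max_age_days: int = 365) -> bool:
    """A patient can be notified by email only if they opted in, an address is
    on file, and the address was confirmed within the last year."""
    if not p.email_consent or not p.email or "@" not in p.email:
        return False
    if p.consent_confirmed is None:
        return False
    return (today - p.consent_confirmed).days <= max_age_days


def split_notification_lists(patients: List[Patient], today: date) -> Tuple[List[Patient], List[Patient]]:
    """Return (email_list, postal_list); anyone not email-eligible falls back to mail."""
    email_list: List[Patient] = []
    postal_list: List[Patient] = []
    for p in patients:
        (email_list if email_usable(p, today) else postal_list).append(p)
    return email_list, postal_list


def estimated_postage_saved(email_list: List[Patient], cost_per_letter: float = 1.00) -> float:
    """Postage, supplies and labor avoided, at the article's ~$1.00 per mailed notice."""
    return len(email_list) * cost_per_letter


# Constructed sample records covering the edge cases a real export must handle.
SAMPLE = [
    Patient("Alice Example", "alice@example.com", True, date(2013, 3, 1)),   # eligible
    Patient("Bob Example", None, True, date(2013, 3, 1)),                    # consented, no address
    Patient("Carol Example", "carol@example.com", False, None),              # declined
    Patient("Dan Example", "dan@example.com", True, date(2011, 1, 1)),       # confirmation stale
]

if __name__ == "__main__":
    by_email, by_mail = split_notification_lists(SAMPLE, date(2013, 9, 23))
    print("email:", [p.name for p in by_email])
    print("mail:", [p.name for p in by_mail])
    print("postage saved: $%.2f" % estimated_postage_saved(by_email))
```

The fallback-to-postal rule is the important design choice: a consent flag alone is not enough, because notifying a patient at a dead or missing address is not a valid notification, so the export should only count a record as "email" when the address is present and recently confirmed.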
Practices can reduce risk by implementing safeguards to prevent a breach in the first place. And, as this analysis shows, they can also reduce the impact of a bad event by implementing contingency plans.