
Detailed Records Are Key to Navigating HIPAA


 

NEW YORK—Consistent, detailed record keeping and patient communication are key to avoiding legal complications and navigating HIPAA requirements, Dr. Noah Scheinfeld said at a meeting on medical and surgical dermatology sponsored by Mount Sinai School of Medicine.

One area where record keeping is especially important is clinical photographs of patients. If you're going to take patient photographs, retain them as part of the patient's medical record because patient images are considered medical records and as such are legal evidence. In the event of a lawsuit, if the photos that were taken are not available, the court assumes that the missing records are in the plaintiff's favor, said Dr. Scheinfeld of Columbia University in New York, who also holds a law degree.

With the advent of digital photography, it's easy to take many images of the same area. Physicians do not need to save 10 images of the same thing, he said, but at least 1 of each should be kept in the records.

Under federal law, records must be kept for 5 years, but individual states may have more rigorous standards. For example, New York requires that medical records be kept for 7 years, he said.

But one area that physicians can worry a little less about is HIPAA enforcement, Dr. Scheinfeld said. Despite more than 20,000 complaints since HIPAA privacy provisions went into effect in 2003, there has not been much in the way of enforcement.

“Lots of complaints—very little action,” he said.

Only a few hundred HIPAA violations have been referred for criminal action, and so far only three cases have resulted in criminal charges. In 2004, a Seattle man who worked at an area cancer center was sentenced to 16 months in jail for using a cancer patient's personal information to obtain credit cards. In 2006, a Texas woman who worked in a physician's office was convicted of selling the medical records of an FBI agent. Most recently, the U.S. Attorney for the Southern District of Florida brought criminal charges against a woman who worked as the front desk office coordinator for a Florida clinic for allegedly selling patient information.

In general, it is important to notify patients of their privacy rights and the use of their personal health information, adopt and implement privacy procedures, and train employees in those procedures. Physicians also need to designate an individual to be responsible for ensuring that the office privacy procedures are followed. Patient records must be secured so that individually identified health information is not accessible to those who do not need it for treatment or payment reasons.

However, HIPAA regulations do not prohibit common practices such as keeping waiting room lists or leaving charts on exam room doors, he said.
