HIPAA Regulatory Alert: Multifaceted approach builds compliance culture
How to engender compliance with HIPAA
One of the most difficult challenges in a health care setting is creating or changing culture, and this certainly applies to HIPAA compliance. Experts agree that engendering a culture of compliance requires a delicate combination of several strategies:
assessing the state of your culture;
ongoing staff education, starting with orientation;
leadership that sets a good example;
proactive monitoring of employee performance;
clear policies for addressing HIPAA breaches.
"There are several things that are clues as to whether you have a culture like this in your organization," says Wendy Mangin, MS, RHIA, director of the medical records department and privacy officer at Good Samaritan Hospital in Vincennes, IN. "Certainly, if you have a lot of HIPAA privacy complaints coming into the facility, that would be a good clue that your staff do not have a good understanding of HIPAA."
In addition, she notes, most hospitals also survey patients about privacy practices after they leave, as part of their patient satisfaction questionnaire. "My hospital has questions in the survey relating to how good a job the patient felt your staff did in protecting their privacy," she says. "For example, are we shutting the door when we leave the room and pulling the curtains closed around the patient? Are we being careful not to have conversations in their room about other patients?"
If the hospital's score in such areas begins to fall, or negative comments are written by patients, "we will drill down to where the problem occurred with a particular patient," says Mangin.
"You can run audits every month to look for breaches," adds Sandra L. Joe, MJ, RHIA, regional director-health information management for Provena Healthcare's Northern Illinois Region; privacy officer at Provena Saint Joseph Hospital in Elgin, IL; and compliance liaison at Provena Mercy Medical Center in Aurora, IL.
"For example, if a nurse is working on one unit and viewed a medical record on a behavioral health unit, and they are not responsible for caring for that patient, they should not be viewing that patient's medical record." Joe explains that when the audit is run, "we can see which module the employee went into; it will indicate the date and time and the name of the patient whose records they were viewing."
"It's a lot easier with our current technology," adds Mangin. "If there is an alleged breach, we have the tools to go in and tell who looked at what, when, and for how long."
This can be an involved process, notes Joe, because the monthly random audits produce reports that typically run 400 pages. "You have to go through it page by page if there's a potential breach," Joe says, adding that she conducts these audits in conjunction with the risk management department.
Avoiding breaches
Of course, privacy officers would prefer to prevent breaches before they happen. To that end, says Mangin, she uses a number of different strategies. "For all new hires, we have new employee orientation; every other week there is a new class coming in," she notes. "The security officer and I take turns doing a half-hour session on HIPAA."
These sessions, she continues, cover real-life issues; for example, if you're walking down the hall and see a patient you know being wheeled on a gurney, what is the appropriate behavior? "We teach them that they should smile, say 'hi,' and keep on walking," says Mangin. "You do not approach them and ask them what they're doing here or what they're having done; that could be interpreted as a privacy breach."
Mangin and the security officer also talk about how staff should behave when they're out in the community and people ask about what's going on with a particular patient in the hospital. "We teach them to say they are not allowed to ever discuss patients outside of the hospital," she says. "Or, if they are not comfortable with that, then they should just say they have no idea."
Of course, computer access also is discussed. "We remind them that just because they have a user code, that does not give them access to any patient in the computer," says Mangin. They also let the employees know that they periodically conduct audit trails and that they can tell whose files they are reviewing. "We tell them that up front," she emphasizes. "We even take the position that employees are not allowed to look at their own files online; it's just too easy a step from there to look at your spouse's records."
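The two audit rules described above, access to a patient the employee is not responsible for on another unit and employees opening their own record, can be checked mechanically before anyone reads a 400-page report. The following is an added example, not code from the article or from either hospital; the event fields, care-team table and staff MRN mapping are constructed assumptions about what an EHR access trail exports.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    """One row of an EHR access trail (constructed layout, not a real vendor export)."""
    timestamp: datetime
    user_id: str
    user_unit: str
    module: str
    patient_id: str
    patient_unit: str


# Constructed sample data: who is on each patient's care team, and which
# staff member is also a patient (their own medical record number).
CARE_TEAM = {
    "P1001": {"rn_alvarez"},
    "P2002": {"rn_okafor", "md_chen"},
    "P3003": {"rn_alvarez"},
}
STAFF_MRN = {"rn_okafor": "P3003"}

SAMPLE_EVENTS = [
    AccessEvent(datetime(2024, 3, 4, 8, 5), "rn_alvarez", "MedSurg", "Chart", "P1001", "MedSurg"),
    AccessEvent(datetime(2024, 3, 4, 8, 7), "rn_alvarez", "MedSurg", "Notes", "P2002", "BehavioralHealth"),
    AccessEvent(datetime(2024, 3, 4, 9, 30), "rn_okafor", "BehavioralHealth", "Results", "P3003", "MedSurg"),
    AccessEvent(datetime(2024, 3, 4, 9, 41), "md_chen", "BehavioralHealth", "Chart", "P2002", "BehavioralHealth"),
]


def review_access_log(events, care_team, staff_mrn):
    """Return (event, reason) pairs a privacy officer should follow up on."""
    findings = []
    for ev in events:
        # Rule 2: employees may not open their own record.
        if staff_mrn.get(ev.user_id) == ev.patient_id:
            findings.append((ev, "self-lookup"))
            continue
        # Rule 1: viewing a patient you are not caring for, on another unit.
        on_team = ev.user_id in care_team.get(ev.patient_id, set())
        if not on_team:
            where = "cross-unit" if ev.user_unit != ev.patient_unit else "same unit"
            findings.append((ev, f"not on care team ({where})"))
    return findings


def format_finding(ev, reason):
    """Render a finding the way the article says the report shows it: module, date/time, patient."""
    return f"{ev.user_id} -> {ev.module} {ev.timestamp:%Y-%m-%d %H:%M} patient {ev.patient_id}: {reason}"
```

Running `review_access_log(SAMPLE_EVENTS, CARE_TEAM, STAFF_MRN)` on the constructed trail flags the cross-unit behavioral health access and the self-lookup, and nothing else.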
Education does not stop there. At least once a year, every hospital employee has to participate in an "education day." "This involves an online educational packet they have to complete that covers many areas, including privacy and security," Mangin explains. "Each department director checks everyone's answers to see if they are right or wrong. If they get something wrong, we encourage them to re-read specific sections of the guidelines."
"In order to maintain a culture of compliance, leaders have to reinforce the message at monthly meetings, in addition to ongoing education," says Joe. "I've encouraged leaders to have a standing agenda item for every meeting to go over compliance, and I encourage them to ask me about any questions of compliance that come up."
In staff meetings, Joe will regularly address specific issues, perhaps something that has appeared in the media. "I also pull positions off of the OIG [Office of the Inspector General] web site and show them that this was a true case; so these things do happen," she adds.
In addition to the education provided at orientation, Joe states that Provena Health System has mandatory compliance training, which is taken online.
Set clear policies
Since, unfortunately, breaches do occur, it's important to have clear policies in place not only to address the employee who has made the breach, but also to reinforce the message to the rest of the staff that violating the privacy policy does have consequences.
Joe says when a breach is discovered, she first meets with the manager of the department to go over the report. "Then we meet with the employee and ask them a few questions; usually they will be very up front and admit what they did. Some, however, will skirt the issue and say they never did it."
If the employee admits to committing the breach, they will receive a "first and final" written warning, and if a violation occurs again they will be immediately terminated. "If the issue is very flagrant and malicious, they are immediately terminated," adds Joe.
If the employee doesn't admit guilt "we tell them we will consult with human resources and that we will conduct a further examination," says Joe. "Usually, when we come back a second time, they cave under the pressure. We remind them that we do these audits, and we know exactly what screens they have been in."
Employees who have worked in other health care facilities probably will have gone through a HIPAA education process, "But we still have to stress our policy, so it's covered in orientation," adds Joe.
"Every hospital should have a security privacy violation policy," adds Mangin. "We tie ours into the hospital's progressive disciplinary policy; we try to give examples of different levels of violation (1, 2, or 3) and suggest different steps that would be taken." For example, for a very minor violation, she notes, the employee might get a first written warning. A second written warning goes into the employee's permanent file. If a problem occurs after an employee has already been given a first written reminder and a second written reminder, they are given a "decision-making day," where they are sent home to decide if they still want to work at the hospital and to ponder what they would need to do if they decided to stay.
Set a good example
Last but not least, it's critical for a hospital leader to set a good example when establishing a culture of compliance. "Walk the talk; lead by example," advises Joe.
"This is really, really important," adds Mangin. "I encourage, and receive, lots of calls from other department directors asking how they should deal with certain situations. In these cases, I try and do a little 'just-in-time' education. I tell them, 'This is how I would handle it; this is what I would say.'"
Even within her own area, she continues, when a patient comes into the office and is clearly upset, she will go out and help the staff. "I try to be as compassionate and as helpful as possible to let the patient know we're on their side and that we'll do whatever we can to help them today," says Mangin. "When the staff see you do that, they'll do it, too. They also know it is my expectation of them to do the same thing."