HIPAA, quality specialist warns against complacency
HIPAA, quality specialist warns against complacency
'People have to be reminded'
If ensuring compliance with the privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA) has moved way down on your list of priorities, you might want to reconsider, suggests Barbara Disher, JD, president of Chicago-based LogiSpan, a company that specializes in risk management and quality control software.
"People have to be reminded," Disher says. "If you don't constantly remind, it gets off the topic list until something negative happens." Those who are complacent, she adds, "will be unpleasantly surprised."
Giving weight to her assertion is a recent survey by the American Health Information Management Association (AHIMA). The percentage of respondents who said they believed their institution was more than 85% compliant with HIPAA dropped to 85% in 2006 from 91% in 2005.
Lack of resources and competing priorities have led some hospital and health system staff to slack off regarding all aspects of the privacy rule, according to the survey report. It went on to say that privacy officers particularly need support for education and training of new staff.
Disher will address HIPAA concerns this month at a seminar in Brookfield, IL, sponsored by the Association of Illinois Patient Access Management and the First Illinois Chapter of the Healthcare Financial Management Association.
HIPAA provisions call for periodic training, Disher points out, noting that attending seminars can serve as a means of fulfilling that requirement. Those receiving the training can, for example, write a synopsis of the material for the staff newsletter.
In working with clients or doing a presentation on HIPAA, Disher says, she usually focuses on a few of the most important parts of the rule — what to remember while registering a patient, for example.
Apply common sense test
She emphasizes the importance of applying the "common sense" test when looking at a situation to which HIPAA may apply.
"For example, when the security rule first came out," Disher says, "the security officer at a large health system we were working with had gone to a seminar and gotten the idea that you had to verify who you were talking to before you could release information."
That meant that, per his instructions, when someone from a physician's office called the registration desk, following up on whether a patient had made an appointment to get a CAT scan, registrars had to hang up and call the office back to see if that was in fact where the call had come from.
When one considers extending that policy throughout a huge medical center, to nursing and laboratory and diagnostic imaging, among other areas, Disher adds, the logistical challenge is obvious.
It's also one that doesn't need to be battled, she points out, noting that a closer reading of the rule indicates that simply asking the person on the phone to confirm that they are calling from a particular physician's office is sufficient.
Another situation that has caused providers to jump to unnecessary conclusions, Disher says, came out of the fact that many individuals leave their primary residence for certain parts of the year. While away, she adds, they may want to follow up on an upcoming appointment.
"What a lot of folks would like to do is [make arrangements by] e-mail, but the danger of e-mail is that it is an extremely open universe," Disher says. The provider's initial reaction, she says, was, "We can't do this."
What she suggests, instead, is to consider that communicating by e-mail can be a benefit for both parties, and to ask the patient to sign off on it.
A recent query came from a client associated with a hospital that has a long-term care facility attached, Disher notes.
"One of the biggest [privacy] issues in long-term care is that pictures of the patients are often put on the door of their rooms, which helps them find their home," she adds. "If the facility has more than one hallway, [residents] can get lost, and if they are on another unit, staff members there may not know them."
There is a book of resident photos, Disher says, so that employees can identify these wandering patients and get them back to their rooms.
The client had been in a seminar where participants were cautioned about using photographs in hospital nurseries and during surgery, and so had asked about the appropriateness of the photos in the long-term care facility, she says. "He said, 'Do we have to eliminate this, because it is difficult to get permission from these patients?'"
In that case, Disher says, she highlighted a HIPAA provision that allows such practices when there is a legitimate reason behind them, but that the provider should explain the photos in its privacy notice.
"The biggest thing to remember about HIPAA is that it is like a living regulation," she points out. "It's not a regulation that tells you to create a form and put it in place, and then there is a limited set of people who fill out the form and send it in. It applies to every single person who works in health care — every situation where there is any interaction with a patient, a visitor or protected health information."
Adding to the challenge, Disher notes, is that the Department of Health and Human Services seems constantly to be tweaking the rules.
While HIPAA doesn't require providers to be perfect, she says, it does require them to do the best job they can at being perfect.
"If you have processes in place to protect [patient privacy] and you demonstrate that you try to do your best to follow them, and if there is a misstep, you appropriately follow up so it doesn't happen again," she continues, "then you have not violated HIPAA. But if you ignore [that misstep], then you are violating it, even if it's an accident."
(Barbara Disher can be reached at [email protected]. The company's web site is www.logispaninc.com.)
If ensuring compliance with the privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA) has moved way down on your list of priorities, you might want to reconsider.Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.