Patient Privacy + HIPAA
With all this talk about making patient records more accessible to care teams via the magic of the electronic record, HIPAA and HITECH — the two laws that govern patient privacy — might seem like a bit of a downer. They serve a very explicit purpose, however, and ensuring that you are always in compliance will save you not only legal woes but also money in the form of fines and penalties for breaches.
There are some obvious breaches of confidentiality that we must strive to avoid: you would never, for instance, post to all your Facebook followers the name, diagnosis and prognosis of a particularly difficult patient that you had today. What you might do instead, though, is go home and tell your spouse all about it.
That’s a HIPAA violation.
Is It Really That Bad?
Now, you might be shaking your head saying “It’s fine, they won’t tell anyone!” but that’s not the point. HIPAA policies explicitly state that patient information should never be given to any third party who is uninvolved in the patient’s care. Even releasing information to the patient’s own family requires stringent release of information guidelines. The patient’s own spouse wouldn’t have access to the records without explicit consent of the patient — so why should your spouse?
What Constitutes a Breach?
A HIPAA violation that occurs on a day-to-day basis may not result in a breach of enormous magnitude: if a breach involves more than 500 patients, for instance, the media must be notified. Otherwise it can be handled internally. Still, these breaches can make a hospital, and its patients, more vulnerable to identity theft and other breaches. Not to mention, what could lower patient satisfaction scores more than feeling like you’re being snooped on by every nurse on the ward?
6 Ways You Might Be Making a HIPAA Violation Without Realizing It
Here are a few breaches you might not even realize you or your staff is committing when it comes to abiding by the rules of HIPAA.
- Looking up a patient out of curiosity: just because you have access to a patient’s chart, electronic or otherwise, doesn’t give you permission to view that chart unless you are directly involved in the patient’s care. Your cousin might come in for appendicitis — but you must remain none the wiser. No snooping in their chart. No checking their labs. Even if they ask you to print off their surgical report for them, you can’t unless they sign a release from the department of health information granting you the right to pick up a copy, to be printed by health information staff. Even if you think you’re just taking a quick peek, every click into and out of an EMR is tracked by auditing software. These audits are run by HIM staff on at least a monthly basis, and various “triggers” are set up and automatically run against patient rosters and access logs. An example might be that an alert is tripped when a staff member is in the chart of someone who has the same last name or address.
- Any information you do glean about a patient should be worn close to the vest: even if the information you have about a patient is justified, it doesn’t give you the right to disseminate that information to others. You might be discussing the patient with another doctor who is treating them, but if you’re doing it in the break room where several interns can overhear, you’re unwittingly giving out information to ears that should not be privy to it.
- Don’t share your logins: whether it’s for the EMR, your email or your network password, don’t give this information out to anyone. Additionally, when you’re triggered to update your password a few times a year, do it. Don’t put it off. The best defense against hackers is to remain elusive to their clutches. Also remember that if you’re working on a computer in an office space or out on the unit, you should completely log out not just of the patient’s chart, but anything that you were working in, before you leave the computer unattended. Even if you’re just hopping up to grab something from the printer or get another cup of coffee, either log out or securely lock the workstation before you do. All it takes is a few clicks by someone else to get an audit triggered under your organization.
- HIPAA and HITECH policies should be current, comprehensive and complied with: it’s up to the administrators to make sure that the hospital is reviewing its policies at least semi-annually, revising them to include or exclude any changes made, and monitoring and enforcing compliance by all staff members. Audits should be regularly run and reviewed, and investigations into possible breaches reported and completed in a timely manner without breaking the bank. Many hospitals have a warning system for employees who have violated these policies, but others have adopted a zero-tolerance policy for breaches — resulting in immediate termination.
- Be mindful of social media: before you hop on Twitter, Facebook or Instagram make sure to check your facility’s social media policy. It might be common sense to never use any identifying patient information in your posts, but even that picture you instagrammed of your lunch might contain a view of a patient’s chart on your desk. Or, a video you posted to Facebook could have audio from the patient room next door. The best policy about discussing hospital, patient or work-related matters on social media is to not discuss it.
- Know your release of information forms: each hospital has a method to the madness of releasing patient information and if you’re uncertain, ask the clerks in medical records or health information what paperwork needs to be completed before patient information can be released. Also be certain that you know what information can and cannot be given over the phone. Know where to locate Power of Attorney forms in a physical or electronic chart. Always ask for identification before releasing any information.
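The audit trigger described in the first item above (an alert when a staff member is in the chart of someone with the same last name or address) can be sketched in Python. This is an added example, not code from the original article or from any EMR product; the roster fields, log columns and sample rows are constructed assumptions.

```python
import csv, io, re

# Constructed sample data: field names and values are assumptions,
# not the export format of any real EMR or auditing product.
STAFF = {
    "u101": {"last": "Nguyen", "address": "12 Oak St., Apt 4"},
    "u102": {"last": "Smith", "address": "900 Pine Road"},
}
PATIENTS = {
    "p1": {"last": "Nguyen", "address": "77 Elm Ave"},
    "p2": {"last": "Garcia", "address": "900 pine rd"},
    "p3": {"last": "Lee", "address": "5 Main St"},
}
ACCESS_LOG = """timestamp,user_id,patient_id,action
2024-03-01T09:12:00,u101,p1,open_chart
2024-03-01T09:15:00,u101,p3,open_chart
2024-03-01T10:02:00,u102,p2,view_labs
2024-03-01T10:30:00,u102,p3,open_chart
"""
ABBREV = {"street": "st", "road": "rd", "avenue": "ave", "apartment": "apt"}

def norm_address(addr):
    """Lowercase, drop punctuation and abbreviate common words so that
    '900 Pine Road' and '900 pine rd' compare equal."""
    words = re.sub(r"[^a-z0-9 ]", "", addr.lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words)

def find_triggers(log_text, staff, patients):
    """Return (timestamp, user_id, patient_id, reasons) for every access
    where the staff member shares a last name or address with the patient."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        s, p = staff.get(row["user_id"]), patients.get(row["patient_id"])
        if s is None or p is None:
            reasons = ["unknown_id"]  # not on either roster: send to manual review
        else:
            reasons = []
            if s["last"].casefold() == p["last"].casefold():
                reasons.append("same_last_name")
            if norm_address(s["address"]) == norm_address(p["address"]):
                reasons.append("same_address")
        if reasons:
            alerts.append((row["timestamp"], row["user_id"], row["patient_id"], reasons))
    return alerts

if __name__ == "__main__":
    for alert in find_triggers(ACCESS_LOG, STAFF, PATIENTS):
        print(alert)
```

A hit from a trigger like this is a lead for the reviewer, who still has to check whether the staff member was involved in that patient’s care.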
What if you goof?
If you think you have inadvertently ended up in a patient’s chart — like, the wrong John Smith — go to the health information department (or whoever is running the audits in your organization) and explain what happened. Oftentimes, if you go straight away and explain what happened (“I had the wrong date of birth for this patient and ended up in the chart of the wrong John Smith”), and you logged out as soon as the mistake was realized (your time spent in the chart will be logged) and reported it, you can likely avoid disciplinary action. If it goes unreported, however, and turns up later in an audit, you could face consequences — perhaps even losing your job.
The best way to avoid a HIPAA violation is to know what they are, understand how to avoid them and then be diligent about doing so. You don’t want to be caught with your hand in the cookie jar — or, as it is, the patient record.