All healthcare professionals would agree that maintaining confidentiality and privacy of patient information is of utmost importance. The requirements for maintaining confidentiality and privacy are strictly mandated under the HIPAA laws.
The privacy and security regulations apply equally to all covered entities and business associates and have been in effect for over 10 years. Based upon your experience, how would you rate your compliance IQ? Check out these actual scenarios (Note: real names not used). How would you have responded?
Samantha emailed a copy of Mrs. Preston’s orthodontic consult to the referring dentist. Unfortunately, Mrs. Preston had requested that none of her information be transmitted via unencrypted email. Samantha realized her error, but did not admit it until her boss questioned her. To make matters worse, Mrs. Preston had specifically discussed her email preferences during her consult with the orthodontist.
What should you have done if you were in Samantha’s shoes? Should the patient be notified?
When Mrs. Johnston called to inquire about her husband’s upcoming dental appointment, Eileen explained the treatment plan and fees to her. Mrs. Johnston became irate as she felt her husband was being overcharged for treatment he did not need. At that point, Eileen realized there was a note buried in the electronic record that Mr. Johnston had requested his treatment not be discussed with anyone, including his wife.
How should this have been handled? How could it have been prevented?
Both of these situations deal with the patient’s right to confidential communication under the Privacy Rule. Once you agree to a patient’s request such as not emailing their protected health information (PHI) or restricting whom you can talk to about their care, you are obliged to comply.
In Samantha’s case, perhaps she did not review the electronic chart prior to sending the email or the chart was not appropriately marked with an alert not to use unencrypted electronic communication. Either way, she should have notified the doctor so it could have been addressed with the patient. Electing to ignore the situation could prove problematic if the referring dentist happened to mention the email to Mrs. Preston.
Initially, Eileen thought she was being helpful. It didn’t cross her mind to check the administrative notes about Mr. Johnston’s HIPAA request; after all, they were under the same account. Eileen should have taken a few extra seconds to review any electronic administrative notes or the HIPAA forms indicating the patient’s preference.
What would you have done in each scenario? Or are you wondering, “What’s the big deal?”
In the end, small HIPAA hiccups could result in a “big deal” if the patient exercises his/her right to file a complaint with the Office of Civil Rights (OCR). Even if the OCR only conducted an informal investigation and no fine was levied, the headache and potential loss of patient trust and your reputation carry indirect as well as direct costs.
Maintaining patient confidentiality and privacy throughout your practice necessitates a comprehensive approach. It’s a mistake to believe compliance consists of just conducting annual team training or taking a CE course. Nor is it limited to a checklist provided by your IT vendor related to technical safeguards. And you are not in compliance if you purchased a manual, but have not customized the policies.
Being fully HIPAA compliant first and foremost means understanding the legal requirements of the security and privacy laws, then adhering to those requirements. Start by reviewing the directions and table of contents of your current manual to ensure you completed everything as directed. Next, review the prior blog post titled “Maintaining Readiness in the Dental Office” for compliance tips. Lastly, refer to this link to read more about the regulations.