Patient privacy and confidentiality violations occur in the medical practice setting more frequently than one might think. A HIPAA compliance plan can help cut down on these accidental breaches.
You might not realize it, but patient privacy and confidentiality violations occur in the medical practice setting much more frequently than you would imagine. Most of these violations, says Todd Rodriguez, co-chair of the Fox Rothschild health law practice group, were unintentional — but they weren’t unexpected.
“From the very beginning under the HIPAA privacy rules, there was an acknowledgement that there would be inadvertent breaches,” Rodriguez says. “Not intentional, and in many circumstances, unavoidable. And the regulators were clear that they did not want or intend the HIPAA privacy rules to slow down the process or to impede the ability of a doctor to treat his or her patient.”
Though unintentional, it’s important for physicians to recognize where and how these violations may occur and to implement reasonable safeguards to protect patient health information.
The inadvertent breach
An example of an inadvertent breach that doesn’t necessarily rise to the level of a reportable violation would be a patient sign-in sheet in the doctor’s waiting room. Imagine that there are 10 patients in the practice’s waiting room. Everyone signs in when they come in, and so there’s a list sitting out on the desk with everyone’s name on it. That, says Rodriguez, is protected health information because patients are there to be treated.
“You know it’s about their health care, and you know their identity,” he explains. “But we recognize that needs to happen as part of the treatment process. So it’s the kind of thing you wouldn’t get terribly excited about in terms of a breach. Yes, it’s a disclosure, but it’s part of the treatment process, and it’s sort of an unavoidable kind of disclosure.”
A second example might be if a doctor talks with a patient about their diagnosis while in the waiting room, or in the practice corridors. Could that be overheard? Of course.
“If you don’t have to have a patient sign-in list in the waiting room, don’t have one,” Rodriguez says. “If you can talk to the patient in a private room as opposed to talking to them in the waiting room, you should do that.”
Establish a system
Rodriguez says every medical practice should take steps to develop a HIPAA compliance plan to ensure that even inadvertent privacy violations are kept to a minimum.
The first step is to understand the rules and how they apply to your practice. For example, as a medical practice, you’re deemed a covered entity, and as such you have an obligation to implement reasonable safeguards, including electronic safeguards, in your office to prevent unauthorized or improper uses or disclosures of protected health information. And that obligation, Rodriguez points out, is scalable.
“If you’re a solo doctor and you don’t have a lot of resources at your disposal, you wouldn’t be expected to have a full-time privacy officer,” he explains. “But a large hospital or health system on the other hand would certainly be expected to have a full-time privacy officer, at least. And you kind of have to use your head; use some common sense. Don’t yell across the room to Mrs. Smith that it’s time for her endoscopy.”
The second step in developing a HIPAA compliance plan is putting in place policies and procedures that are appropriate to your setting. That includes the use of electronic media.
“Physicians use their Blackberries or iPhones to text information about patients, and that’s largely unsecured,” Rodriguez says. “That alone can be a HIPAA breach and should be avoided. Every cell phone that you use in connection with your practice should either be encrypted or be password protected.”
The third step is to train staff on those policies and procedures, and to repeat that training regularly, so that the staff knows them. And if you have any kind of violation, whether inadvertent or intentional, know the steps necessary to rectify the error. There are specific things you are supposed to do when you have a breach, depending on the nature of the breach and what’s involved.
Rodriguez explains that having an appropriate HIPAA compliance plan for your medical practice is not only good medicine, but also good ethics and good patient relations.
“How would you feel if someone knew that you had a particular condition?” Rodriguez asks, rhetorically. “And just the fact that someone in the waiting room may hear, maybe it’s not a big deal, but suppose it gets back to your employer? Somehow that impacts your insurance coverage, because they find out you have a pre-existing condition, or you lose your job because of it. That’s why you should always try to avoid any breach of privacy.”