We've always been HIPAA-compliant

June 6, 2003

Do a good job of guarding patient confidentiality and you'll have nothing to fear from HIPAA regulations, says this physician.

 

By Pepi Granat, MD
Family Physician/Coral Gables, FL

The medical community has been in a dither over the privacy provision of HIPAA (Health Insurance Portability and Accountability Act) ever since the law was passed. But HIPAA isn't changing our practice much.

Since we opened in 1971, we've been acutely aware of our patients' right to privacy and of the confidentiality of their medical records. It's simply the right thing to do. The HIPAA privacy rule simply echoes what we've always tried to do. If other doctors followed these basic precepts, they wouldn't have to worry about HIPAA either.

I'm in solo practice and often have medical students or residents doing preceptorships. I employ two full-time staffers and one part-time file clerk, and occasionally hire temporary help. Everyone associated with my practice is informed of our rules about patient confidentiality. Now, with HIPAA, we'll insist they sign a statement saying that they understand them.

Here are our rules:

1. From the moment of employment, no staffer mentions any patient's name within the hearing of another patient. If we need to discuss or question something in the presence of another patient, we show the written name to each other, then discuss briefly.

2. Telephone conversations that require the mention of names are held in a private room or in a lowered voice. This includes calling in prescriptions and making appointments. Speakerphones aren't used without express permission of those on the phone.

3. Charts are never left unattended or where others can see them. We keep charts in the office only for patients we've seen within a two-year time span. If patients haven't been seen in two years, their files are moved to dead, locked storage. If records are disposed of, they are shredded.

4. Patients have the right to review their own charts. We like the physician to be present to interpret notations, though, so patients aren't unnecessarily alarmed.

5. Patients have the right to ask for copies of their records. We like to send them directly to other physicians, for the reason above, but if patients insist, we give copies to them.

6. No chart copies leave the office without express written (or authorized telephone) permission from the patient or patient representative.

7. No one except the transcriber and physicians (and then only if unavoidable) is allowed to take charts out of the office.

8. A transcriptionist keeps all materials in a safe and delivers typed reports and progress records on gummed paper that's placed in the patients' charts. She's been educated as to confidentiality and professionalism, and no one else has access to her work.

9. Staffers never discuss patients outside the office. Staffers don't tell anyone the identity of a patient, or any information about him or her, without specific permission from the patient. This policy extends to relatives, including parents of teenagers, and public figures.

We encourage teenagers to share information with their parents, but we recognize that this is not always desirable. We inform parents of our policy before treating teenagers, and parents are given the opportunity to go elsewhere if our policy doesn't meet with their approval.

10. HIV testing and counseling records are kept in a separate file.

11. Regarding electronic transactions: We use companies for transmitting electronic claims, and we depend on their written assertions of confidentiality regarding patient information to which they might gain access. The policy applies likewise to companies who can access our computers remotely to correct breakdowns or to enhance software.

12. We use computer-blurring screens so persons standing nearby can't read the screen.

13. We have never used multiple sign-in sheets because they could violate patients' privacy. Instead, we use a single-sheet, sign-in pad on which a patient writes his or her name (along with address change, chief complaint, and other information). The patient then tears off the sheet and hands it to the receptionist through the window separating the waiting room from the business office.

14. The office manager, who's been enforcing these policies since we adopted them, is now our "privacy officer."

Are we perfect? Not quite. Sometimes, despite our efforts, conversations can be overheard. But it's usually when patients themselves are announcing personal experiences to all who will listen!

 

Pepi Granat. We've always been HIPAA-compliant. Medical Economics Jun. 6, 2003;80:80.