Anesthesia Coding Alert

Remember that patient care is always your top priority.

Incidental use — also known as incidental disclosure — is disclosure of a patient’s protected health information (PHI) to someone who’s not supposed to have it, but it’s incidental to performing your day-to-day operations. For example, a patient might overhear a conversation in an adjoining room between a physician and another patient that included PHI.

Last month’s issue of Anesthesia Coding Alert looked at three tips for keeping compliant with Health Information Portability and Accountability Act (HIPAA) regulations regarding incidental disclosures (see “Don’t Let Incidental PHI Disclosure Lead to Bigger Compliance Issues” in Anesthesia Coding Alert Vol. 21, No. 12). Those tips were:

1. Decide what constitutes “reasonable” in your practice.
2. Boost staff knowledge.
3. Continue staff education on privacy.

Now our experts return with three more tips to help you minimize your risk for disclosure and the potential for HIPAA privacy violations. Read on for advice from Adam Kehler, CISSP, principal consultant and healthcare practice lead with Online Business Systems, and healthcare counsel Elizabeth Hodge and partner attorney Carolyn Metnick, with the national law firm Akerman LLP.

Tip 1: Ensure Breach Reporting Is Accessible

Any covered entity (CE) eager to keep tabs on its incidental uses and disclosures of PHI should implement — or already have in place — a mechanism for staff to identify and report any such incidents.

What’s important for entities to keep in mind is that most unintended disclosures of PHI have more to do with bad training or lack of supervision than with a disgruntled employee who releases information. That’s why it’s essential that your staff feel comfortable reporting any mistakes or privacy breaches they may make or witness.

One way to both educate and involve your workforce when it comes to reporting incidental disclosures is to use staff discovery tools. These instruct employees to be on the lookout for issues and to record any incidental disclosures they may spot, and also allow you to continually monitor the effectiveness of your policies and procedures.

Tip 2: Self-critique to Improve

Incidental disclosures may be permitted under HIPAA, but is your organization constantly thinking of low-cost ways to minimize their occurrences?

For instance, anyone who visits a busy hospital unit is sure to see whole banks of electronic monitors labeled with patients’ names. Anyone walking through that area might see heart rates, EKGs, and other respiratory monitoring output on virtually every patient that’s up there.

And while the regs might allow for the incidental disclosure of PHI on these machines, simply by repositioning patient monitors out of public view, entities could avoid such disclosures altogether with minimal cost and effort.

Consider this: Does your organization leave patient charts in open areas, such as at a nursing station or outside the door of a doctor’s office? If so, then maybe you could flip the chart upside down and have it face the wall. Or simply take the charts off the top of the counter and put them below in a desk drawer. These are all low-cost, easy steps any entity could take to help minimize incidental disclosures.

Tip 3: Prioritize Patient Care

While it’s necessary for CEs to employ reasonable safeguards to curtail incidental disclosures, it’s also vital that your safeguards don’t interfere with the efficient delivery of care.

The key is balancing incidental disclosures with the idea that you still have care to provide. You don’t want to let HIPAA policies and procedures get in the way of providing care; but, you have to look at how you use information and how you might disclose it in an incidental fashion — and find ways to decrease your risk factor.

Resource: Review HHS “Incidental Uses and Disclosures” guidance at  www.hhs.gov/hipaa/for-professionals/privacy/guidance/incidental-uses-and-disclosures/index.html.