Anesthesia Coding Alert

Set practice thresholds and train employees to potentially prevent breaches.

Ensuring that your practice complies with the Health Information Portability and Accountability Act (HIPAA) guidelines is nothing new, but some aspects can still be tricky to navigate.

Case in point: Many practices might need to build a stronger understanding of incidental disclosures, especially concerning “reasonable use” of protected health information (PHI). Read on for real-world tips that will help your practice, as a covered entity (CE), take the right steps in handling patients’ PHI to forestall incidental uses or disclosures.

Know the Background

So, what is an incidental use or disclosure? In short, it’s a disclosure of PHI to someone who’s not supposed to have it, but it’s incidental to performing your day-to-day operations. One of the most common examples of an incidental disclosure would be one patient overhearing a PHI-laden conversation in an adjoining room between a physician and another patient.

Important: Such incidental disclosures are permitted under HIPAA’s Privacy Rule, but only if two very important conditions are met, according to the “Incidental Uses and Disclosures” part of the rule listed on the Department of Health and Human Services (HHS) website.

First, you have to comply with the minimum necessary requirement, which requires entities to have already made reasonable efforts to limit staffers to the minimum amount of PHI they need to perform their jobs.

Second, you must have policies and procedures that seek to minimize incidental disclosures, which includes implementing reasonable safeguards to protect patients’ confidential health data from incidental leaks.

You have to meet both of those requirements in order to get a pass on incidental disclosures under the rule. Otherwise, it could constitute a violation.

To help your organization minimize incidental uses or disclosures — and the potential for privacy violations — consider these quick HIPAA compliance tips.

Tip 1: Decide What Constitutes ‘Reasonable’ in Your Practice

A CE must have reasonable administrative, technical, and physical safeguards in place to limit incidental uses and disclosures, according to HHS Office for Civil Rights (OCR) guidance.

OCR’s privacy guidance also specifically states that entities need not implement safeguards that would create undue financial or administrative burdens. Therefore, you don’t need to rebuild your office to create private, soundproof rooms, for example.

Note: What’s deemed reasonable will largely depend on the individual entity, the type of disclosure, and the context in which the disclosure is made.

“For example, a biller needs to know what are permissible ways of communicating with insurance companies and what are not. An IT person needs to know how to properly transfer PHI from one system to another,” explains Adam Kehler, CISSP, principal consultant and healthcare practice lead with Online Business Systems. “These are topics that may not be in the general training, but are critical for how workforce members handle PHI in their day-to-day activities.”

You should discuss what kinds of safeguards your practice considers reasonable and then document those decisions. This way, you should be able to produce a documented rationalization if any of your safeguards or policies are ever called into question.

Tip 2: Boost Staff Knowledge

Use training time to orient your workforce with your organization’s policies concerning incidental uses and disclosures. Trainers could pose various kinds of examples and then have the staff talk it through and decide whether the use or disclosure would be deemed okay or not under the rule.

Patients’ data is often impermissibly used and disclosed due to a lack of staff training and human error. “Consider your workforce’s privacy knowledge” and train your employees accordingly, suggest healthcare counsel Elizabeth Hodge, and partner attorney Carolyn Metnick, with national law firm Akerman LLP.

Tip 3: Continue Education on Privacy

Just because you’ve already given your workforce members their one-time privacy training required by HIPAA doesn’t mean you’ve completely catalogued and contained all incidental uses and disclosures in your facility.

What you should be able to establish is that not only has appropriate training been done to sensitize your staff about possible issues — but that campaigns are done on a continual basis to update your workforce on new HIPAA requirements and concerns. These types of scenarios remind them about the potential dangers of incidental PHI disclosures and how best to avoid them.

Your primary aim should always be to protect patients while creating an environment that reinforces the appropriate handling of PHI, such that employees will always know better than to talk about PHI in an elevator, on the street, or any other inappropriate venue.

Get creative: You can also raise privacy and security awareness within your organization by providing regular updates on privacy matters, including email blasts, posters, and/or in-service lunch training sessions, Hodge and Metnick maintain. Centralize information about policies and procedures and helpful links, and consider sending emails about opportunities for additional training and learning.

You should also keep track of news reports for real examples of privacy violations or inappropriate disclosures at other facilities. Then, bring those reports to department meetings where you can determine how such occurrences might be prevented within your own organization.

Ultimately, management needs to cultivate and support a privacy culture, and the privacy message should filter down into the workforce ranks.

Next month: Three more tips to round out your knowledge of combatting incidental disclosures and keeping your patients’ PHI as safe as possible.