Health Information Compliance Alert

Compliance:

5 Quick Tips to Quash Staffers' Common Compliance Mistakes

You can prevent your personnel's PHI transmission slip-ups - here's how

Do fax and e-mail blunders still rank as two of your staffers' most common violations? You aren't alone.

Fast-paced administrative and clinical environments are prime breeding grounds for rushed, frazzled employees to hit the wrong digit on the fax machine's keypad or send an e-mail containing health information to the wrong patient.

Bad news: Failing to address your employees' fax and e-mail mistakes can land you in regulatory hot water. Good news: Our experts have some quick tips that will help you eliminate these common compliance errors - before you wind up with a privacy or security rule violation.

Tip #1: Program frequently dialed numbers.

You'll decrease the likelihood of touching the wrong numbers if you program regularly dialed fax numbers, says Maggie Mac, a consultant with Pershing Yoakley & Associates in Clearwater, FL.

But you shouldn't stop there. Check in with your frequent fax recipients regularly to make sure their numbers haven't changed, recommends Jenny O'Brien, director of corporate compliance at Minneapolis, MN-based Allina Hospitals & Clinics.

It's not enough to let your staff members know there is an auto-dial list. Best practice: Post the list next to your fax machine so your staff can easily refer to it. Good idea: Help staff separate the numbers in your list by using an alternating shaded background or thick lines between each recipient entry.

Important: Before you send a fax to a new number, be sure to send a test page asking for telephone confirmation. And if you are sending highly sensitive information - think STD test results - "call first each time to make sure you've got the right number," Mac suggests.

Tip #2: Strip PHI from all e-mails.

Unless it's encrypted, e-mail is highly susceptible to interference, points out Margret Amatayakul of Margret AConsulting in Schaumburg, IL. As long as your employees are sending unprotected, plain text e-mails, they should not pack those messages with patients' health information.

However, there are instances in which a workforce member must plug PHI into an e-mail. For example, a doctor calls an outside specialist to consult on a patient with a knee injury. The doc sends the specialist the patient's most recent MRI results.

Don't rely on your staff members to know what information goes in the PHI category, Amatayakul cautions. Give them a list of identifiers to post by their computer monitors. That way, they can refer to the list as they send e-mails. Make sure your list includes these often-overlooked elements:
 

  •  Patients' street addresses
  •  Medical record number
  •  Health plan beneficiary number
  •  Certificate/license numbers
  •  Vehicle identifier
  •  Device identifiers
  •  Device serial number

Bonus: You can find a full list of identifiers to be on the lookout for in "Use This Tool To Strip Your E-mails Of Patients' PHI" in our January issue. For a free copy of the issue, e-mail kellyq@eliresearch.com.

Tip #3: Follow the minimum necessary rule.

Whether sending a fax or an e-mail, your employees must only send the most basic information, Mac says. And they should never fax or e-mail patients' entire medical records.

Instruct your staffers to ask patients to pick up medical records in person. That way, the patient can prove her identity and you can ensure no one intercepts the information before it gets to the patient. Good idea: Create a convenient request form for medical records that patients can either fill out online or fax in.

Tip #4: Confirm that your faxes and e-mails went to the right place.

Set up your fax machine to print a confirmation report after any fax is sent. Then you can check the number you meant to send information to against the number on that confirmation, Mac advises.

Best: If the numbers don't match up, you can immediately mitigate the violation by explaining the mistake to the recipient and asking her to shred the information she received.

E-mails aren't always that simple, experts warn. Most e-mail programs don't confirm what address the message was sent to. That makes it very important that you teach staffers to double check the address they put in the "To:" field. And, after they send the message, staffers should check their sent mail to ensure there was no mistake, Amatayakul says.

Tip #5: Save patient e-mails that contain PHI - and any response to them.

Storing and sorting e-mails can quickly drain your employees' time. Better idea: Train your personnel to print out all patient e-mails containing PHI and stick them in the patient's record, suggests partner Kerry Kearney, an attorney with Reed Smith in Philadelphia. Employees should then delete the electronic version.

Next step: Teach your staffers to print out anything they send to patients, too - if the message contains PHI. That way, you have proof that your personnel followed the rules if a problem crops up.

THE BOTTOM LINE

It's not hard to eliminate fax and e-mail blunders once you provide your workforce members with the right tools. And as staff members' confidence in their privacy and security rule know-how builds, they'll become adept at stopping PHI slip-ups before they happen.

Important: Eliminating these simple slip-ups is a crucial step in the process of building a solid foundation for the government's goal of interoperable health information networks.

Check out "Prepare Your Policies For A New Generation Of Health Information Regulations" later in this issue for more information on this process.