You can significantly reduce your practices HIPAA risks if you follow our four-step plan. Its simply a matter of spotting and repairing places in your practice where patients health information might leak. Think of your practice as a big pipe. At one end, patients come in, take a clipboard, and give you health information. The health information then flows through the pipe to the doctor, who combines the patients personal history with lab tests and physical exams to create more health information. At the other end of the pipe, your billing office passes that health information on to insurance companies and other physicians. HIPAA is designed to keep the flow of health information from spilling out of your practice and into unauthorized hands, explains Dr. Lewis Lorton, chairman of HIPAAdocs Corp. in Columbia, Md. In other words, its about making sure medical practices dont leak. Chances are your practice isnt watertight. "Most small practices leak information like a sieve," Lorton laments. They tend to be "very casual about where they leave information and how they broadcast it." Staff members often leave peoples names on records, on notes, on lists lying around their offices in plain view. The solution, Lorton says, isnt the imposition of "draconian measures" that bludgeon staff members with the dangers of non-compliance and make it difficult for them to do their jobs. Instead, the solution is a simple emphasis on the confidentiality of their patients files. Medical practices, he counsels, "have to learn not to leave information around, not to share it casually in the halls or waiting rooms. They just need to treat patient records with the same care that banks treat financial records." 1. Locate where your practices health information is. Look for any information with identifiers that tie it to a particular patient," advises attorney Bill Roach, of Gardner Carton & Douglas in Chicago, Ill. For the most part, he adds, the information is in the traditional medical record, though it can also include other personalized interactions, such as the sign-in record. 2. Do a health information map. Once you understand what youre looking for, Lorton instructs, you need to look at how you handle it. He suggests medical practices ask themselves the following basic questions: This kind of "information-mapping" shows you where your work processes allow information to escape, says Donna Bailey, Ph.D., RN, director of the Teaching Assistant Development Program in the Center for Teaching and Learning at the University of North Carolina at Chapel Hill. 3. Perform a gap analysis. Its important to remember that in any process the information begins to flow the moment the patient enters the office. So to assess any potential vulnerabilities you need to begin in the waiting room, Bailey says. "When you recognize that, for example, people are signing in when they first arrive, you need to ask whether thats a vulnerability" in other words, a hole in your pipe that shouldnt be there or an "incidental disclosure" Thats HIPAAs term for something unavoidable and therefore permissible under the circumstances. If its a vulnerability, she says, "you need to think about the kinds of processes and technologies you have in place" that can plug the hole. If you dont have anything, she continues, you need to brainstorm. As you brainstorm, reminds Lorton, never forget that your purpose is to minimize the amount of personal information that unauthorized people might see or hear. In some ways, this kind of "gap assessment" is trickier in a small private practice than in a large institutional one, says Mikel Lynch, Chief Compliance Officer for University of Missouri Health Care in Columbia, Mo. In a hospital or big practice, staff members are asked to focus on a core task and isolating information flow and individual responsibilities is much easier. In a small practice, however, the M.O. is usually "all hands on deck" and everyone wears multiple hats. One tool that can ease the process is EarlyView, an Access-based application created by the nonprofit North Carolina Healthcare Information and Communications Alliance, Inc. (NCHICA). EarlyView is designed to help medical practices assess their compliance status and formulate compliance strategy and runs about $150. 4. Educate your practices physicians and staff. When theyre complete, a practices information map and gap assessment become a database, a way for staff members to learn how information flows through their pipe. In some ways, Bailey says, having the map is as much a question of good basic organizational management as protection of personal health information. Knowing how information flows within an office makes quality improvement possible.
HIPAA experts recommend this four-step process for sealing potential health information leaks in your practice.
Where do we get our information?
Who do we get it from?
How do we manage it?
When it comes in, do we handle it the same way each time?
When we send it out, do we handle it the same way each time?
Do we know were sending it to the right person?
What if we send it to the wrong person?
A practice cant begin to figure out where it leaks until it figures out how and where its health information flows.
"What the leadership in a medical practice needs to do is pick their top five processes, the things they do routinely," advises Bailey, who is also an adjunct professor in UNC-CHs School of Nursing. For example, a practices most common process might be the way it handles children with head colds. "Take that process and map it out and see where the vulnerabilities are in terms of the privacy and confidentiality of patient information," she says.
"When people tell me I dont have time, I tell them they dont have time not to," Bailey insists. "They need to understand their work processes anyway."
Despite peoples worst fears, sometimes this kind of assessment reveals not only failures but successes, observes attorney Michelle Kennett, of the Michelle Kennett Law Offices in Columbia, Mo.
"A critical thing medical offices might not realize is that theyre already doing a lot of the things they ought to," she notes, adding that medical offices need to "identify those things theyre doing right, tweak them, and document them." "This is manageable," she says. "Even with only five people in your office, you dont need to tear down the building or do anything weird. You can work with what youve got."