Key: Train staff on Privacy Rule's minimum necessary requirements.
When health care providers think of the HIPAA Privacy Rule, they mostly think about what happens to patients when they're at a doctor's office or health care facility. But there's a whole slew of problems that could arise when there are no patients in sight.
And while considerable time is being spent hashing out what doctors can and can't do and say under HIPAA, health care organizations must remember that front-line employees such as receptionists are just as responsible as physicians for maintaining patient privacy.
First and foremost: Covered entities must keep in mind that the law requires that you familiarize all employees with HIPAA, notes consultant L. Michael Fleischman with Gates Moore & Co. in Atlanta. As part of their training, provide every employee with a copy of your policies and procedures, so everyone understands "every little nuance that could possibly impact them," he suggests. Also, require each employee to sign a confidentiality agreement stating that they won't violate any part of the HIPAA rules, he instructs.
Tailor tips to staff duties: And take time to highlight areas that could be particularly problematic for receptionists and other front-line employees, experts suggest.
For example, make sure your receptionists understand the minimum necessary requirements, so they don't give away too much information if a payor requests additional information about a patient in order to process a claim. That's just one of many potential landmines for front-line staff members, Fleischman says.
Another potentially dangerous area is something as simple as "two front desk people going out to lunch and talking about whom they saw in the practice and what they had," Fleischman warns. If the wrong person overhears that conversation, you could have a whistleblower case on your hands before you even know what hit you.
Big blowup: And if it comes to light that receptionists are being too loose-lipped because they were never trained on HIPAA, "that's a big problem," Fleischman warns. Then not only is your organization facing a whistleblower suit, but you're also clearly out of compliance with HIPAA's training requirements.