Health Information Compliance Alert

PRIVACY:

When Charts Go Home, HIPAA Rules Must Follow

2 strategies help prevent leaks when physicians take charts out of the office.

Picture this: A medical office receives an irate call from a patient's mother who is threatening to go to the feds because somehow word leaked in her child's classroom about an embarrassing condition he recently visited the doctor about. Clearly, there has been a breach of privacy, but how did it happen?

Now rewind to last night, as one of the physicians in the practice walked out the door bearing his customary pile of charts to be completed at home.

The doctor is working on the charts at the kitchen table, decides to take a break, and leaves the room. His children wander in, recognize one of the names in the pile of charts as their classmate and have a closer look. The rest, as they say, is history.

This is just one of many disastrous situations health care organizations could face if they allow physicians to remove charts from the workplace willy-nilly, warns attorney Rebecca Williams with Davis Wright Tremain in Seattle.

Physician practices and other health care organizations should take a long, hard look at their policies on physicians taking charts home, Williams warns. Unless handled very carefully, covered entities could become prime targets for whistleblowers out to nail someone for a privacy violation.

While HIPAA certainly does not prohibit physicians from taking patient charts home, it's an issue to consider, says attorney Abby Pendleton with Wachler & Associates in Royal Oak, MI. And it's a decision each covered entity will have to make for itself, Williams adds.

Strategy: If you decide to allow physicians to take charts out of the office, it's a good idea to implement a log-out system, Pendleton suggests. That way, you'll know where each patient's information is, and "there's some accountability," she says.

You also should have a policy that says physicians must safeguard any patient information when they remove it from the office, Pendleton instructs. As with the rest of HIPAA's privacy requirements, physicians must simply take reasonable steps to ensure that the information is kept confidential.

For example: The policy could require that when physicians take charts home, they keep the charts in a closed-off room where friends and neighbors won't see them, Pendleton suggests.

A most sure-fire way to ensure that you're treating patients' charts with a reasonable degree of security is to imagine it's your own chart being removed from the office. "If you ever have a sinking feeling about how the chart is being handled, you have your answer," Williams says.

Other Articles in this issue of

Health Information Compliance Alert

View All