Each month you submit your questions to Eli, and each month we do our best to answer them. Take a look below at a few of the HIPAA questions your peers still ponder over, and read the answers provided by HIPAA experts and health care attorneys Brian Gradle with DC-based Hogan & Hartson and Robert Markette with Gilliland & Caudill in Indianapolis. For example, "if someone is brought in who's an IT consultant, if they have access to PHI, they should receive appropriate training for whatever information they're going to be receiving, and consequently, if they're made a permanent employee, it really shouldn't necessitate [more training]." Follow-up Question: But what if an employee moved from, say, a front line role to a more administrative role? Is re-training required in that situation? Answer: Remember: "[Training] depends on whatever role that person serves in the facility," says Gradle, and the employee should have training that's consistent with whatever role he or she performs. That means you'll have to re-train an employee if he takes on a more complicated role, for instance. Now, keep in mind that it's not always the privacy officer's role to ensure that HIPAA training is performed, and the privacy rule doesn't require only privacy officers to ensure workforce training. - Maine subscriber Answer: Not without their patients' permission, experts warn. Physicians can only share de-identified information, as the privacy rule protects all personally identifiable health information, according to Markette. HIPAA makes exceptions for disclosing PHI to health oversight agencies and law enforcement, but releasing it to legislative staffers "falls outside the scope of any permissible disclosure and so [requires] the authorization of the patient," Gradle says.
MOVIN' ON UP
Question: When an employee changes positions within your facility - say, from temp to permanent - what responsibility do you have as far as HIPAA training requirements are concerned? Is re-training necessary?
- Arkansas subscriber
Answer: If an employee went from a temporary position within your facility to a permanent full-time status but they're doing the same job within the organization, that wouldn't necessitate any additional training on your part, says Gradle.
That's because the employee should've received whatever training was appropriate for that role already.
"If a department manager is responsible for training his staff and a new person comes in, the manager should ensure that that person understands what the particular idiosyncrasies of that department are." And that includes any necessary training, says Gradle.
The Bottom Line: The scope and depth of any HIPAA training should be commensurate with the position to which the staff member has moved.
JUST SAY 'NO' TO LEGISLATIVE QUERIES
Question: Legislative staffers have contacted several of our physicians recently wanting to discuss patients' health information (i.e., status, treatment and payment arrangements) for the purpose of devising healthcare reforms. Are our physicians able to discuss this information?
The Bottom Line: No one has access to patients' PHI without approval, even legislative organizations. Take out the personal identifiers before sharing any PHI unless you ask your patients first.