HIPAA COMPLIANCE ~ Use This 4-Step Plan To Plug Holes In Your Privacy Compliance Program
Published on Mon Jan 22, 2007
Find the holes where protected health information could leak. You can reduce your practice's HIPAA risks significantly if you follow our four-step plan. It's simply a matter of spotting and repairing places in your practice where patients' health information might leak.
Think of your practice as a big pipe. At one end, patients come in, take a clipboard, and give you health information. The health information then flows through the pipe to the doctor, who combines the patient's personal history with lab tests and physical exams to create more health information.
At the other end of the pipe, your billing office passes that health information on to insurance companies and other physicians.
The Health Insurance Portability and Accountability Act (HIPAA) is designed to keep the flow of health information from spilling out of your practice and into unauthorized hands, explains Dr. Lewis Lorton, chairman of HIPAAdocs Corp. in Columbia, MD. In other words, it's about making sure medical practices don't leak.
Chances are your practice isn't watertight. "Most small practices leak information like a sieve," Lorton laments. They tend to be "very casual about where they leave information and how they broadcast it." Staff members often leave people's names on records, on notes, on lists lying around their offices in plain view.
The solution: Lorton says you don't need to impose "draconian measures" that bludgeon staff members with the dangers of non-compliance and make it difficult for them to do their jobs. Instead, the solution is a simple emphasis on the confidentiality of their patients' files. Medical practices, he counsels, "have to learn not to leave information around, not to share it casually in the halls or waiting rooms. They just need to treat patient records with the same care that banks treat financial records."
HIPAA experts recommend this four-step process for sealing potential health information leaks in your practice.
1. Locate where your practice's health information is. Look for any information with identifiers that tie it to a particular patient," advises attorney Bill Roach of Gardner Carton & Douglas in Chicago. For the most part, he adds, the information is in the traditional medical record, though it can also include other personalized interactions, such as the sign-in record.
2. Create a health information map. Once you understand what you're looking for, Lorton instructs, you need to look at how you handle it. He suggests medical practices ask themselves the following basic questions:
• Where do we get our information?
• Who do we get it from?
• How do we manage it?
• When it comes in, do we handle it the same way each time?
• When we send it out, do we handle it the same way each time?
• Do we know we're sending it to the right person?
• [...]