Oncology & Hematology Coding Alert

Compliance:

5 Steps to Prevent Incidental Protected Health Information Disclosures

Patients’ data is often impermissibly disclosed due to a lack of staff training.

Start the year right. Complying with the Health Insurance Portability and Accountability Act (HIPAA) may seem challenging at times because your practice must learn how to wade through many different components. One particularly challenging area relates to incidental disclosures, especially the “reasonable use” of your patients’ protected health information (PHI).

Make sure your oncology practice, as a covered entity (CE), knows which steps to take when handling PHI to prevent incidental disclosures.

First, Define PHI Incidental Disclosure for Clarity

An incidental disclosure is a disclosure of PHI to somebody who is not supposed to have it, occurring as a by-product of an otherwise permitted use or disclosure in your day-to-day operations.

One of the most common examples of an incidental disclosure would be one patient overhearing a PHI-laden conversation in an adjoining room between a physician and another patient.

Caution: Although such incidental disclosures are permitted under HIPAA’s Privacy Rule, you must meet two important conditions, according to the “Incidental Uses and Disclosures” part of the rule listed on the Department of Health and Human Services (HHS) website. These conditions are as follows:

  • First, you must comply with the minimum necessary requirement, which requires entities to have already made reasonable efforts to limit staffers to the minimum amount of PHI needed to perform their jobs.
  • Second, you must have policies and procedures to minimize incidental disclosures, implementing reasonable safeguards to protect patients’ confidential health data from incidental leaks.

Important: You must meet both of the above requirements to get a pass under the rule on incidental disclosures. Otherwise, it will result in a violation.

To help your organization minimize incidental uses or disclosures — and potential privacy violations — review these five steps.

Step 1: Establish Meaning of ‘Reasonable’ Within Your Practice

A CE must have reasonable administrative, technical, and physical safeguards in place that will limit incidental uses and disclosures, according to the HHS Office for Civil Rights (OCR) guidance.

So, when it comes to preventing incidental leaks, the question many CEs should ask is “What constitutes a reasonable safeguard?” That question covers reasonable use of PHI in the office as well as in coordination with business associates (BAs).

OCR’s privacy guidance also specifically states entities need not implement safeguards creating undue financial or administrative burdens. For example, you don’t need to rebuild your office to create private, soundproof rooms.

Note: What’s deemed reasonable will largely depend upon the individual entity, type of disclosure, and context of the disclosure.

“For example, a biller needs to know what are permissible ways of communicating with insurance companies and what are not. An IT person needs to know how to properly transfer PHI from one system to another,” says Adam Kehler, CISSP, principal consultant and healthcare practice lead with Online Business Systems. “These are topics that may not be in the general training but are critical for how workforce members handle PHI in their day-to-day activities.”

What you can do: Discuss which safeguards your practice considers reasonable, and then document those decisions. This way, you can point to a documented rationale should any of your safeguards or policies be questioned.

Step 2: Enhance Staff’s HIPAA Knowledge

Use training time to orient your workforce to the organization’s policies concerning PHI incidental uses and disclosures. Trainers could pose various examples and have staff discuss and decide whether the use or disclosure would be permitted under the rule.

Patients’ data is often impermissibly used and disclosed due to a lack of staff training and human error. “Consider your workforce’s privacy knowledge” and train your employees accordingly, suggest healthcare counsel Elizabeth Hodge and partner attorney Carolyn Metnick of the national law firm Akerman LLP.

Step 3: Continually Educate Employees About Privacy

Just because you’ve already given your workforce members their one-time required HIPAA privacy training doesn’t mean you’ve completely catalogued and contained all incidental uses and disclosures that may be facing your facility.

You should be able to show not only that appropriate training has been given to sensitize your staff to the possible issues, but also that you hold training annually and as needed to provide updates on emerging HIPAA requirements and concerns. These refreshers remind staff of the potential dangers of incidental PHI disclosures and how best to avoid them.

Your primary aim should always be to protect patients while creating an environment that reinforces appropriate handling of PHI. For example, employees should know better than to talk about PHI in an elevator, on the street, or in any other venue where the conversation may be overheard by an individual who has no need to know the information being shared.

Get creative: You can also raise privacy and security awareness within your organization by providing regular updates on privacy matters, including email blasts, posters, and/or in-service lunch training sessions, Hodge and Metnick maintain. Centralize information about policies and procedures and helpful links and consider sending emails about opportunities for additional training and learning.

You should also keep track of news reports for real examples of privacy violations or inappropriate disclosures at other facilities. Then, bring those reports to department meetings where you can determine how such occurrences might be prevented within your own organization.

Ultimately, management needs to cultivate and support a privacy culture, and the privacy message should filter down into the workforce ranks.

Step 4: Ensure Breach Reporting is Accessible

Any CE eager to keep tabs on its incidental uses and disclosures of PHI should implement — or already have in place — a mechanism for staff to identify and report any such incidents.

Most unintended disclosures of PHI result from a lack of training or supervision rather than from intentional disclosure. That’s why it is essential that staff feel comfortable reporting any mistakes or privacy breaches they may make, perceive, or witness.

One way to both educate and involve your workforce when it comes to reporting incidental disclosures is to use staff discovery tools. These tools instruct employees to be on the lookout for issues and to record any incidental disclosures they spot. You should also continually monitor the feasibility and effectiveness of these policies and procedures.

Step 5: Self-Critique to Improve

Incidental disclosures may be permitted under HIPAA, but does your organization consider improved methods to minimize how often they occur?

For instance, anyone who visits a busy hospital unit is sure to see whole banks of electronic monitors labeled with patients’ names. Anyone walking through the area might see heart rates, EKGs, and other cardiac and respiratory monitoring output for virtually every patient.

While the regulations might allow for the incidental disclosure of PHI on these machines, simply repositioning patient monitors out of public view could avoid a majority of such disclosures altogether with minimal cost and effort.

Consider this: Does your organization leave patient charts in open areas, such as at a nursing station or outside the door of a doctor’s office? If so, you could flip the chart upside down and have it face the wall. Simply taking the charts off the top of the counter and putting them in a desk drawer would also help minimize incidental disclosures.