Ophthalmology and Optometry Coding Alert

Patient Privacy:

Bring Old School HIPAA Rules Into the New Year With These Tips

Most likely, some staffers have completely forgotten the tenets of HIPAA.

The ways to accidentally expose patients' protected health information (PHI) keep multiplying. From privacy lapses at the reception desk to email phishing ploys to lost unencrypted mobile devices, the opportunities for you and your employees to bring censure and penalties down on your practice grow as healthcare changes and evolves. Yet many staff members learned about HIPAA once, several years ago, and never revisited the topic.

That's why keeping your staff up-to-date on HIPAA is essential. Every existing and new employee must be fully educated on the HIPAA laws and rules and how to comply with them to protect both patients and your livelihood.

Consider this: Most violations are caused by staff who accidentally expose PHI or ePHI because they were never adequately educated on HIPAA. To help your office stay in the clear, consider the following eight tips. While training methods and materials will vary from one practice to another, these eight points can guide you through the compliance basics.

1. Explain HIPAA and what it entails. Your staff members should be able to articulate in simple terms what HIPAA is and what it aims to protect. You have to protect your patients' health information, and clinical and administrative staff should walk away from training understanding that every patient has the right to have their PHI kept secure.

2. Identify your practice HIPAA officer. It's vital that you and all staff members know who your practice's HIPAA compliance officer is. Otherwise, you won't know where to turn with potential privacy and security breaches that staff may cause, encounter, and report during the day.

3. Set specific PHI-access limits. At the end of your training, your staffers should know their level of PHI access. This knowledge will enable your employees to conduct "self-audits" regarding their use of - or exposure to - PHI.

4. Know where to get a copy of your privacy notice. You and your coworkers should know where to locate or obtain a copy of your notice of privacy practices. Anyone in the office should be able to point to the handout.

5. Discuss what to do when you see a privacy violation. Complacency is a threat to any HIPAA-compliant entity. Therefore, you and your entire staff must know your office protocols for reporting potential privacy and security violations or the accidental or inappropriate disclosure of PHI and ePHI.

6. Put the patient first. HIPAA wasn't ever meant to direct you on how to care for your patients. It was created to direct covered entities on how to keep patients' information secure. Protect patient information when you can, but remember that these rules were never intended to hinder patient treatment.

7. Don't stop at the top. If you're planning to educate only your managers in hopes that the crucial information will trickle down to your frontline staff, you need to reassess your strategy. The Privacy Rule requires training for every member of your workforce, not just management.

8. Consider creating a script. There's nothing wrong with preparing responses in anticipation of certain patient questions about HIPAA. For example, when patients come into your office, your employees can use a script to present them with your notice of privacy practices and to answer common questions they may have about the form. Tailor your scripts to your office's most frequently asked questions and your staff members' comfort levels.

For instance, if a patient asks what their privacy rights are, you can hand them the form and say, "Your rights are set forth clearly in the notice of privacy practices. After you review the notice, I would be happy to have our HIPAA-compliance officer discuss them further with you."

Expert advice: "Your staff are your greatest asset, but can also be your biggest weakness," maintains Brand Barney, HCISPP, CISSP, QSA, security analyst with Security Metrics in Orem, Utah. "[HIPAA] security awareness training doesn't have to be a once-a-year event, or happen only when there's a new hire. Make sure your staff understand that they must reasonably and appropriately restrict access to only those persons/entities with a need for access to PHI and systems."
