Take These First Steps Toward HIPAA Compliance
Several everyday office situations represent noncompliance risks.
By Gil Weber, M.B.A., Davie, Fla.

You and your practice administrator may still not know exactly what HIPAA stands for, but I'll bet that you're keenly aware that it's coming and that it's most likely not going to be an enjoyable experience.

It looks as if the Health Insurance Portability and Accountability Act will bring with it volumes of complicated, expensive, and burdensome regulations regarding the collection, transmission, retention, and protection of confidential patient information.

And everyone is a bit worried by the news currently going around concerning the possible penalties for HIPAA noncompliance.

There's no doubt that third-party payers, especially HMOs, will become increasingly concerned with how their contracted physicians deal with records security. And, as final HIPAA regulations are clarified and reclarified in the next year or two, you can be sure that you'll see new provisions or amendments in provider agreements referencing the security mandates.

As part of a complete and credible compliance program, each practice will need to institute records confidentiality policies and protocols, and be able to demonstrate that it is monitoring HIPAA compliance and taking the necessary steps to correct any deficiencies.

The first and most obvious step will be to secure a signed records release authorization from every patient to be placed in the chart and used as needed. This release would be in addition to any other release(s) that the patient may have signed when first enrolling with the insurance carrier.

But that's just the simplest, first step to records security compliance. In this article, we'll look at several less-obvious scenarios: situations in which you or your staff members might innocently or unknowingly put the practice in technical or actual violation of HIPAA regulations. Hopefully, these points will give you a better appreciation for the breadth of possible HIPAA issues and push your thought processes toward a more open, all-encompassing perspective:

Speakerphones. They're ubiquitous, and as the sound quality increases, many of us use them almost without thinking. But office protocols should mandate that physicians and staff be cautious when using a speakerphone in the office, or when calling someone else who might be using one.

If your office takes a call, perhaps from another physician's office or from a lab or imaging center, you certainly don't want a patient overhearing a speakerphone conversation that may involve discussion of her or any other patient's confidential information. The most common example of this faux pas occurs when a call comes into the reception or appointment desk and patients are seated within easy earshot. But it also happens when a call is taken in the back-office area, nearby to examination rooms filled with patients. These overheard conversations simply can't be allowed to happen.

You should create and publish an office policy mandating that no incoming call will be taken on a speakerphone if any patient information is to be discussed. (You might even consider a total ban on office use of speakerphones while patients are present.) Similarly, your policy should state that when staff places a call to any other office or facility, before any discussion begins, your staff member should ask if the other party is using a speakerphone. If yes, staff should ask the other party to disable the speaker function for the duration of the call.

Computers and computerized equipment. When you decide to upgrade computers or computerized testing equipment, you must take certain steps to ensure deletion or destruction of confidential patient information. Your old equipment, whether destined for sale, trade-in, donation, or dumping, contains data on your patients' medical conditions and, in all likelihood, their names, addresses, phone numbers, and social security numbers.

Except if subpoenaed (always check with your attorney) none of that patient information should ever leave your office without the patient's authorization. And your obligation to protect confidential data extends to any information stored in a computer or exam gear that's leaving your office.

For example, if you send equipment back to the company from which you leased it, or you donate a computer system to a local school, and someone else accesses the data, you've probably left yourself exposed to an HIPAA violation (and, likely, a violation of your state's regulations on medical records security). Therefore, your patient records security protocols should include instructions to staff for destroying electronic data.

The best way to ensure that confidential data is gone is to destroy the storage medium. For example, you can break floppy disks and CDs. You can destroy hard drives and back-up tape cartridges. But simply pressing the "delete" key is never enough. (Remember Ollie North!)

There are also various electronic means you can use to render data unreadable and unrecoverable. For example, "degaussers" erase back-up tapes. Also, software programs called "incinerators" write over existing computer data and turn the files into nothing more than meaningless binary code.

Whatever method you employ, be sure to consult first with a security expert because some of the machines and software are significantly more robust than others. It's essential that any method you use does, in fact, render the data permanently unreadable and unrecoverable.

Note also that certain equipment, especially computerized exam equipment, may not allow users access to the storage medium. In such cases you might not be able to render the data unreadable on your own, and will have to call in outside help (e.g., the manufacturer's service technician). It that's the only way to be 100% confident that all data is permanently removed and the storage medium sanitized, so be it. You must incur that cost.

Faxing. Faxing is an office task so mundane and commonplace that staff could innocently or unknowingly put the practice at significant HIPAA risk if no protocols are in place, or if those protocols aren't followed. Here are some steps to consider as part of your patient records security program:

• Obvious:
  • Mark the cover sheet "confidential."
  • Verify the fax number before sending confidential information.
  • Fax confidential patient records only when absolutely necessary, and when time is of the essence.
• Not so obvious:
  • Mark every sheet "confidential."
  • Confirm that the fax went to the right number and that every page was received. If a fax goes to the wrong number, you should make efforts to contact the incorrect recipient and have them destroy the document. Also, ask your attorney for appropriate language to put on your fax cover sheet advising those who incorrectly receive your faxes that the document is confidential and meant only for the proper recipient.
  • Fax confidential patient information only after first confirming that someone is at the other end to receive the fax.
  • Send and receive confidential information from fax machines away from any possible public viewing.

Conversations in common areas. Your office protocols should also include something about exercising care when holding any discussions in common areas. This is closely related to the speakerphone issue discussed previously, but applies more broadly to any conversation involving doctors or staff conducted in any area frequented by the public.

Hallways, elevators, lobbies, and parking lots all fall into these common-area zones of concern. Therefore, all conversations that might be overheard by those not party to the conversation and subject matter should be avoided.

If you're proactive, you'll be better off

Look around your office and you'll probably discover many other situations where you're potentially exposing confidential patient information to those who shouldn't be able to see it. For example, when you bring in temporary clerical help, are those people restricted from accessing the medical records? Temporary help should only have access to patient information on an as-needed basis.

Or what about when manufacturers' technicians come into your office to work on the computer system? Are you taking appropriate steps to prevent such persons from viewing your confidential patient information?

I think the most important lesson to be learned here is that taking action now, proactively, can go a long way toward preventing problems down the road. If you conduct some brainstorming sessions with your staff members, I'm sure you'll come up with a laundry list of obvious and not-so-obvious issues that you can address as part of your compliance program. Doing that now is time and effort well spent.

Gil Weber, Ophthalmology Management's consulting editor, is a nationally recognized author, lecturer and practice management consultant to the managed care and ophthalmic industries, and has served as Director of Managed Care for the American Academy of Ophthalmology. You can reach him at (954) 915-6771, gil@gilweber.com or www.gilweber.com.