by Kelly Ogle, BSDH, MIOP, CHOP, CMPM
February 19th, 2016
As you probably know, HIPAA stands for the Health Insurance Portability and Accountability Act. This means that as healthcare professionals, we must hold ourselves accountable when handling patient information. This goes beyond having conversations with unauthorized people about what we see or hear in the office. Unlike OSHA, under HIPAA patients, employees, visitors, employers, etc. can be fined if they break the law. A serious breach could cost someone up to $1.5 million for one violation. Because of this, steps must be taken to ensure that patient information stays safe while it is in our possession. Patient information can reach us in various forms, including electronic, written and even verbal. Are you and your office taking the necessary precautions for your protected health information (PHI)?
To Ensure Your Compliance:
Be sure that your office HIPAA policy and procedure manual is up to date and that all forms are in compliance.
Compile an inventory of data hardware and software that is accessible in your office. A list of all equipment that has the ability to store information should be kept and updated as needed. Also, keep software stored safely away from anyone who could possibly tamper with it. This way, in the event anything was stolen or destroyed, you will have a record of it.
Perform and document updates on hardware and software. Each time updates are completed on a computer, there should be a written acknowledgement. Servers that are on your property should be locked up at all times to minimize access by unauthorized persons.
If you use an electronic medical record program, collect access logs, including unsuccessful login attempts. Be sure that your program has a way to identify who has been accessing electronic charts and whether the access was for work purposes only. Some attempts may be made by an outside source to gain access to the office's records, which is why unsuccessful logins should be recorded.
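As an added illustration of what reviewing those access logs can look like (example code written for this article, not part of any EMR product), the script below reads a few constructed log lines in an assumed pipe-separated format, counts failed logins per username, and lists chart views outside assumed office hours:

```python
"""Review EMR access logs for repeated failed logins and after-hours chart access."""
from collections import Counter
from datetime import datetime

# Constructed sample log lines; the format (timestamp|user|event|outcome|chart) is assumed
SAMPLE_LOG = """\
2016-02-18T08:02:11|jdoe|login|success|-
2016-02-18T08:05:40|jdoe|chart_view|success|MRN-1001
2016-02-18T22:14:03|unknown|login|failure|-
2016-02-18T22:14:09|unknown|login|failure|-
2016-02-18T22:14:15|unknown|login|failure|-
2016-02-18T22:14:21|unknown|login|failure|-
2016-02-18T23:30:00|msmith|login|success|-
2016-02-18T23:31:12|msmith|chart_view|success|MRN-2002
2016-02-19T09:15:00|msmith|chart_view|success|MRN-2003
"""

FAILED_LOGIN_THRESHOLD = 3      # flag a username at or above this many failures
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59, assumed office hours

def parse_log(text):
    """Turn raw log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, outcome, chart = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "outcome": outcome, "chart": chart})
    return events

def failed_logins_by_user(events):
    """Count failed login attempts per username."""
    return Counter(e["user"] for e in events
                   if e["event"] == "login" and e["outcome"] == "failure")

def suspicious_failed_logins(events, threshold=FAILED_LOGIN_THRESHOLD):
    """Usernames whose failed login count reaches the threshold."""
    return {u: n for u, n in failed_logins_by_user(events).items() if n >= threshold}

def after_hours_chart_access(events, hours=BUSINESS_HOURS):
    """Chart views outside business hours, as (user, chart, timestamp) tuples."""
    return [(e["user"], e["chart"], e["ts"].isoformat())
            for e in events
            if e["event"] == "chart_view" and e["ts"].hour not in hours]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Repeated failed logins:", suspicious_failed_logins(evs))
    print("After-hours chart access:", after_hours_chart_access(evs))
```

An after-hours chart view is not proof of misuse; it is the prompt to ask whether that access was for work purposes, which is the question the paragraph above says your program must let you answer.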
If office employees have internet access, restrictions should be put in place to limit access to websites used for work purposes only.
Prepare a contingency plan. Test it and revise it as needed. Your plan should be kept on hand in the event of an audit.
Have a safe place to store data so that it is retrievable in the event of a disaster. Some servers are maintained offsite by a hosting company.
Keep PHI discussions among employees to a minimum. Employees should be aware of their surroundings and keep their voices low and conversations to the point. Music or television can be used to help prevent eavesdropping.
Whether your office is old or new, adjustments can be made to ensure that the office is HIPAA friendly:
1. Always escort patients and visitors from the waiting room and through the clinical area.
2. Keep doors closed at all times between the lobby and the clinical area, as well as when patients are in exam rooms.
3. If nurse's stations are close to patient areas, make phone calls about appointments and test results elsewhere if you are able to be overheard.
4. Music or television in quiet areas can prevent eavesdropping where PHI might be overheard.
5. Install privacy screens on computers that are visible to patients. Be sure to log out of or lock your computer when leaving the room.
6. Closed windows are best at check-in and check-out areas to ensure privacy. If either area is crowded with patients, ask waiting patients to have a seat and let them know they will be seen shortly.
Erring on the side of caution is always best when it comes to patient information. A medical office can be a very busy place, but we cannot allow ourselves to be careless. If someone were to complain, it will likely not be the patient you are speaking with, but the person who accidentally overheard the conversation or received your email or fax by mistake.