Q: The chief executive officer of the hospital where I work is talking about having our hospital coding done in India. What are the potential ramifications of this plan for our hospital? I know a prominent hospital in Palo Alto, California, was going to do this in 2011.
Have any U.S. hospitals actually outsourced their medical record coding to foreign countries? What are the liability risks? What do we need to be aware of in terms of HIPAA compliance?
A: Yes, many organizations send coding and transcription work overseas. Despite business associate agreements (which you must get with any such vendor, offshore or not), it may be difficult to ensure that these vendors are HIPAA compliant, although one could make the same argument about U.S. vendors as well. Be sure to do your due diligence by carefully checking your vendor's references (and documenting the results) should you choose to go this route. You might also discuss this with your organization's insurance carrier and/or attorney for an assessment of the risks.
Editor's note: Chris Simons, MS, RHIA, the director of health information and privacy officer at Maine General Medical Center in Augusta, answered these questions. Simons is also an HIMB advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Send your questions related to HIPAA compliance to Editor Jaclyn Fitzgerald atjfitzgerald@hcpro.com.
Q: I work in a behavioral health hospital and am looking for guidance relating to disclosures as part of the Clozapine REMS Program. In order for a patient to fill a prescription for Clozapine at an outside pharmacy (not our on-site pharmacy), the pharmacy is required to have a copy of the patient's latest blood draw (absolute neutrophil count). Is the patient required to sign a release of information for us to be able to send the latest blood draw results, or is sharing the results with the outside pharmacy considered part of the process when the patient is registered in the Clozapine program?
In addition, if the latest lab results contain more information than what is required for the Clozapine prescription to be filled, should we edit the results to only include what is specifically needed by the pharmacy?
A: Releasing this information is considered treatment, so the patient's authorization is not needed. Editing the results report to release only the neutrophil count would be a good practice, if it is reasonable to do that. If not, it would be acceptable to release the complete results containing the neutrophil count, since the minimum necessary requirement does not apply to treatment disclosures.
Editor's note: This question was answered by Mary Brandt. Brandt is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for BOH. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Email your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com.
Faxing, like many other efforts to protect health information, comes down to basics. Call the recipient to ensure they are near the fax machine. Double- and triple-check fax numbers. Send a cover sheet that clearly addresses to whom the fax is intended. Follow up with a call.
"We try to call the recipient and tell them, 'Hey we're going to fax something to you. If you're at a public fax machine go stand by that machine,' " Wallach says.
Basic stuff, right? But for busy healthcare systems who can send a massive amount of faxes each day, the human error rate is high, says Frank Ruelas, MBA, who serves as principal at HIPAA College in Casa Grande, Arizona, and facility compliance professional at Dignity Health's St. Joseph's Hospital and Medical Center in Phoenix. Ruelas is also a BOH editorial advisory board member.
"Just because you're in a hurry doesn't make it right," says Ruelas. "Do we need something this sophisticated and scientific here? This is a process that should have a really low error rate. Or it should be much lower than it is."
Break down faxing policies into rudimentary steps where employees are comfortable and deploy them, he says.
