Hospitals were struggling this summer to comply with the Notice of Observation Treatment and Implication for Care Eligibility (NOTICE) Act, which was signed by President Barack Obama August 6, requiring hospitals to provide a verbal and written notice of outpatient status to any patient in observation who has been in the hospital for more than 24 hours.
When I look back on 30 years of involvement with HIM, it's hard to believe that I was also passionate about another profession at one time. But I actually came to my career as a coder by way of my associate's degree in veterinary science.
Q: What recommendations do you have for handling medical records for staff members who are also patients at the organization where they work? Should we provide extra protection for these patients? What can we do to ensure that staff members are not accessing their coworkers' records without permission or need?
A: I am a firm believer in not adding special protection to any record, because it implies that some records are more confidential than others. In fact, all records are confidential and staff should not access any record unless it is necessary to do so to do their jobs. And, if it is necessary, they should only access the minimum necessary to do the job. HIPAA requires access monitoring, so your organization should conduct routine audits to determine whether staff are accessing records without a work-related reason. There is now software available that can conduct routine audits by staff member and department. This software can be used to reassure staff that their information is not being accessed by coworkers and to hold accountable those who are not following the policy/law. When a staff member raises a concern, an audit should be run to determine whether inappropriate access has occurred, and if it has, sanctions should be applied. Organizations should also consider having a policy that staff should not handle coworkers' (or family members') records (except in an emergency) without the permission of their supervisor.
All of these points should be reviewed at orientation and during (at minimum) annual training to ensure all staff understand that the organization takes such transgressions seriously and will take action as needed to protect the privacy of every patient's information.
Physician advisors (PA) are an important ally for case managers at many organizations when it comes to ensuring proper patient status. But one organization has greatly expanded the role of PAs to include performance improvement and as a result has seen improvements in everything from readmissions to length of stay.
Observation hours start accruing not when the patient comes into the hospital, but when the physician writes the order for observation. Observation hours end when all medically neces¬sary services related to observation are complete.
Cyber threats continue to grow and evolve, but most share a similar origin: phishing. Phishing emails, seemingly innocuous or legitimate emails used to infiltrate an organization, are a common source of malware and are used for scams in which a criminal impersonates another individual to obtain sensitive information. A study released in March by PhishMe estimated that up to 93% of phishing emails contain ransomware.
Although the damage phishing emails can do is tremendous, security officers can help their organizations turn the tide by using a combination of technical controls and targeted education.
The danger and the success of phishing emails lies in their ability to manipulate the individual on the receiving end. Phishing emails may be sent from domains that are a near-identical match for an organization's and come with what appear to be legitimate and urgent attachments or links. It's a simple scheme that criminals can use for a variety of purposes.
"They hope to get malware installed so they can control the computers they infect or even the entire network. They hope to get network or application login credentials. They hope to trick people into performing certain actions, i.e., a wire transfer of money," Kevin Beaver, CISSP, independent information security consultant at Principle Logic, LLC, in Atlanta, says. "The possibilities are endless."
