Do observation patients belong in their own unit? The answer is debated at many organizations. Some say establishing a separate unit brings numerous advantages, from improved ED throughput to shorter lengths of stay. Others say some facilities may not need one.
While organizations should focus on performing regular risk assessments and analyses, there are also other ways in which they must review their systems for compliance. Often, these other evaluations are overlooked despite their value, says Kevin Beaver, CISSP, an information security consultant in Atlanta. In particular, organizations should be careful not to forget about performing vulnerability assessments and penetration tests, which are components of an overall risk assessment or analysis, says Beaver, who is a BOH editorial advisory board member.
Preventing readmissions is a hot topic these days. CMS has imposed new financial penalties for organizations that don't successfully prevent 30-day readmissions for patients with certain medical conditions, and organizations are always looking for new strategies to ensure patients are successfully able to move to the next level of care.
Q: My facility no longer registers patients under aliases, but will allow them to opt out of the patient directory. However, opting out of the registry will not exclude our patients from the operating room (OR) list. At one time, the facility's CEO received the daily OR list with full patient names so he could visit board members, donors, or others whom he knows at our facility. HIM changed this practice so that patients' names would not be on the OR schedule provided to the CEO. The CEO took this matter to the hospital attorney, who said the names could be included because the use of PHI by the CEO to determine whether and when a patient visit is appropriate is permitted by HIPAA as it is part of healthcare operations. Is it a violation of HIPAA for the CEO to use PHI to track patients in this manner?
Q: If someone calls a facility to schedule an appointment for a patient, is it a violation of HIPAA to admit the patient receives care at the practice? For example, the practice where I work often helps victims of domestic abuse. We received a call from a patient's estranged spouse who asked to schedule an appointment for the patient when, in reality, he was trying to determine the whereabouts of his spouse so he could harm her. I realize this is a safety issue but wonder whether it is also a HIPAA issue.
