Q: The emergency department (ED) at the hospital where I work often becomes so busy that we do not have enough rooms for all of our patients. This occurred last weekend, which meant that several patients were brought into the ED on stretchers to be evaluated but could not be placed in a room. I witnessed a nurse perform a physical/abdominal examination on a patient who was on a stretcher in the ED hallway and discuss medical history and current treatment options with the patient in this open space where plenty of patients and staff members could see/hear the encounter. Is this a HIPAA violation?
A: What you are describing is an incidental disclosure, not necessarily a HIPAA violation. Organizations must take steps to limit incidental disclosures and mitigate the risks to the patient’s privacy and the security of information. In the case you describe, for instance, could a screen have been erected to protect the patient’s privacy even if circumstances led to no choice but to perform the exam in the hallway? Could a white noise machine have been brought over to reduce the chance of being overheard? Could the gurney have been moved to a private area (or even a slightly more private one) when the exam had to take place? Could the exam have been postponed until a more private space was available, or was it necessary to do it right then? These are the questions staff should ask themselves in these situations.
Editor's note: Simons is the director of health information and privacy officer of Maine General Medical Center in Augusta. She is also an HIMB advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Send your questions related to HIPAA compliance to Editor Jaclyn Fitzgerald atjfitzgerald@hcpro.com.
"Don't click on that link" is a common warning from security officers. That hasn't stopped many staff from clicking on suspicious links that at first glance appear to be valid, and the result can be a significant loss of PHI and other sensitive data. This type of hack, phishing, represents one of the more significant risks when it comes to breaking into networks and stealing data.
Documentation can be a headache for everyone, from the physicians who have to take precious time away from patients to document in the EHR to the case managers who have to track the physicians down to fill in gaps when information is missing from the medical record.
The case manager plays a crucial role in helping to make sure medical record documentation not only supports billing and coding to ensure accurate reimbursement, but also clearly communicates the patient's condition to the entire clinical team.
It needs to be complete, accurate, succinct, and effective, says Glenn Krauss, BBA, RHIA, CCS, CCS-P, PCS, FCS, CPUR, C-CDI, CCDS, director of enterprise solutions at Zirmed. However, it's often anything but. Krauss says he often comes across documentation that case managers could help clarify, and he recently offered some real-life examples (with details changed to protect patient privacy) to illustrate key points.
Case managers can help resolve common problems found in patient charts, including insufficient clinical information and missing basic information.
Over the past couple months, HIMB has had audits on the brain. We covered the progress of the 2-midnight audits and walked you through the pass-fail meaningful use audits in detail. Now it's time to get a bird's-eye view of the 2016 audit landscape to ensure you're prepared for whatever comes your way this year.
Recovery Auditors
With 2-midnight rule audits shifting to the BFCC-QIOs, Crump predicts the Recovery Auditors will likely spend 2016 focusing on diagnosis-related group (DRG) audits and medical necessity reviews. These audits will likely focus on reviewing medical necessity for procedures, tests, and treatments in relation to what the Payment Integrity Manual states should be captured in the health information. Records that do not capture information related to local and national coverage determinations will likely be the low-hanging fruit if the Recovery Auditors are approved to focus on these reviews, says Dawn Crump, MA, SSBB, CHC, vice president of audit management solutions for CIOX Health in Alpharetta, Georgia.
To prepare for the Recovery Auditors, HIM professionals should focus on analyzing the risk at their facility. In addition, they should ensure there is a continuous feedback loop not only within the department but outside of it as well. Coding, compliance, and medical staff should be in the loop too, Crump says. Solid communication and education can go a long way in ensuring everyone is well prepared for an audit.
Establishing good quality checks, especially with EMRs, can also help a hospital bolster its audit preparation. HIM should be involved in checking that the information in the record tells the patient's complete story, Crump says.
"Records are evolving and EMRs are evolving, so I think status quo needs to be checked on a regular basis," she says.
For example, EMRs don't always capture all of the needed information. As local and national coverage determinations change for high-risk procedures and admissions, HIM and coding should be involved in the process of ensuring the EMR captures the latest changes and meets the new requirements; this way, the hospital will be ready to present information in the event of an audit, Crump says.
Tips for small covered entities charged with HIPAA compliance
"OCR has bigger fish to fry than me."
You may have heard that before—or even said it. Maybe you're an employee in a tiny healthcare facility. Or maybe you've seen the big headlines on data breaches, noted how they seem to always involve large insurance companies and massive healthcare facilities, and thought, "That won't happen to us."
Know thy BA
BAs are a part of HIPAA life—no matter how big or small your entity is. So how far should CEs go to ensure their BAs are HIPAA compliant?
Roger Shindell, CHPS, the CEO of Carosh Compliance Solutions in Crown Point, Indiana, notes that things changed in the HIPAA Omnibus Rule, HHS' biggest set of modifications to the HIPAA Privacy and Security rules per the HITECH Act. Prior to 2013, if a CE had a valid BA agreement in place, and the BA had a breach, the CE had a safe harbor exemption for the breach, he notes.
Entities are required to conduct an "accurate and thorough assessment" of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI.
BA agreements stipulate that the BA will comply with all the requirements under HIPAA/HITECH, per the HIPAA Omnibus Rule. So BAs need to be ready, just like you.
Should CEs offer training to the BAs? No, says Shindell.
"The BA has their own obligation to conduct training," he adds, "and if training is on specific policies and procedures, the CE would not know what these are and what is appropriate."
OCR's long-awaited Phase 2 HIPAA Audit Program is finally in full swing. On March 21, OCR announced that it will begin verifying the contact information of covered entities (CE) and business associates (BA) selected for audits (www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/phase2a...). This shouldn't surprise savvy healthcare organizations. The audits kicked off after a flurry of activity from OCR and HHS, including pricey HIPAA settlement fines and the publication of user-friendly HIPAA guidance for providers, developers, and patients.
