Vol. 18 • Issue 7 • Page 18
Test Your HIPAA Knowledge
Do you have a policy to respond to these scenarios? Maybe it’s time you should.
The following HIPAA scenarios are based on real events, with some details changed to protect patients’ and facilities’ identities. ADVANCE spoke to three women representing four different health care sectors—acute care, ambulatory care, research and behavioral health—to learn the unique response each would take.
We’d like to thank our panelists: Nancy Davis, MS, RHIA, director of privacy/security officer at Ministry Health Care in Milwaukee, WI, who answered from an acute-care perspective; Elisa R. Gorton, RHIA, MAHSM, manager of health information services/privacy officer at Hall-Brooke Behavioral Health Services, Westport, CT, who answered with the stringent regulations of mental health and substance abuse in mind; and Aviva Halpert, MA, RHIA, CHP/S, chief HIPAA officer at Mount Sinai Medical Center, in New York City, who represented ambulatory care and research.
While reading these HIPAA scenarios, be sure to ask yourself: “Do we have a policy to deal with this situation?” If not, it might be time to revamp your policies before one of these stories becomes your real HIPAA nightmare.
Treating an Impaired Provider
A medical record of a patient seeking treatment for a drug problem at your facility passes by your desk. Your problem is you know this person—she’s a nurse at another facility. You’re now left with a huge weight on your shoulders. You fear for the safety of other patients in the hands of a nurse with a drug addiction, and consider reporting this to her employer or the state licensing board. However, you also feel an obligation to protect her privacy because she’s your patient. What do you do?
DAVIS: This comes down to your obligation to protect patient safety vs. your obligation to protect the privacy of the patient. Patient privacy is more important here and you should not report this for two reasons. 1) The patient sought treatment in a confidential care setting and therefore the communication was confidential. 2) You do not have any evidence that the patient’s addiction will impact her ability to carry out her job. Had it been an impaired provider in your own hospital, rather than from another system, you’d have much more obligation to report.
HALPERT: You’re in a very difficult position. You know that letting this person out there might be risky, but you can’t call her hospital and say, “Hey, this person has a drug problem, you shouldn’t let her care for people in general.” This person has come to you for help and expects confidentiality. If you know a specific individual is at risk because of this person, however, you’d have to report it.
ADVANCE: In what situation would that happen?
HALPERT: Let’s say you saw a provider on his way to the operating room and you know he’s under the influence. That would be a situation where you know a specific individual is in immediate danger. This is when you’d have an obligation to report.
ADVANCE: So if the impaired provider is working at the time he or she is impaired, you have an obligation to report, but if the impaired provider is your patient you have to keep that confidential?
DAVIS: Exactly. If you see someone who you think is an impaired provider and you pull him aside from surgery, and human resources (HR) gets involved, that’s a whole different ballgame, because it’s identified through operational information, not personal health information (PHI) protected under HIPAA. In either case, I would go to the state licensing board Web site and look at the obligations to report. I’d also contact legal counsel. It’s a really tricky area. When you start playing around with someone’s reputation and licensing, you have to be careful.
Too Close for Comfort
A young man comes to your hospital for a check-up with his doctor. While there, he asks for an HIV and hepatitis blood test. He’s sent to a medical technician who, it turns out, is his girlfriend. His girlfriend now has access to all of his PHI, and he is mortified that she knows he is getting tested. How can you make sure a patient is never in this situation to begin with?
HALPERT: The young man’s privacy is really breached in this situation. Some might say that the patient should just refuse care, but in doing so, there are all kinds of subtle pressures. What does he say, “No, I don’t want you to do the test because I don’t want you to know what I’m doing”? The policy should be that you should never treat anyone with whom you have any first-degree personal relationship. Not treating a first-degree relative is a professional practice standard for physicians or nurses, but most places don’t think to apply such standards to individuals in the ancillary departments who have access to all of the information as well.
ADVANCE: In other words, don’t leave it up to the patient to refuse care but to the provider to deny care?
HALPERT: Yes, the provider has to know to stop the care. Let’s say a 20-year-old goes to the doctor and his mother is there and the doctor asks, “Have you ever taken any drugs?” What does he say, “Mom, step out of the room so I can answer this question”? No. You have to take that pressure away at the beginning by saying, “I’m sorry, our policy is we see the patient alone when we take a history and physical.” The same goes with the HIV test. The medical technician should say, “I’m sorry, I can’t treat you,” and take that pressure off of the patient.
But, It’s Already Out There
Your local newspaper just ran an interview with a man who claimed to have been mistreated while in your hospital. In the article, he talked about what illnesses he had and what medications he was given, adding they had a bad reaction to one another. The next day, a physician from your hospital appears on the news to defend himself. He starts going into depth about the sickness the man had and why he received the treatment he did. You cringe. You know this is a violation of HIPAA, but why?
HALPERT: People often think that once something is out in the public domain, it’s OK to talk about it, but that’s not the case. This physician can’t say, “Well it’s public already,” because as a physician the information he has, has been given to him in confidence. He would have to just stand there—there’s no response. The only response he would be able to give would be to information he’s learned entirely from the press.
ADVANCE: What do you mean by that?
HALPERT: Let’s say a movie star says, “I was just discharged from X institution and I was there having a baby.” The newspaper asks you about it. In this case the only thing you’d be allowed to say is, “I can’t release any information, but I did read in the newspaper she said she was here having a baby.” In this case, you are only reiterating information already in the press, and nothing that you would know through PHI.
A Bit Too Clear
Your marketing department took a photo of a patient going through its new MRI scanner for its company brochure that goes out to your hospital’s CEO, administration and staff. The department took all of the right steps to ensure patient privacy—they received permission from the patient beforehand, and made sure only the patient’s legs and feet could be seen. However, when the brochure came out, the resolution was much higher than the proofs had been, and the patient’s name and phone number were visible on a nearby screen. How can you make sure this doesn’t happen to you?
DAVIS: In the future, I’d say to get out the magnifying glass and check the proofs. You should also educate all public relations, marketing staff and photographers of HIPAA policy regarding publication. It’s easy to forget: you concentrate on making sure the person isn’t identifiable, and you forget about the boards or objects in the background.
ADVANCE: Would you suggest notifying the patient?
DAVIS: There’s always that chance that someone will tell the patient, so in the best-case scenario, I’d say notify the patient.
Not For Your Eyes Only
A patient comes to your behavioral health clinic for an addiction to painkillers. He tells you his treatment should fall under workers’ compensation insurance because he became dependent on painkillers after hurting his back on the job. You know that if he goes through workers’ comp there is a slight risk the information could get out to his employer. You also know that by telling him this, he might refuse to seek treatment. What should you do?
GORTON: This is kind of a sticky wicket in behavioral health. Patients sometimes don’t understand the details of workers’ compensation—that it filters through a workers’ compensation board and could show up in some way with an employer. Even though we trust that it won’t, we feel the need to inform them that workers’ comp is entitled to all of the information, should they request it, because they’re paying the bill. Sometimes the patient would rather pay out of pocket than put a behavioral health admission through a workers’ compensation board.
ADVANCE: In what other situations would you have to warn someone their information might not stay as private as they thought?
GORTON: All of our patients receive a notice of privacy practices at the time of each admission. Our patients inform us who they would like contacted regarding emergencies and restraints. Or they may decline to have anyone contacted, and that information is recorded so that no information is released. Sometimes people aren’t thinking of that when they present for an admission. In a behavioral health environment, you’re always watching out. Our patients really expect all of their information to remain confidential at all times, and their privacy to be maintained to the highest level possible.
Disappearing Flash Drives
An IT person downloads your hospital’s master patient index (MPI) onto his flash drive to use as dummy data for a database he’s creating. Somewhere on the way from the office to his house, he loses it. Sensitive patient information is now out there. How do you respond, and what is your hospital’s policy on using flash drives?
DAVIS: Flash drives are a huge problem because they’re so casual—they’re easy to use and portable. Organizations should restrict their use as much as possible and absolutely forbid their use to store patient information.
HALPERT: Exactly. Even if you get the flash drive back and use IT forensics to determine if the information had been accessed, it’s still a good idea to notify all of your patients. Send out letters and offer them all free credit checks for a year. Don’t succumb to not having to tell them by law—victims will be grateful to be informed, and you’ll have much better rapport with them.
GORTON: I agree that flash drives are very scary. We don’t use them here. We also have strict policies on e-mailing from employee to employee. Everything should be encrypted or password protected. We also don’t use the patient’s full name, but instead use initials, the medical record number or their account number.
ADVANCE: What are your policies on sending e-mails to providers outside of your clinic? I’d imagine a mistake such as hitting “Reply All” and sending patient information to 50 of the wrong people would be a nightmarish lawsuit in behavioral health?
GORTON: Yes, we don’t e-mail patient information outside of our Intranet e-mail at all. We only send things through the mail, and we don’t send anything with our organization’s return address. We use a P.O. box.
ADVANCE: What about in an emergency situation? Mail would be much too slow in that case.
GORTON: If someone needs information from us right away, as in an emergency, we never confirm or deny anyone as a patient here. We take the caller’s name and number, then we pull the record and call back to verify the caller is who they say they are, and give them the information they need to treat the patient. We do this over the phone only; never in e-mail.
Ainsley Maloney is an assistant editor with ADVANCE.