We continue with our series of general educational articles penned by one attorney, an MD, JD, giving you a view of the world through a malpractice plaintiff attorney’s eyes. This attorney is a seasoned veteran. The series includes a number of pearls on how to stay out of harm’s way. While I do not necessarily agree with 100% of the details of every article, I think the messages are salient, on target, and fully relevant. Please give us your feedback – and let us know if you find the series helpful. Finally, these articles are not intended as specific legal advice. For that, please consult with an attorney licensed to practice in your state.
“That’s a HIPAA Violation!”
We’ve all dealt with them – the facilities, physicians and office workers so zealous about HIPAA regulations that they bring your practice to a grinding halt.
In reality, most time-sucking things they mandate is based on their misunderstanding of the law.
Let’s look at a few tales from the trenches to see how you can make your own life easier and still stay on the right side of HIPAA.
1. My partner says that because of HIPAA we can’t have a sign-in sheet at the front desk. Even if it is not left out, the next patient can still see the names of the prior sign-ins when it is handed to them for them to sign in. This is making it harder for the admin to track patients and for us to follow how we are doing in terms of seeing patients on schedule. So now everyone is annoyed.
HIPAA requires you to take reasonable precautions to minimize the release of Protected Health Information (PHI) in the course of your office’s work. But it does not require absolute confidentiality because that would make it literally impossible to function. So it all depends on what your sign-in sheet says. A medical fact only becomes PHI when it can be identified as being associated to a given patient. As long as the sheet only lists the name and time, only the most minimal PHI is revealed – that that person is a patient of yours. It is the written equivalent of seeing the person come in the door or sitting in the waiting room but knowing nothing else about them other than that they are there to see you. That level of disclosure is seen as merely incidental to medical care and generally not considered a HIPAA violation.
Taken together with not leaving the sign-in sheet out, recording only the name and time will more than satisfy HIPAA’s requirement that you limit even incidental exposures of PHI.
But, if you have a practice in a sensitive area of medicine, such as high-risk pregnancies or oncology, in which just the fact that the patient is your patient speaks volumes about their medical issues, then you could switch to just logging patients into the computer and skip the sign-in sheet. This will still let you do the tracking you need without any disclosures at all other than to staff.
So, your partner is unnecessarily restricting your work flow. You should instead treat HIPAA’s basic allowance of incidental disclosures of PHI as a floor and let the facts of your own practice set the ceiling.
2. My new admin refuses to call patients by anything other than their first name in the waiting room. She will say “Joe” but not “Mr. Smith” when asking a patient to come with her. She says that at her previous job she was told that this is a HIPAA requirement but I have a lot of patients who consider this disrespectful.
She is over-doing the requirement to minimize incidental exposures of PHI. She can certainly say, “Mr. Smith, come with me please.” What she should never say is “Mr. Smith” – or “Joe” – “the doctor is ready to see you about your syphilitic rash now.”
That Mr. Smith is your patient is an acceptable level of PHI disclosure as long as no other medical information is attached to it.
3. We brought in a HIPAA compliance expert who told us that there should be no discussion of patients outside of a closed room and that even if I have to tell my admin something routine like “Let’s get an LS spine MRI on Mrs. Jones” I have to go into my office and close the door to do so.
I hope that you did not pay too much to that “expert.”
This is again an example of the incidental disclosure of PHI that HIPAA permits, as long as you take reasonable efforts to limit it.
An open crawlspace between rooms that allows sound to easily travel between rooms (so that an entire conversation between you and a patient can be overheard by anyone) can create a HIPAA problem. At the other end of the spectrum, speaking quietly in the open with your admin would not be a HIPAA problem.
4. My office manager instructed the front desk staff to never leave a phone message for a patient about lab results or even to confirm an appointment because if it is overheard by someone else it is a HIPAA violation. The problem is that many of our older patients do not want to use our secure patient portal and ask us to call them.
Your office manager is correct that care should be taken to not leave PHI where it can be accessed by unauthorized individuals. But she is wrong that HIPAA bars leaving a phone message that the patient has agreed to receive.
Just get an authorization from the patient that states the designated number they want messages left. Then you can leave a message.
Of course, you should still take reasonable precautions to make sure that you come under the protections of HIPAA’s allowance for incidental releases of PHI.
First, the caller should not be speaking loudly enough to be heard in the waiting room or by passers-by because the combination of a patient’s name and a clinical fact is PHI. Just tell your staff to speak no more loudly than if they were giving their own credit card information over the phone.
The caller should not plunge in with “Mrs. Green, your A1c level is 5.2” and instead start with “This message is for Mary Green. If you are not Mary Green please hang up.” You obviously cannot control what happens on the other end but this is part of your obligation to minimize the risk of PHI being inappropriately disseminated.
5. I referred a patient with persistent tinnitus to an ENT. Now the ENT refuses to send me her report unless I send her a release from the patient because she says that her findings are new PHI beyond what I sent her.
She is wrong and HIPAA specifically addresses why.
In “Uses and Disclosures for Treatment, Payment, and Health Care Operations” (45 CFR 164.506) the law states that because “Ready access to treatment and efficient payment for health care, both of which require use and disclosure of protected health information, are essential to the effective operation of the health care system…the Privacy Rule permits a covered entity to use and disclose protected health information, with certain limits and protections, for treatment.”
“Treatment” is defined as “the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.”
Sending your patient for evaluation by the specialist and the specialist then communicating the findings to you comes squarely under that provision.
This also applies, for example, in the all-too-common situation of the ER physician who is told by the Records office at another hospital that they will not provide a needed copy of the patient’s prior records without an authorization.
Unlike the ER physician who then has to trudge to the Legal Department to get the matter straightened out, you are in a position to deal preemptively with this problem. Rather than passive-aggressively sending the impeding practitioner a copy of the law – to which he will passive-aggressively reply that that is not his “policy” (remember that HIPAA is permissive on this, not mandating) – just have all your patients sign a release for the consultant to send results and records to you. Have the patient hand that document to the consultant.
6. Our practice’s lawyer says that under the new Omnibus Rule, we have to get Business Associates Agreements with our cleaning company and trash hauler. Is he just trying to create billable work for himself?
I can’t speak to his motivation – he might simply be confused – but he is wrong about what he told you.
HIPAA requires covered entities like your practice to have written agreements with other entities that are not themselves under HIPAA but that intend to receive or work with your practice’s PHI. Your attorney, for example, would be a Business Associate if he works for you on a case in which he comes in contact with PHI, such as a billing matter or a malpractice defense.
The purpose of the Business Associates Agreement is to get those entities to agree they will appropriately safeguard the PHI they receive or create on behalf of the practice. It is why you do not have to personally track every piece of PHI once it leaves your office and goes to a billing company or to your practice’s accountant or to a storage facility.
The most recent Omnibus Rule did increase the scope of which business associates you must have these agreement with. It now includes those entities that merely store the PHI without ever accessing it (any entity that “creates, receives, maintains, or transmits” PHI on behalf of a covered entity) and also now extends to their subcontractors. But the updated Rule is still only directed to entities that receive the PHI on purpose to deal with it as such as part of their work for you.
A worker for a company that cleans your office or one that dumps your trash may accidentally encounter some PHI but that material was not sent to him as PHI. By contrast, for example, you would need a Business Associate Agreement with a shredding company because the material they are working on is PHI.
If you really wants to dot your i’s and cross your t’s, what may be appropriate for the cleaning company and the trash hauler (although not as lucrative for your attorney) is a confidentiality agreement that says that if their workers come across any medical or financial information, they must immediately return it to the practice and may not copy or use it in any way. This creates a civil right of action for you if it later turns out that a worker misused PHI they happened to encounter and your practice was damaged. Although not required by HIPAA, it is also the sort of belt to go with the suspenders of your Business Associates Agreements that would be good to show to an OCR inspector as proof of how seriously you take these issues.
Of course, you and your staff should be doing all that you can to make sure that PHI is locked away when you leave and is rendered unusable, such as by shredding, when it goes into the garbage.
In summary: Over-zealous HIPAA enforcement usually reflects a lack of understanding of the law, which permits incidental exposures of PHI in the course of practice, communication of PHI to patients by means the patient agrees to, and sharing of PHI with other treaters. HIPAA does not require Business Associates Agreements with every entity that may encounter PHI. However, a practice is responsible for minimizing the risks of a breach in all of these settings.
*** Medical Justice Notes: [HIPAA gets harder and harder to parse each year. It can seem like torture by a thousand paper cuts. Our general counsel, Mike Sacopulos and his organization – Medical Risk Institute, routinely helps clients in a cost effective way with HIPAA audits – before there’s a problem – to keep you out of harm’s way. Mention you subscribe to Medical Justice or Dental Justice to obtain a member discount.]