We see it in the news every few weeks: another hospital paying millions of dollars in fines or settlements for HIPAA violations.
Occasionally, the violation is the result of malice – someone intentionally looking at information they shouldn’t see. But more often, it’s simply a mistake; patient privacy laws are long and complex and when hundreds of employees and contractors share information, it’s not hard to see how someone could accidentally fax a report to the wrong number or not realize they can’t send patient IDs in an email.
So how do you avoid security breaches? It’s an old cliché, but it’s true – knowledge is your best defense. A comprehensive HIPAA training program will teach your staff how to avoid simple mistakes. And “comprehensive” doesn’t have to mean “time-consuming” or “expensive.” The basic safety rules can be taught in a couple of hours, and a Google search for “HIPAA compliance classes” will turn up a variety of schools that offer online HIPAA training programs and tests for health information professionals. Better yet, check your specialty’s professional journals and associations for a list of approved classes.
The second step is to create a policy and stick to it. A clear-cut policy listing expectations and penalties will help everyone know what they need to do. Any good policy should be based on education and counseling. For minor and isolated mistakes, employees can be given verbal or written warnings and required to retake the class. Serious or repeated violations may call for tougher measures, but regardless, an established policy with documented follow-through will help protect your business.
The real key, however, is education. Most employees want to do their part to protect patient information – they just need to know how. One of the easiest things you can do is to give your staff a list of the most common violations in an easy-to-read format that they can keep for quick reference or even tape to their workstations.
For instance, in clinical documentation, we see eight specific mistakes more often than any others:
- Picking the wrong CC on an email containing protected health information
- Picking the wrong patient name
- Picking the wrong dictator
- Picking the wrong account number, medical record number or subject ID
- Entering the wrong supervising or attending physician
- Sharing information about a patient with others who have no reason to have it
- Failure to immediately report any potential breach or security incident to the compliance officer or your supervisor
- Improper disposal of materials containing protected health information
And there’s one other mistake that needs to be mentioned: going into a patient’s chart for no reason. While it’s not a common violation, it’s a serious one. Even employees who have rightful access to a patient’s chart can’t look at it without a valid reason. And while they usually know that, it bears repeating often because it’s the kind of thing that gets all types of workers, from MTs to nurses, doctors and administrators, into trouble.
There are, of course, many other costly mistakes, and whether you work for a hospital, an IT provider or a medical transcription firm, everyone in your company is responsible for avoiding them all.
The bottom line? Education. Teach your staff the rules, keep repeating them and help them stick to it. Your patients, your clients and your employees will thank you for it.