
Patient Access: "Getting HIPAA Right"

by John Thompson, Phoenix Health Systems
July 2002

In health care organizations (HCOs), almost every department will be affected by HIPAA compliance. However, few departments will be impacted as directly as those that provide patient access services, particularly with regard to Privacy. This is primarily due to patient access areas' front-end role in collecting billing and demographic data, as well as general consents. Fortunately, there are practical, inexpensive solutions that access managers can deploy to achieve HIPAA compliance, some of which have an added benefit of enhancing delivery of customer service.


Consent: Keep it Simple

The Privacy Rule requires written consent by a patient before covered entities may use or disclose the patient's protected health information (PHI) to perform treatment, payment or healthcare operations (TPO). Most HCOs currently have language in their general consent forms that authorize release of information to insurance companies and other parties involved in billing and collections activities.

One suggestion for patient access managers: determine how existing general consent forms can be simply modified to allow the use and disclosure of PHI in order to perform treatment, payment or healthcare operations. Keep in mind that while the Privacy Rule indicates that consents can be combined, section 164.506 requires that HIPAA consents be "visually separate" and separately signed. Implement your changes sooner rather than later -- certainly before the 2003 Privacy compliance deadline -- so that this critical compliance feature will be firmly entrenched in procedures, and any "bugs" can be worked out early on.


Minimum Necessary: Do it "Right," Reasonably

The minimum necessary standard requires that covered entities make "reasonable" efforts to limit access to PHI based upon the minimum information necessary to perform a particular role. This could include field level access based upon the role and an employee's "need to know." Or, for a small provider or an HCO with paper-based records it may be reasonable to permit access to an entire record to all employees. Compliance can be achieved in such instances without purchasing new information systems or redesigning registration areas.

However, larger HCOs with information systems that allow role-based menus cannot expect to remain on the sidelines. It is not unusual for systems with such capabilities to be "under-implemented" with fairly generic access granted to many roles for the sake of convenience. Practical solutions in this case would simply involve thinking through the true information needs of the role and limiting access through the use of restricted menus.

For example, it is not uncommon for the "Information Desk" role to be staffed by volunteers or security staff who have computerized access to a health information system's (HIS) "alpha census" in order to direct friends and families to patient locations. However, a typical alpha census not only includes patient location information but also includes information such as provider name, admission service, diagnosis, financial class and insurance information. This is clearly more information than is necessary to perform a general information desk role.

Working with a Washington, DC suburban hospital client, our staff recently solved this problem by creating an Information Desk menu. The menu replaced the alpha census with a simple "phone list" that only listed the patient's name, room number and telephone extension.


Right to Request Restrictions: Be Practical and Cost Effective

Patients have the right to request HCOs to communicate health information to them by "alternative means" or at "alternative locations". A reasonable solution for small providers may be to add an additional address section on registration forms that states: "You may contact me at _______." The section would also include alternate email addresses and telephone numbers. Larger providers could reasonably build this section into "customer-defined" registration system screens.

It is important to recognize that in most HCOs, recording the above information is not as big a challenge as is making sure the information is used correctly thereafter. Attention should be given to how the information will be stored, and to ensuring that the system will use it for all future correspondence and contacts.

Patients also have the right to be "de-listed" so that their names don't appear on system or printed patient listings. The Information Desk menu example cited above solved this problem by excluding patients who make such a choice. Patient Access staff flags these patients as "confidential" during the admissions process. Like many hospital information systems, the MEDITECH system used by the client hospital above can restrict the ability to view "confidential" patient information by menu and by profile. Since the Information Desk menu was designed as a restricted menu, patients who choose to be de-listed do not appear on any viewable or printable list generated from this menu. Similarly, building "minimum necessary" profiles for nursing unit staff restricts their ability to view the information of patients on other nursing units. It is important to note, however, that this functionality was not designed to make systems "HIPAA compliant." The functionality is typical of today's health information systems and representative of a cost-effective means of leveraging what is, for many, existing functionality.
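The restricted Information Desk "phone list" and the unit-scoped nursing profiles described above, sketched as an added example (not the client hospital's or MEDITECH's configuration). Role names, field names and census rows are constructed assumptions, and treating a record with no flag as confidential is a design choice of this sketch.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    fields: tuple            # columns this role's menu may display
    hide_confidential: bool  # omit patients who asked to be de-listed
    unit_scoped: bool        # limit rows to the viewer's own nursing unit

# Hypothetical role profiles (assumed names, not a real HIS configuration).
PROFILES = {
    "information_desk": Profile(("name", "room", "extension"), True, False),
    "nursing_unit": Profile(("name", "room", "provider", "diagnosis"), False, True),
}

# Constructed alpha-census rows; not real patient data.
CENSUS = [
    {"name": "Adams, Pat", "room": "301", "extension": "4301", "unit": "3W",
     "provider": "Dr. Lee", "diagnosis": "pneumonia",
     "insurance": "Plan A", "confidential": False},
    {"name": "Baker, Sam", "room": "302", "extension": "4302", "unit": "3W",
     "provider": "Dr. Lee", "diagnosis": "fracture",
     "insurance": "Plan B", "confidential": True},
    {"name": "Cole, Ray", "room": "410", "extension": "4410", "unit": "4E",
     "provider": "Dr. Ortiz", "diagnosis": "observation",
     "insurance": "Plan C"},  # flag never set at admission
]

def patient_list(role, census, viewer_unit=None):
    """Return only the rows and columns the role's menu is allowed to show."""
    profile = PROFILES.get(role)
    if profile is None:
        # Deny by default: a role with no defined menu sees nothing.
        raise PermissionError(f"no menu defined for role {role!r}")
    if profile.unit_scoped and viewer_unit is None:
        raise PermissionError("unit-scoped role requires the viewer's unit")
    rows = []
    for rec in census:
        # Fail closed: a record with no flag is treated as confidential.
        if profile.hide_confidential and rec.get("confidential", True):
            continue
        if profile.unit_scoped and rec["unit"] != viewer_unit:
            continue
        # Project onto the allow-listed columns only.
        rows.append({f: rec[f] for f in profile.fields})
    return rows

if __name__ == "__main__":
    print(patient_list("information_desk", CENSUS))
    print(patient_list("nursing_unit", CENSUS, viewer_unit="3W"))
```

The column allow-list means a field added to the census later stays hidden from every role until it is explicitly granted.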


The Physical Environment: Combine Better Service with HIPAA Solutions

SIGN-IN LOGS

Though the Privacy Rule is still ambiguous on this issue, you can take steps now towards HIPAA compliance that will also enhance customer service. One solution we recently implemented was to replace sign-in logs with individual sign-in sheets that include seating maps of the waiting area. The front-desk staff will continue to greet patients and request that they print their names and appointment times. But check-off boxes have been added to the form so that patients can indicate the department they intend to visit without being asked. To avoid having to call out patient names, once patients are seated, the front-desk staff now notes their location in the waiting room on the seating maps and places the sign-in sheet in a "to be done" bin for the registration staff. Access staff then uses the seating maps to locate the patients in the waiting room, and without announcing their names, approaches and escorts them back to the registration area.

In offices that offer less mobility for access staff, include a consent line on sign-in sheets that authorizes the staff to call patients' names in the waiting room.

A less personal but effective solution might involve the use of "silent" paging systems to alert patients and families. Not only can such systems help protect patient confidentiality but they also provide the following added customer service benefits:

  • Noise reduction in waiting areas
  • Alerts to families when a patient's surgery is finished
  • Freedom for families and patients to use hospital amenities while waiting
  • Elimination of mispronounced names

INTERVIEW BOOTHS AND TREATMENT ROOMS

A variety of solutions exist for providing confidential registration interviews. If feasible, a patient registration interview area would optimally include rooms or "booths" with doors that could be closed to conduct interviews. Attractive modular units can be erected in as little as one day. HCOs that conduct bedside registration, such as our suburban DC client, are considering individual treatment rooms in the redesign of their emergency department. But a low-cost alternative might be to install sound reducing partitions between registration windows while training access staff to speak quietly during their patient interviews.

INTERVIEW DO'S AND DON'TS

What if you work in a small office that collects most patient information at a "front desk?" Observation of a few simple "dos and don'ts" will help you to achieve compliance even when the setting is not very privacy-friendly:

  • DON'T verbally collect patient information while patients are queued up in lines at the desk.
  • DO use individual patient sign-in/seating map sheets such as the one cited earlier to allow patients to silently sign themselves in.
  • DO ask each patient to be seated. Patients may then be either called or escorted to your desk (one at a time) to be quietly and confidentially interviewed.

LOOSE DOCUMENTS: RE-THINK OLD METHODS

Many paper records originate in the patient access department. Original copies of facesheets, prescriptions and consent forms are collected by patient access staff and forwarded to medical record departments for permanent storage. Other departments such as Case Management and Patient Accounting may want copies of insurance cards and managed care referral forms. These documents are copied, collated and temporarily stored at a patient access front desk or on an open file on the desk of the typical access clerk. When the access clerk excuses herself to make copies, the documents obtained from previous patients are at risk of being viewed by her current patient.

One solution to consider: go paperless. Scanners have become very low-cost. Staff will not only spend less time on a close-at-hand desktop scanner than at a centrally located copier, but will not need to abandon their post to create the scanned copies. An added benefit of scanning is that with many document imaging programs, "minimum necessary" workflows can be built that automatically archive scanned documents and route them directly, only to the users that need them.

A simple, but practical solution for small providers might be to use hanging desk drawer files for temporary storage of paper documents. The drawer can be closed when that inevitable trip to the copier must be made.

Shredders can also be used effectively to destroy documents that are no longer needed. But they can be expensive if you must destroy volumes of documents at numerous points of service. A practical solution may be to purchase one or two high quality, high volume shredders. Access areas can be provided with covered "shred only" containers that are emptied daily by housekeeping staff who are trained to properly dispose of materials using the high-volume shredders.


Provider Scheduling of First-Time Patients with HCOs: Build on What You Already Have

The Privacy Rule does not allow covered entities to use PHI prior to obtaining written consent for TPO. This poses problems when providers must directly schedule first time appointments or procedures with HCOs. As with consent, a practical solution would build upon systems that are already in place. For example, since many HCOs provide order forms and pre-registration forms to local referring providers, the HCO's consent form could be incorporated into these documents and be signed by the patient prior to scheduling appointments or procedures. Again, remember to make these HIPAA consents visually separate, and provide a space for a separate signature.


Thinking Ahead: Training, Training, Training

Probably the most reasonable and cost-effective measure that you can take right now to ensure patient privacy would be to send a clear message to your access staff by beginning training, and consistently reinforcing it. Start with sessions to raise the staff's awareness of the privacy requirements. Awareness training can help raise their privacy antenna, and get their mental wheels turning, thereby encouraging staff to begin thinking about potential, practical solutions for their particular environment. Early staff meeting awareness sessions will also "grease the skids" for the enterprise's more formal, official training program. Your smaller, department-based sessions can be done informally and interactively at weekly staff meetings, where incremental bits of learning can be provided, perhaps for just 20 minutes at a time, covering specific, critical features of patient-access privacy issues. You might leave user-friendly written material - such as a relevant HIPAAnote - with your staff to reinforce the goals of the session.

A high-impact prelude to your first training session might be to have a person from another department walk through your department and document or collect every piece of PHI that they can get their hands on. All of the collected PHI could be brought to the first meeting to sensitize the staff to the risks faced in their own work areas. Consider ending these sessions with a bit of brainstorming; you'll generate good ideas and solutions, while at the same time reinforcing staff buy-in to the need for and value of better privacy practices.

"Getting it right" on the front end in patient access is often a critical component of good revenue cycle management. "Getting HIPAA right" will be no different, because HCOs will depend heavily on patient access staff to meet many of the challenges of compliance. Fortunately, as the examples cited above illustrate, these challenges can be met in reasonable and cost effective ways that build upon what many HCOs are already doing and enhance service delivery in the process.


John Thompson, Director, Phoenix Health Systems, is currently leading a long-term outsourcing engagement as Patient Access Director for an integrated health system, responsible for directing major departmental systems and process enhancements. Phoenix is expert in HIPAA change management, strategic planning, and procurement, implementation and integration of state-of-the-art health care information technology. www.phoenixhealth.com
