
Living Day-to-Day With HIPAA Privacy:
The Top 10 Most Inappropriate Responses Overheard in the Healthcare Workplace

By Randa Upham, Principal, & Amanda Dorsey, Director, Phoenix Health Systems

The real-world practicality of the HIPAA Privacy Rule has been widely and vociferously argued since the first version of the Rule was proposed in late 1999. With the passing of the final Privacy Rule's compliance deadline in April, 2003, the days of court challenges and formal pleas for gentler requirements seem to be over. However, operational questions, misconceptions and frustrations remain for many of us. So it's not surprising that some staff charged with applying HIPAA Privacy in the healthcare delivery and business workplace are responding in a very human manner -- resorting to operational solutions that are more convenient or comfortable than genuinely compliant.

As consultants in information management and process change within healthcare provider organizations covered by HIPAA, Phoenix staff members have an opportunity every day to observe the work routines of healthcare staff and listen to their HIPAA Privacy-related concerns. In attempting to respond to patients and their families, and comply with HIPAA, healthcare workers often exhibit surprising, erroneous and potentially worrisome perspectives regarding their Privacy responsibilities. Here is our countdown of the TOP 10 most inappropriate quotes concerning HIPAA privacy we've heard – and our response to each:

NUMBER 10: "So I made an inadvertent disclosure. Everybody does it!" (Comment by one nurse to another after realizing she had disclosed information without proper authorization.)

OUR RESPONSE: Although HIPAA understands that sometimes improper disclosures of PHI do occur even with the most sound privacy practices, the regulations require that there be an accounting of such instances. Disclosures that are not for treatment, payment or operations (TPO) and that have not been authorized by patients must be recorded in the Accounting of Disclosures Log. Although it is likely that some inadvertent disclosures will not cause harm to the patient, it is important that staff understand that they are a serious matter and all must be reported to supervisors and, as appropriate, to the Privacy Officer. The importance of establishing an environment that is committed to minimizing the occurrence of inadvertent disclosures should be an organizational objective.


NUMBER 9: "Because of HIPAA, I cannot give you copies of your deceased mother-in-law's medical records, even if she is dead. I need her authorization to do so!" (Comment by Medical Records clerk to woman asking for copy of her mother-in-law's medical files.)

OUR RESPONSE: Well, if that doesn't confuse the family member! The matter of obtaining patients' authorization to disclose their PHI is complex and requires a sound understanding of the regulations by staff who must handle such requests. Explanations to those making requests for PHI disclosure can be simplified. In this case, a more appropriate response to the requestor would be to explain that a written authorization from the patient is required for the disclosure of the medical records unless the requestor happens to be the patient's personal representative (which should be defined) or state-prescribed guardian; and the fact that the patient is deceased does not change this legal requirement.


NUMBER 8: "Mrs. Smith, this is the New Visions Fertility Clinic calling to remind you of your exam tomorrow morning at 9:00 AM." (Message on the answering machine of a couple who happen to live with the in-laws.)

OUR RESPONSE: Some things never change or, at least, don't change easily. It is a well-established practice in the healthcare delivery world to call and remind patients of upcoming appointments, thereby preventing the extra cost of missed office visits and generating the thanks of many patients. The problem with this practice, in relation to HIPAA, occurs when too much information is left on the answering machine. Often such messages are harmless but when a patient does not want other members of the household to know specifics about the healthcare being received, then privacy violations occur.

The most obvious remedy is to discontinue this practice; however, many providers and patients do find appointment reminders valuable. If a covered entity does maintain the practice of leaving messages on answering machines/services, it must indicate such in the Notice of Privacy Practices. Further, it must exercise discretion about the extent of information left in the message. The patient then also has the right to ask that no messages ever be left for him or her.


NUMBER 7: "We understand your frustration, Miss Jones, but your father is no longer in this hospital. We can't tell you where he has gone but here is a list of hospitals in the county. You could call them to see if he is at any of them." (Comment by the nice lady who greets visitors at the hospital's Information Desk, responding to a distraught woman who found a message on her answering machine from her father saying he was being taken to the hospital.)

OUR RESPONSE: The issue of the facility directory as it relates to patient privacy creates frustration for visitors and staff alike. Some covered entities have gone so far as to eliminate the use of the directory altogether to avoid the hassle. Covered entities need to provide their workforce members who greet visitors or handle the patient information phone line with sound training on how to properly respond to inquiries. It is also helpful to provide visitors with a brief written statement on the organization's practices for maintaining the facility directory and how patient information can be disclosed.


NUMBER 6: "What happened to Mom, apple pie, football, and reading the weekly birth announcements in the local paper? HIPAA even goes after that!" (Comment by head nurse on the maternity wing to the Privacy Officer after learning that she could no longer post pictures of the new arrivals on the unit bulletin board without parental authorization.)

OUR RESPONSE: Many who work with newborns and their families have expressed dismay over the intrusion of HIPAA into what some consider the sacred practices and joyous activities surrounding the arrival of newborns (e.g., birth announcements in local papers/hospital newsletters, announcements over the loud speaker and posting of pictures of new babies on bulletin boards). The fact is that information about a new baby's arrival is PHI, as is the baby's facial image. Fortunately, healthcare workers and parents need not despair that they can no longer celebrate newborns publicly. Very simply, an authorization for disclosure of the baby's PHI is required. The organization can establish practices to inform parents that they may sign an authorization for use of their baby's picture for such "community spirit" purposes. The hospital can also arrange to have the local newspaper provide a valid release form to new parents should they want to have announcements published. Such changes from tradition may create some grumbling but can't really be considered "intrusions into patient care."


NUMBER 5: "No, you don't need to shred those reports because of HIPAA. That information is not really PHI because it doesn't have diagnoses listed for the patients." (Comment by one billing clerk to another.)

OUR RESPONSE: Most of us who work in healthcare understand that the medical record represents PHI and must be protected. What is often not understood is how often PHI shows up in other documents. Covered entities include PHI in many reports, lists, and administrative materials that may not be disposed of properly. Staff should understand the basic PHI concept that if an individual can be identified from demographic information and linked to any information about healthcare services received, then PHI is present. Just because a document does not include a patient's diagnosis does not mean there is no PHI contained in it, or that it may be thrown in the regular trash. Management must help all staff understand the concept of PHI so they will properly handle it, including appropriate disposal.


NUMBER 4: "Mr. Smith, you must put your age, Social Security Number, and phone number on this sign-in sheet. Otherwise, your insurance won't cover your visit here today!" (Comment by a receptionist at the Cancer Treatment Center to patient in waiting area.)

OUR RESPONSE: Unlike some dilemmas created when trying to comply with HIPAA privacy while maintaining healthcare operations, the patient sign-in sheet need not create major difficulties. It is true that many insurers require sign-in sheets for verifying services delivered, but is there any reason why personal information must be captured on sign-in sheets that others in the area can see? Innovative organizations have tackled this issue with various creative solutions that do not compromise patient privacy. For example, consider handing the patient a numbered ticket upon his completion of a separate sign-in sheet or having a sign-in sheet with tear-off sections that the office staff will then attach immediately to a "master" sheet.


NUMBER 3: "I am not supposed to give out confidential information unless the patient has authorized it, but maybe you can give me some information that will verify that you really are Mrs. Hudson's daughter - then it would be all right for me to tell you about her condition. Can you give me her address?" (Comment by the Unit Clerk responding to phone call from unknown individual inquiring about her mother who is in the hospital.)

OUR RESPONSE: Obviously, many individuals may know a patient's address, and using it as a criterion for verifying the identity of a family member could seriously compromise the patient's privacy. Covered entities that do not establish clearly defined practices for responding to phone callers (and other inquiries from family or the general public) are placing their staff in uncomfortable and risky positions. Caregivers should be responsive to the needs of a patient's family but need specific guidelines on how to respond to inquiries and still maintain compliance. An effective strategy is to prepare simple scripts for responding to inquiries (from patients, family members and visitors) that can be easily learned and understood by your staff. The scripts should provide clear explanations to the inquirer about how the organization protects patient privacy.

NUMBER 2: "MORE privacy training? We already did all that last spring and there are no more training funds in the budget! I am sure that our new employees had training on privacy at their last job. Ask them to submit some documentation from whatever HIPAA training they have had and put it in their files." (Comment by VP of small facility in response to request from Human Relations Director for additional funds for training for new employees.)

OUR RESPONSE: One of the most disturbing misconceptions about HIPAA privacy training is that it should be "finished by now." Too many believe that initial Privacy training, which was required to be completed by April, 2003, is sufficient to ensure that all workers in the healthcare industry henceforth will have the HIPAA privacy knowledge they need to perform their jobs.

In relation to the particular situation described above, much has been argued on the HIPAAlive listserv about whether privacy training received from former employers satisfies the HIPAA requirement for workforce privacy training. Such a practice does NOT satisfy the HIPAA requirement that you train your staff on YOUR privacy practices!

Further, privacy training overall cannot be a one-time event and be effective. Each covered entity must continue to grow the HIPAA culture within its organization so that the workforce understands appropriate methods to handle the many unexpected complexities of complying with the Privacy Rule. It is unlikely that all such practical issues have been covered in any organization's initial HIPAA privacy training program. Also, staff who are transferred within the organization or given additional responsibilities may very well need updated privacy training that relates to their changed roles. Accepting documentation or verification of training received at other covered entities to serve as evidence of adequate training on your organization's practices is not the intent of the HIPAA Privacy Rule.


AND, the NUMBER 1 Most Inappropriate Quote Overheard Concerning HIPAA Privacy is:

"Here is your HIPAA notice -- you have to sign here. What? Oh, it is something the government makes us do now." (Comment by the receptionist as she registers patients who come to the busy office of prominent Cardiologist.)

OUR RESPONSE: Any covered entity's staff should be able to explain, at least in brief, the content and intent of the covered entity's Notice of Privacy Practices to any patient, so that he or she understands what the Notice is, and that it is being provided to benefit the patient. The purpose of the Notice of Privacy Practices is to clearly define how the privacy of patient health information is protected by the organization. If a covered entity has in fact implemented processes to protect PHI, staff should be aware of them and be able to respond to questions that a patient might ask. Acting as if the Privacy Notice is yet another annoying governmental regulation is not giving the patient the right message, nor does it reflect the intent of HIPAA privacy.


HOW TO PREVENT INAPPROPRIATE PRIVACY-RELATED BEHAVIOR AMONG STAFF:

Impulsive or lighthearted reactions – even about HIPAA – are commonplace human responses to stressors in the work environment. But off-handedness or humor should not replace sensitivity to privacy, nor be allowed to hide the seriousness of many healthcare workers' frustration and confusion concerning their privacy responsibilities. Most of the scenarios above might have been prevented if staff knew how to appropriately respond to work situations involving privacy matters.

Helping the members of your staff integrate HIPAA privacy practices into their daily routines should be a key objective for your organization. Although HIPAA is complex in language and interpretation, it need not be experienced as a major distraction or impediment to the delivery of care. Too often, policies/procedures are written and conceptual training on them provided, but the last step in the learning process – guidelines and scenarios for applying privacy concepts to everyday (and unique) situations – is ignored. As a result, staff members resort to responses that feel safest or easiest, like the extreme (but real) examples reported above. Discussing such examples with your team members can effectively help them cope with perceived on-the-job HIPAA dilemmas. Providing authoritative guidelines, explanations, scenarios and scripts will show workers how they can meet their HIPAA privacy obligations, as well as minimize frustration for themselves, patients and their families. Practical, forward-thinking education and attentive supervision will help to convert old habits and inappropriate behaviors into appropriate, HIPAA-compliant actions – and transform your organization into a genuinely privacy-sensitive healthcare delivery operation.


Randa Upham, M.A., Principal, with 23 years' experience in the Healthcare and Information Services industries, is in charge of Program Development at Phoenix Health Systems, and oversees Phoenix' e-learning and other educational services. Amanda Dorsey, Director, Phoenix Health Systems, delivers HIPAA consulting solutions to physician practices and hospital clients. Ms. Upham and Ms. Dorsey recently teamed up to present Phoenix' Audio Conference, "When Good Privacy Policies Create Operational Dilemmas: How to Live with HIPAA Privacy in the Real World," the tape of which is available at HIPAAudio.com.
