I recently received a complaint from a patient saying that I violated their privacy by asking questions when their family members were in the room. I thought if they let their visitor walk back with them before I saw them, they were allowed to hear our conversation. Am I in trouble?
Signed, Hounded by HIPAA
We are all aware of HIPAA’s existence and probably have done training on it for our hospital. Yet due to its complexity, many of us will violate some patient’s privacy during the course of a shift. Here are a few practical tips for keeping compliant.
In its simplest sense, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 was enacted to ensure the security of the certain patient information, called Protected Health Information (PHI). The goals of this program were to insure that health organizations organize and protect PHI against non-permitted disclosures, and ensure compliance of its workforce. Physicians are a part of this whether they’re employed or contracted. As someone whose family member had their identity stolen from a hospital information system, I appreciate how serious this can be.
PHI encompasses just about everything that would be on a patient’s face sheet, plus anything else that might identify them, such as a diagnosis. This is where providers (covered entities) get into trouble when they post cases on Facebook—the homeless drunk who comes in three times a day is now identified based on his diagnosis. The same would apply to the VIP who came into the hospital and was identified in the newspaper. If you disclose medical information and others can identify the patient based on secondary information, you’ve crossed the line.
Not only is it easy to violate a patient’s HIPAA rights, but the fines can be significant. Each individual violation can result in a fine with the four tiers of violations ranging from $100/violation (offender didn’t know and wouldn’t be expected to know that they violated the law) to $50,000/violation for willful neglect. The most egregious offenses can result in even higher fines, and even imprisonment. Lower tier violations may have their fines mitigated if the organization takes corrective action within 30 days from the violation. This is why the hospital privacy officers need to be notified immediately if there is a problem, and why they so aggressively reach out to department directors to address potential problems as soon as they hear rumors of them. Be aware that these fines come out of your pocket and are not protected by malpractice insurance.
Where we screw up
Given the amount of PHI that we have access to, violations can be as simple as giving information out over the phone without the patient’s consent or leaving our patient log in our backpack and then losing it or having it stolen. Each of those patient stickers on our log would count as an individual violation of PHI if our log is lost or stolen. Pretty scary.
One of the most common HIPAA land mines that we step on is when we discuss medical problems with patients and they have visitors in the room. While it would seem that if a patient brings family or friends into the room with them prior to their evaluation they would be implying consent that those people can hear the discussion, this is not the case.
The burden of patient privacy is clearly on us as the provider and the law entitles patients to privacy. This means that even if visitors are in the room with the patient when we walk in to do our evaluation, we are obligated to ask them if it’s okay if their visitors stay. Only they, the patient, have the authority to say yes or no. While the law allows us to waive their authority on some patient privacy issues (primarily billing or communication with PMD, etc…), we do not have the authority to waive their privacy rights when it comes to having someone in the room, even if that visitor is a spouse. This rule has exceptions such as for legal guardians (for minors or incapacitated patients).
The main HIPAA violation that we usually come across is either intentional or incidental disclosure, which happens when we’re not being sensitive to sensitive issues. While a patient may not care about a co-worker being in the room with them when we discuss their sprained ankle, they might take great offense if we go on to say that we won’t treat their pain with narcotics because old records show they used to use heroin.
For this reason, every interaction essentially needs permission from the patient when we are about to discuss potentially sensitive issues while others are in the room. The patient may ask a question without realizing that our answer will reveal sensitive information so we need to use our judgment if we’re going to discuss a topic that is off issue and considered sensitive (i.e. previous drug use, STDs, pregnancies, HIV or cancer). If we’re about to touch on a subject that the patient may not expect (such as an ER visit two years ago that showed cocaine in the tox screen), it is best to let the patient know that you may be discussing sensitive and personal information and ask them again if they are still OK with their visitors in the room.
Even if others are in the room with the patient’s permission, if you’re going to speak on a sensitive issue, the gravity of which the patient may not have fully appreciated, it is best to speak in hushed tones to the patient. Then, if others hear you, because you took reasonable safeguards to protect the information, it is now considered incidental disclosure, which privacy principles do not prohibit, versus intentional disclosure. That small shift is critical. The key is balancing the objectives of confidentiality while engaging in the kind of clear communication necessary for effective health care.
Here’s a best practice for starting a patient encounter. Knock on the cubicle and, when given permission to enter the room, introduce yourself to the patient. Once you’ve confirmed their identity, introduce yourself to others in the room and ask how they are related to the patient. Then let the patient know that you may ask some sensitive and personal questions and will it be okay if the visitors in the room hear the answers or should they step out for a few minutes.
None of this should take a long time and it’s infinitely easier to comply with the law and protect patient privacy by using a couple of extra questions than it is to deal with the complaints and the potential penalties of not doing so.
HIPAA in the Digital Age
Not a day goes by that I don’t need to discuss a case with one of my providers or have patient information that needs to be emailed out to my group. However, sending PHI over routine email channels puts you at risk of hackers, making email correspondence one of the riskiest areas for HIPAA violations outside of the clinical area. Unless you are on a secure email (most hospitals’ intranets are considered secure), any patient information you email needs to be encrypted or password protected. There are programs that encrypt and password-protect documents. If you use Windows, it’s as easy as going to your start menu, clicking on “prepare” and then click “encrypt document.” Assign a password, email the document or spreadsheet (you can even click “send” straight from the start menu), and then send a second email with the password. I send out biweekly incomplete chart spreadsheets to our docs with tons of PHI. Because most of our docs use email addresses outside of our hospital intranet, I need to sen
d the spreadsheet password protected. By doing so, I’m HIPAA compliant and it only takes them about 10 extra seconds to open the spreadsheet. If you’re responding to a complaint or something else that requires PHI, it’s just as easy to write it in Word and then attach it to an email as a password-protected document.
VIPs: Another HIPAA Hurdle
VIP patients who come to your hospital also open the door for HIPAA violations. Unless you’re directly involved in their care, you have no business clicking on their medical records to see the results of their latest tests. Despite everyone knowing that your computer click leaves a finger print on the chart, and that most hospitals audit who accesses charts, particularly of celebrities, people continue to lose jobs over inappropriately accessing medical records. Allowable reasons to review the chart would be for quality, peer review, or auditing. From my point of view, even when I could review a VIP’s chart for one of these reasons as the chairman, I don’t want my electronic finger prints on the record; I try to avoid any perception of impropriety unless it’s truly medically necessary. Also, keep in mind that there are many VIPs in hospitals, including when employees or their family members are patients. Although you might just want to check the record to make sure one of your colleagues is doing well after their cardiac cath, unless you are the doctor involved with their care, this is off limits.
The general privacy principles found in the HIPAA Privacy Rules are not intended to prohibit the treatment team from taking care of patients, whether that’s talking to the patient or others on the treatment team. However, we need to be aware of the information that we have access to and who might be within ear shot on every patient interaction. Get to know your hospital’s privacy officer and get issues worked out ahead of time with their help. Above all, use common sense when interacting with patients and use technology to your advantage when sending PHI electronically.
Michael Silverman, MD, is a partner at Emergency Medicine Associates and is chairman of emergency medicine at the Virginia Hospital Center.