Doctor Patient Relations

Make Your Office HIPAA-Compliant

By Pamela Miller, OD, FAAO, JD

Here are eight critical checkpoints to assess whether your staff-patient interactions bring you into full compliance with the privacy goals of the Health Insurance Portability and Accountability Act (HIPAA).

The Health Insurance Portability and Accountability Act (HIPAA) mandates that healthcare providers protect patient information. That general mandate requires that doctors zero in on the specifics of their office operations. Examine your patient-staff interactions from the time a patient calls the office for an appointment to the time they check out, and you may be surprised at how often you inadvertently release protected information.

The key to HIPAA compliance is based on the concept of preserving and protecting the patient’s privacy and dignity. It simply isn’t as easy as it sounds and we need to be constantly vigilant. Here is a checklist to assess how well your office operations comply with HIPAA. Keep in mind that doctors should always consult their own attorney or state board for clarification.

Don’t Repeat Sensitive Info with Others Present

How many times have you overheard your receptionist verifying personal information such as name, address, phone number, date of birth, and reason for an upcoming appointment, by repeating the information back to the patient? If you’ve overheard this happening even once, it’s one time too many. Unless your receptionist or appointment-booker is stationed in his own cubicle or office, far from the ears of others, he should not read back personal information.

HIPAA safeguard: Have the staff member taking down appointments ask the person who has called to repeat back the information that person has just given your staff member–rather than the other way around. That way the person calling for the appointment is saying her personal information out loud rather than the office saying it out loud with others waiting in the reception area.

Use Discretion when Verifying Insurance Information

Once the patient checks in at your front desk, your receptionist probably verifies insurance information. You would be surprised at the personal information that can be revealed during this process by a staffer asking out loud, by name, for the person’s particular insurance card. For example: “Good afternoon, Mrs. Jones. Do you have your Medicaid card with you today?” The receptionist has just let everyone in the waiting area know that Mrs. Jones is on Medicaid, which, by extension, lets all those listening deduce a tremendous amount about Mrs. Jones, including her financial situation.

HIPAA safeguard: Simply ask for her “insurance card” without specifying what type of insurance card it is. Or, provide Mrs. Jones with a print-out of her insurance information for her to look over to confirm it is correct.

Turn Over Sensitive Documents and Turn Computer Screen Away

Think about how easy it is for a patient to peruse another patient’s personal information on a print-out lying face up on the table where pre-testing is done. The print-out containing the next patient’s medical history was meant solely for the eyes of the technician but has now been accidentally shared with another patient. Or, how about when your staff has electronic records on an office computer screen and that screen happens to be within view of numerous patients sitting in close proximity? Any of those patients could read the electronic records on the screen and tell their friends about Mrs. Jones’ glaucoma.

HIPAA Safeguard: When moving around print-outs of patient information, don’t leave the documents unattended, and when placing them down on a table or counter, turn them face down. Keep all computer screens turned away from patients’ view.

Keep Personal Information Off Sign-In Sheet

Your sign-in sheet may become a gossip tabloid if patients signing in can see what others who signed in before them visited the office for that day. Some of your patients may be irked that other patients even know they’re there.

HIPAA Safeguard: Never ask a patient to reveal on a sign-in sheet the reason for their visit or their insurance information. To make it harder for patients to peruse a list of who else is in the office at the same time as them, use a sheet to cover up the sign-in sheet and use a marker to black out the names of all patients once they have gone in for their appointment or after they have left the office.

Ask Whether Elderly Would Like Caretaker to Accompany in Exam Room

Don’t assume an elderly person with a caretaker will automatically want the caretaker to accompany them into the exam room or have the doctor share information about their diagnosis with the caretaker. In these situations, the elderly person usually gives permission for the caretaker to be in the exam room and to hear the diagnosis and doctor recommendations, but ask anyway.

HIPAA safeguard: Ask: “Mr. Jones, is it OK if Mrs. Jones comes with us into the exam room?” Once the exam is complete, confirm: “Mr. Jones, is it OK if I share with your wife my treatment plan for you?” Most of the time, if the husband has given permission for the wife to be in the exam room with him, he won’t object to her hearing his treatment plan, but to be sure, you might want to double-check.

Always Debrief Parents of Minors–Even When Parents Not in Exam Room

Since children and teen patients sometimes are more relaxed without their parents in the exam room, I usually ask older children and teens whether they want their parents to accompany them.

HIPAA Safeguard: Always debrief parents of minors about your diagnosis and treatment plan–whether or not the minor wants you to do so. There may be an exception–for example, if the teen has a lice infestation of the lids. So, be discreet and remember that the privacy privilege is the patient’s. Parents do not legally have to be in the exam room with their child, but they do need to be informed of the doctor’s findings and recommendations.

Conduct Parent or Caretaker Debrief in Private

Your reception area, or any other public area of your office, is not a good place to conduct a debrief with parents or caretakers. When you walk out of the exam room with the patient to return them to their parent or caretaker in the reception area, don’t stop there to do the debrief–even if that is the easiest thing to do.

HIPAA Safeguard: It may seem like an inconvenience, but either leave the patient (if it is safe to leave them unattended) in your exam room while you go get the parent or caretaker and bring them back to the exam room, or walk with the patient to the reception area to rejoin the parent/caretaker and then ask the guardian to walk back with the two of you to the exam room or another private room for the debrief.

Don’t Publicize Diagnosis and Treatment Plan at Check-Out

When the patient is at the reception desk to check out, your receptionist may accidentally reveal to all in the waiting room the doctor’s diagnosis and treatment plan: “Mrs. Jones, I see here the doctor wants to see you back every six months to monitor your glaucoma. Do you want to set that six-month appointment now?”

HIPAA Safeguard: Leave out the diagnosis: “Mrs. Jones, I see that the doctor wants to see you back in six months. Do you want to set that appointment now?”


Pamela Miller, OD, FAAO, JD, DPNAP, has a solo optometric practice in Highland, Calif. She is an attorney at law, holds a therapeutic license, is California State Board-certified and glaucoma-certified to prescribe eye medications, and offers comprehensive vision care, contact lenses, visual therapy and low vision services. To contact her: drpam@omnivis
