You answer the phone and an investigator with Health and Human Services’ (HHS) Office for Civil Rights (OCR) is on the horn. What you say and do during this phone call could mean the difference between a slap on the wrist and a visit from the OCR’s investigators.
First: Answer All Correspondence ASAP: In cases for which OCR suspects an entity of a violation, the enforcement agency will make direct, verbal contact with your organization. Make sure you get in touch with OCR immediately upon receiving their message, advises William Pierce, a spokesperson with HHS. If you receive a message from OCR, contacting them immediately to address the complaint will earn you some good credibility.
Second: Don’t Panic–Just Cooperate: The worst thing you can do if you receive a call from OCR is panic. Sure, it’d be frustrating to receive a call like this; but, remember, OCR knows that sometimes a violation reported by an angry patient really isn’t a privacy rule violation at all. The agency’s first goal is to determine what violation, if any, occurred.
If a violation did happen, they want to know why. The best thing you can do is answer OCR’s questions as honestly and as fully as possible. After that, OCR will work with you to fix any problems and to ensure that a privacy breach doesn’t occur again. After all, the complaint could’ve arisen from “a simple mistake or error—or it could be a lack of knowledge [about the privacy rule],” says Pierce.
Also, keep in mind that OCR must show “clear cause and motivation” when it submits a complaint to the DOJ. As long as you cooperate with the agency and answer all of the investigator’s questions, you shouldn’t have to worry about any on-site investigations, much less incurring a fine, assures Pierce.
Advice Straight from The Source: Pierce sums up OCR’s enforcement goals with some advice for covered entities: “What [OCR] really wants to do is they want you to know what the rule is—to know what you’re supposed to do—and to implement it.” Remember, “The ultimate goal of the privacy rule is to protect an individual patient’s medical record. Everyone shares that goal. Nobody’s working at cross-purposes here,” Pierce says.
Some Real Life Situations
About HIPAA on the Net
Question: “If a recipient wishes to have results sent to him via e-mail and has signed a consent form for this communication, with the understanding that our office does not encrypt the message, are we still permitted to send this information along to him? Do we have any other responsibilities under HIPAA with regard to this request?”
Answer: In this type of a situation, it would be advisable to have the patient sign an authorization to disclose protected health information via e-mail, says Laura Scallion, president and CEO of AllSource Technical Solutions, Inc., in Portland, OR. “The authorization should include language that clearly informs the patient that the e-mail is not encrypted and the internet is not secure. If the patient authorizes, it’s permissible to send the results via e-mail,” she notes. These forms should only be given on request, she advises.
The Bottom Line: You are permitted to send non-encrypted documents containing Protected Health Information (PHI) to patients via e-mail, as long as you first obtain a signed authorization from the patient, explaining that transmissions sent over the internet have vulnerabilities or are not 100% secure.
Can we share?
Question: “One of our office employees moonlights at a long-term care facility. Under what circumstances can he share PHI with our staff about a patient he cared for at another facility?”
Answer: Sharing PHI is “not appropriate, unless it’s particularly for treating the patient,” Kirk Nahra, a partner in the D.C. office of Wiley Rein & Fielding, advises. If both facilities have an established treatment relationship with the patient, the employee could provide valuable information that would benefit all parties. However, if he is sharing the information simply because he is aware of it, or for the purposes of gossip, that is inappropriate and violates the patient’s privacy, he says.
If the employee has information about misconduct or abuse of a patient, then he should address those concerns to his supervisor at the facility where the behavior is occurring or, if necessary, to law enforcement. This disclosure is protected under HIPAA’s whistleblower provision.
The Bottom Line: If your employee is sharing information about patients for reasons other than treatment, payment or health care operations, that behavior violates HIPAA and must be reported and corrected before it adversely affects your facility. Any whistleblowing should happen internally, unless law enforcement must be involved.
Dr. Eric S. Kaplan is CEO of Multidisciplinary Business Applications, Inc. (MBA), a comprehensive coaching firm with a successful, documented history of creating profitable multidisciplinary practices nationwide. For more information, call (561) 626-3004.