Let’s face it, all the good intentions in the world don’t matter if you are breaking the law.
Over the last few years, I’ve done hundreds of risk assessments at private medical practices.
During our process I try to make it clear that I am not doing this to “beat you up”…really I’ not.
BUT – you would much rather me be the one telling you what you are doing wrong than an HHS auditor telling you what you are doing wrong.
Quite often during the risk assessment process, the practice representative gets a little…defensive.
This defensiveness generally falls into two areas:
- We are trying to do the right thin for our patients
- We are too small of a practice to do that.
Fine…I understand…but really, it doesn’t matter. For the most part, once you stuck out your hand to receive medicare/medicaid money, you also “said” you play along with all the reindeer games. And as we all know, the government can change the rules to the game anytime they want.
Many times during a risk assessment, I discover that there is not secure “barrier” between the waiting lobby and the back office area. Either there is no door, or the door has no lock…or the staff just doesn’t like using the lock.
When I point out that this is an issue I usually hear, “come on, we are a small practice, besides, who’s going to just walk back here?”
Side note: I’ve had practices with as many at 8 providers use the “we’re just a small practice” claim.
This week, The Wall Street Journal had a great article about Walgreen’s being investigated for whether a new store design is “properly safeguarding sensitive patient information”.
In short, Walgreen’s has been rolling out a new store design where the pharmacists to have consultations with patients where they come around from behind the counter.
It is claimed that when the pharmacist comes around the count and meets with a patient, that “…private medical data gets disclosed or compromised…” because it is being left “…visible on desks or prescription drugs are left unattended”.
Here’s something every medical business need to be aware of: this was not discovered by the HHS, but by a consumer advocacy group that spend 32 hours and visited 100 locations monitoring how Walgreen’s was working.
Hopefully that sentence perked you up a bit…if not, read it again…I’ll wait.
So why is that sentence so important? Mainly because it reiterate the point that ANYONE can become a whistle blower about how YOUR practice functions. If “they” see you violating HIPAA regulations, they can report you. So, suddenly any pain-in-the-@$$ patient can become a huge problem.
As Walgreen’s points out that the new store design had been “given approval from pharmacy boards in more than 30 states….” So 30 state pharmacy boards said they are doing the right thing…but nobody consulted a HIPAA expert.
You see, Walgreen’s is just trying to do the right thing here…but it doesn’t matter if that “right thing” creates other problems.
What should you take away from this?
- You should ensure your HIPAA policies are solid…not just some manual you bought that sits on a shelf
- You should ensure your HIPAA training is solid…not “some stuff you found on the internet”
- You should make sure the smallest of details is mapped out and a policy a process exists. Some of these small details include:
- Faxing: do you call the person you just sent that fax with PHI in it to confirm it actually went to them?
- Is the door from your waiting lobby to the back office locked?
- Do you have a shred box that sits for days until someone finally gets around to shredding it?
- Do you call out a patient’s name when it is their turn to see the doctor?
Yep, this stuff seems ridiculous, it seems goofy, it seems like you have more important things to worry about…until you have an issue when a box of your paperwork is discovered in a dumpster or a vacant lot…yes, this stuff happens and when it does, that time and effort you should have spent to prevent these issues will look like a lovely walk on the beach compared to what you will be going through.