in HIPAA Headlines by John Brewer

Let’s face it, all the good intentions in the world don’t matter if you are breaking the law.

Over the last few years, I’ve done hundreds of risk assessments at private medical practices.

During our process I try to make it clear that I am not doing this to “beat you up”…really I’ not.

BUT – you would much rather me be the one telling you what you are doing wrong than an HHS auditor telling you what you are doing wrong.

Quite often during the risk assessment process, the practice representative gets a little…defensive.

This defensiveness generally falls into two areas:

  • We are trying to do the right thin for our patients
  • We are too small of a practice to do that.

Fine…I understand…but really, it doesn’t matter.  For the most part, once you stuck out your hand to receive medicare/medicaid money, you also “said” you play along with all the reindeer games.  And as we all know, the government can change the rules to the game anytime they want.

Many times during a risk assessment, I discover that there is not secure “barrier” between the waiting lobby and the back office area.  Either there is no door, or the door has no lock…or the staff just doesn’t like using the lock.

When I point out that this is an issue I usually hear, “come on, we are a small practice, besides, who’s going to just walk back here?”

Side note: I’ve had practices with as many at 8 providers use the “we’re just a small practice” claim.

This week, The Wall Street Journal had a great article about Walgreen’s being investigated for whether a new store design is “properly safeguarding sensitive patient information”.

In short, Walgreen’s has been rolling out a new store design where the pharmacists to have consultations with patients where they come around from behind the counter.

It is claimed that when the pharmacist comes around the count and meets with a patient, that “…private medical data gets disclosed or compromised…” because it is being left “…visible on desks or prescription drugs are left unattended”.

Here’s something every medical business need to be aware of: this was not discovered by the HHS, but by a consumer advocacy group that spend 32 hours and visited 100 locations monitoring how Walgreen’s was working.

Hopefully that sentence perked you up a bit…if not, read it again…I’ll wait.

So why is that sentence so important?  Mainly because it reiterate the point that ANYONE can become a whistle blower about how YOUR practice functions.  If “they” see you violating HIPAA regulations, they can report you.  So, suddenly any pain-in-the-@$$ patient can become a huge problem.

As Walgreen’s points out that the new store design had been “given approval from pharmacy boards in more than 30 states….”  So 30 state pharmacy boards said they are doing the right thing…but nobody consulted a HIPAA expert.

You see, Walgreen’s is just trying to do the right thing here…but it doesn’t matter if that “right thing” creates other problems.

What should you take away from this?

  • You should ensure your HIPAA policies are solid…not just some manual you bought that sits on a shelf
  • You should ensure your HIPAA training is solid…not “some stuff you found on the internet”
  • You should make sure the smallest of details is mapped out and a policy a process exists.  Some of these small details include:
    • Faxing: do you call the person you just sent that fax with PHI in it to confirm it actually went to them?
    • Is the door from your waiting lobby to the back office locked?
    • Do you have a shred box that sits for days until someone finally gets around to shredding it?
    • Do you call out a patient’s name when it is their turn to see the doctor?

Yep, this stuff seems ridiculous, it seems goofy, it seems like you have more important things to worry about…until you have an issue when a box of your paperwork is discovered in a dumpster or a vacant lot…yes, this stuff happens and when it does, that time and effort you should have spent to prevent these issues will look like a lovely walk on the beach compared to what you will be going through.

About John Brewer

This author hasn't yet written their biography.
Still we are proud John Brewer contributed 177 great entries.

2 thoughts on “Good Intentions Are Not the Point
  1. Stephanie Thompson says:

    I am the fairly new compliance officer at a private practive of 10 physicians 4 NP. I have worked very hard to put a compliance plan into place that includes billing,coding and documentation. I recently tried to explain the documentation rule of the NP and physician and who should billing. It was met with argument and basically told me they had done this for many years and the other CPC’s did not say anything. It was very defeating and worrisome and I still do not have a solid plan in place. Any suggestions? And thank you for this article.

  2. John Brewer says:

    Being a compliance officer is never easy, but it has to be done. When you explain compliance rules you should always have ready the fines for failure to comply. Additionally you need to continually document when you train and discuss these rules. Your job is to understand the rules, implement policies and procedures at your practice, train for these policies, then police the policies.
    You need to continually document all of this. When (not if) an audit occurs, the quick answer by those not following the rules is generally “I didn’t know”.
    With that response, all eyes turn to the compliance officer.
    So, in order to CYA, you need to ensure you document all training and discussions (and maybe even reactions) because the day will come that your efforts will be put to the test.

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *