Health Information Compliance Alert

Compliance Strategies:

6 Tips For Streamlining Your Accounting

Published on Tue Oct 27, 2009

PDF

Use this advice to ensure compliance during PHI leaks.

If you can't recognize an incidental disclosure of protected health information (PHI) from a wrongful one, you could be in big trouble when it comes to compiling an accounting of disclosures.

Luckily, Eli's experts are here to help you pin down what information must go into an accounting of disclosures. Use these accounting guidelines to make sure you maintain only the data The Health Insurance Portability and Accountability Act (HIPAA) mandates patients have a right to see.

1. List wrongful -- not incidental -- disclosures. An incidental disclosure is when PHI is shared inadvertently with unauthorized users during the performance of day-today operations, explains Kelley Meeusen, privacy officer for Harrison Hospital in Bremerton, WA.

A wrongful disclosure is when PHI is shared with unauthorized users outside of day-to-day operations.

2. Account for mandated disclosures. You must account for each state -- or federally-required -- disclosure of patients' PHI you make. This is where public health oversight reporting comes in, notes Susie Honeycutt, privacy officer and transcription supervisor at Cardiovascular Associates, Kingsport, TN. Some of the disclosures patients can expect to find on their accounting include reporting for communicable diseases and suspected abuse.

3. Document paper and electronic disclosures. "The important word to remember is 'disclosure,'" stresses Sue Miller of Sue Miller's HIPAA and Healthcare Services, Concord, MA. Any information you disclose -- whether it's through email, a fax or a privacy or security breach -- that falls outside of incidental disclosures must be listed in the accounting of disclosures.

4. Be specific -- but not too specific -- about the

disclosure. Any organization employee entering information into a disclosure log should be sure to give a "meaningful explanation of what was disclosed" without going overboard, Meeusen asserts.

Example: Harrison Hospital groups the information in its patients' medical records by episode of care. If a privacy breach or staff mistake led to a wrongful disclosure, staffers would note which episode of care was affected rather than all the information within that episode, Meeusen says.

Think of it this way: Apply the minimum necessary standard to your disclosure log, experts suggest. You should list the least amount of information needed for patients to understand what happened.

5. Remember to note disclosure dates. It's very important to log the date a disclosure was made, if you know it, Honeycutt assures. However, if you're recording a disclosure due to a privacy or security breach, you may not have the specific date. In those cases, you should note the date you discovered the disclosure along with some timeline of when the disclosure originated.

Example: Your system was inappropriately accessed in July, but your organization did not uncover the breach until late August. Your disclosure log should include both dates with a comment about why the exact disclosure date is unknown, Meeusen says.

6. Include your mitigation process. You don't have to write out exactly how you investigated and mitigated a wrongful disclosure, but you should note who led the investigation, the dates of the investigation and how you mitigated any fallout. Any relevant documentation -- such as a copy of the incident report -- should accompany the log.

This record can serve as another piece of evidence that you strove to protect your patients' PHI, Meeusen notes.

And if patients are upset about a certain disclosure, you can show them how your organization worked to ensure the disclosure did not lead to disaster for patients.

The bottom line: You must record all relevant information -- and only the relevant information -- in your disclosure tracking system so that those disclosures can be easily rounded up when a patient submits a request for an accounting of your PHI disclosures.

Health Information Compliance Alert

COMPLIANCE STRATEGIES:
Top 3 Reasons to Keep Your Patients' PHI on U.S. Soil
Is offshoring an option for you? Here's how to find out. Your first question when [...]

Security Strategies:
You Be The Security Expert: How Do You Handle An Onsite Privacy Rule Investigation?
Question: We're adding to our privacy compliance handbook a section on how to respond to [...]

Privacy:
Don't Rely On Aliases to Protect Your Patients' PHI
You can protect your patients' information without changing their names. Picture it: Brad Pitt is [...]

Compliance Strategies:
6 Tips For Streamlining Your Accounting
Use this advice to ensure compliance during PHI leaks. If you can't recognize an incidental [...]

Reader Questions:
Don't Throw Out Those Training Records
Question: Does the privacy rule mandate that we keep our training documentation, like sign-in sheets [...]

Reader Questions:
Spouse Gets Special Privileges Under HIPAA
Question: How does The Health Insurance Portability and Accountability Act (HIPAA) affect married couples? Does [...]

Privacy Compliance:
Defuse Patient Complaints With These Protocols
Putting a complaint on the backburner can land you in hot water with the feds. [...]

Clip 'N' Save Tool:
Help Staffers Combat Common Security Violations
Here are 10 security incident warning signs. Would you bank on your staff's ability to [...]

Sample Worksheet:
Zero In On Your Compliance Plan's Holes With This Tool
Staff members' input is vital to your self-evaluation's success. Your personnel play a huge role [...]

Industry News:
New Interim Rule on HIPAA Penalties Released by HHS
Watch Out: Maximum monetary penalty for HIPAA violations just increased by 6,000 percent. If you [...]

View All