Health Information Compliance Alert

Published on Fri Jan 14, 2011 PDF

Address privacy breaches now or risk $10K per incident.

You may have invested significant time creating exemplary privacy and security rule policies, but you can't afford to ignore your best resource for maintaining compliance -- your staff.

Use this professional guidance to make sure that your policies are effectively translating into your staffers' daily routines.

Complaints are your top source of information on how well your compliance program is working. Your employees may also have complaints of their own -- and those complaints are usually about their coworkers' inappropriate behaviors, says Daniel Shepherd, privacy officer for Singing River Hospital System in Ocean Springs, Miss.

Best practice: If your employees have not voiced any concerns to you, ask them to meet with you privately to air any suspicious behavior they have witnessed. You can also create anonymous forms that staffers can use to report their grievances.

Private meetings are also a great time to ask employees if customers have made any informal complaints or comments that they failed to report. Make sure staff is aware that you are asking to assess compliance, not punish them for their oversight.

It's easier for your workforce members to remember what they should do than it is to keep track of each thing that they shouldn't do, says Chip Nimick, project director and security officer for the University of Rochester Medical Center/Strong Health.

Get started: Decide what behaviors you want from your staff members, then make a checklist that you distribute to each department. Your department heads can make additions and then train employees according to the list.

Examples: Some key behaviors you may want to include on your checklist are logging off of the network at the end of the day or going to private areas to discuss patients' PHI. Good idea: Supervisors can make copies of the checklist for staff members to keep at hand.

E-mail reminders can be great tools for reaching employees quickly and efficiently. You could note any compliance no-no's you've encountered or use a current news item as a reminder of best practices.

Many offices are developing newsletters and other publications that are distributed to all employees quarterly. The materials are an excellent vehicle for issuing security reminders and keeping staffers up-to-date with your policies and procedures, Shepherd says.

You can also use it to explain any policies and procedures that your personnel seem to have a hard time with. For example, if you've received various questions about how to put together a strong password, you could discuss what makes a strong password and give employees a few tips on how to create one.

Even with all of these efforts to educate staff members thoroughly, compliance questions will inevitably arise. "To me, the key is to make sure that one person in the office becomes the compliance expert for the practice," says Barry Mullen, DPM, compliance adviser for the AAPPM, and podiatrist with Footcare Associates in Hackettstown, N.J. Having one recognized resource for information can help maintain consistency in compliance practices.

This individual should be fully versed in compliance policies and can conduct regular seminars to remind staff of best practices and address any needed protocol changes. He is also responsible for monitoring staff to address mistakes as they occur.

"You don't have to stop at simply complying with the privacy and security rules," says Kelley Meeusen, privacy officer at Harrison Hospital in Bremerton, Wash.

Now that your employees are comfortable with your privacy rule policies and are getting the hang of your security rule policies, ask them to suggest how you can improve your efforts to protect patients' PHI. You can then incorporate staffers' comments with your own thoughts to strengthen your overall compliance program.

You'll also curtail any staff members' hesitance to make changes if you make them feel as though they are part of the reason for change, Meeusen says.

Bottom line: Your personnel are the key to your compliance program's success, and the investment you make for maintaining your compliant status has never been more important. "Fines can be severe, in some cases $10,000 per incident, including license expulsion, censure or even revocation," Mullen says.