Health Information Compliance Alert

Eli Healthcare Compliance Tips:

Take These Steps To Steer Visitors Away From PHI

You can open your organization to visitors -- here's how.

Whether you allow anyone to look around your organization, or you only open your doors for job shadowers and other trainees, you must figure out how to deal effectively with visitors without risking your facility's privacy and security rule compliance.

Eli's experts suggest you follow these steps to protect your patients' PHI when non-workforce members are present:

1. Separate visitors into categories.

You can't work with visitors as a lump group, says Kelley Meeusen, compliance officer for Harrison Hospital in Bremerton, WA. Better approach: Your vendors and consultants can go in a "business customer" column while your patients and their guests can go in the "personal customer" column. "We group job shadowers, temporary employees and volunteers in with our workforce," Meeusen says.

Next step: Your volunteers should go through the exact same training as your regular employees. And be sure to direct business guests to a proper check-in point, Meeusen notes.

2. Issue badges to personnel and planned visitors.

The best identification system is a badge that features a picture of the wearer, but that isn't feasible for all your visitors, says John Boyer, compliance coordinator for the HIPAA DC Program Management Office in Washington, DC.

Rather than giving planned visitors -- like consultants or tour groups -- a photo ID, issue them a color-coded badge when they first enter your facility, he suggests. Example: If a tour group checks in at 8 a.m., give the visitors a one-day badge that you will collect when they leave. Bonus: Track the number and type of badges issued each day. That will help you keep count of how many people should be in a group or on a certain floor.

3. Determine which areas visitors cannot enter.

"We only allow strict access to our data hub, and that's never given to visitors," says Kelly Moore, privacy and security officer for Cogent Health Care in Daytona Beach, FL.

Any highly confidential sections -- such as where you keep your main computer system or sensitive medical areas -- should be cordoned off from visitors unless it's absolutely necessary to allow them in, Moore advises. Example: Tour groups don't need to enter an AIDS ward or operating room, but there's no reason to keep them out of the emergency room.

Tip: Any time a non-employee is found in an off-limits area, report it to the department supervisor. The supervisor should then determine how the slipup happened and take steps to ensure the error doesn't occur again.

4. Emphasize privacy and security training with visiting and part-time doctors.

These physicians are typically the most resistant to following each facility's policies and procedures. That's not because they aren't concerned with patient privacy, Boyer affirms.

Rather, they may visit several facilities in a day and often forget how each policy differs. Tip: Reinforce your policies and procedures through quarterly newsletters and e-mail reminders.

5. Ask business visitors to sign a confidentiality agreement.

"Any guest in our hospital for business purposes must sign a confidentiality agreement saying they'll protect the integrity of our data," Meeusen explains.

The agreement serves multiple purposes: It gives a working definition of both patients' and the facility's confidential information and it lists rules the business visitor must follow.

Important: Be sure to renew visitors' agreements on an annual basis or as the rules change, Meeusen stresses. "We tell our staff to check the date and signature each time visitors return to the hospital," he says.

The Bottom Line: You don't have to invite security or privacy breaches in with your visitors. Rather, map out the logistics of non-employee access by both department and location so you can spot and curb any violations before they happen.
