Health Information Compliance Alert

Published on Wed Feb 28, 2007 PDF

Don't muddle your compliance with misinterpretations.

Is your organization still struggling to overcome those persistent HIPAA regulation misinterpretations? If you answered 'Yes,' you're not alone. Eli's experts will guide you through some of the most common interpretation gaffes and put you on the correct path to privacy and security rule compliance.

Let's Share

It's no surprise that hospitals are encountering strong resistance from smaller providers when they ask to see patient medical records. However, hospitals aren't the only healthcare providers coming up against this wall.

Home health agencies, nursing homes and other providers are consistently being turned away from accessing patient information, even when such access is required for treatment, says John Gilliland, a partner at Gilliland & Caudill in Indianapolis, IN. "The physician's office will make a referral, but not give these agencies any information about the patient," he explains.

"It is usually an employee who says HIPAA doesn't permit them to send or fax medical records," says Patricia Reilly, the privacy officer at Gracedale Nursing Home in Nazareth, PA. A call to the privacy officer usually remedies the situation, she asserts.

Try this: Document your policies and procedures for sharing patient information across organizations and then train your staff accordingly, experts advise.

While many record requests are flatly denied, just as many of those requests are met with demands for the patient's explicit permission for the release. "Many offices are under the assumption that they can no longer release this information to [other agencies] without a signed authorization from the patient," attests Sherry Wilkerson, compliance manager for Esse Health in St. Louis, MO.

The end result? It boils down to "delayed access to the information needed for effectively taking care of our patients," Wilkerson says.

Tip: When your organization makes referrals to--or receives a request from--an outside agency for the records of a shared patient, ask yourself: How is this agency going to care for my patient without this information? Gilliland suggests. By answering this question, you can easily determine how your organization should respond, he says.

Fill-In-The-Blank Forms

Rather than just putting your name on generic forms such as those in regulation guides, really read the material and customize it for your organization, advises Kevin Troutman, an attorney with Fisher & Phillips in New Orleans.

"It's critical that you read the notice and policies and make sure they fit your situation," Troutman warns. Providers have fallen into the habit of simply filling in blanks on policies designed by outside people or institutions, he says.

Warning: Failure to ensure that your documents accurately describe how your organization handles and safeguards PHI could land you in hot regulatory water.

"Fill-in-the-blank forms don't look like a good faith compliance effort and do look like a shallow attempt at compliance," Troutman counsels.

Losing Faith

Many facilities continue to wrongly interpret the privacy rule's mandate for the patient directory, Reilly says. These organizations have interpreted the rules to mean that "they may not release information to clergy unless [the clergy] ask for a person by name," she explains.

However, the privacy rule sets forth that as long as patients opt-in to the facility directory and disclose their religious affiliation, your staff can release information to members of the clergy.

Example: "A hospital may disclose the names of Methodist patients to a Methodist minister unless the patient has restricted such disclosure," the Department of Health and Human Services reminds in its Web site's FAQs.

Fessing Up

"Legitimate mistakes are made," but how your organization deals with those mistakes is crucial, Troutman says. While you may think that by sweeping HIPAA violations under the rug you are protecting your organization, the reality is that you're only making things worse, he asserts.

To establish a culture of compliance, you have to convince your employees to report problems and then fix those problems rather than hide them, Troutman explains. Otherwise, "it's just going to happen over and over again," he says.

Strategy: "You need to inform your employees that [your policies and procedures] are not punitive and that they'll get in more trouble for failing to report something than for making an honest mistake," Troutman advises.

When it comes down to it, employees will want to further your organization's goal of protecting patients' health information, experts say. "Most mistakes are good faith errors-- people don't go out and intentionally foul things up," Troutman asserts. By encouraging employees to confess their missteps, you can weed out those in your organization who are bad apples, he says.

Caution: What you don't want is to wind up telling an auditor that you've not had one single problem or violation, Troutman counsels. Auditors anticipate that you'll have encountered some difficulty, and "they're not going to believe that you haven't," he warns.

Lesson Learned

With the privacy and security rules becoming second nature to your organization, there are still some rumors floating around that could jeopardize your compliance. Refer to the HIPAA regulation and analyze your policies and procedures to ensure your organization's compliance efforts are as solid as they should be.