MDS Alert

Published on Thu Oct 01, 2009 PDF

Proactive documentation management has taken on new urgency.

New HIPAA breach notification rules now require your facility to report impermissible disclosures of unsecured protected health information that pose a significant risk of harm to the affected individual(s). Not only do you have to notify the individuals whose privacy has been breached, but also the Department of  Health & Human Services (HHS) and the media, in some cases.

Action: Your facility might want to shore up its paper documentation management, especially if nurses doing preadmission assessments transport any written patient-related information to the facility.

Beware: The consequences of allowing your paper records to get out of hand can land your facility a spot on the local news. "If the breach of unsecured PHI involves more than 500 individuals in any jurisdiction, then the facility has to notify HHS and the media," says Jim Sheldon- Dean, principal and director of compliance services for Lewis Creek Systems LLC in Charlotte, Vt. And the facility will end up on the HHS Web site. "If there are more than 10 affected individuals for whom you  have no contact information, you may need to post a notice on your Web site or notify the media, providing a toll-free telephone number."

As a first step, identify where all your paper documentation containing PHI is "and where it's going," advises Sheldon-Dean. "Who has it, how does it move around, and what information is contained in the documentation? Once you understand that, you can identify what you need to lock up at night, for example, or restrict from moving around." It's extra important to control specially regulated health record information,such as mental health issues, HIV, or substance a buse, he points out.

Good question: "If there are some loose stacks of paper sitting around, what's on them?" asks Sheldon-Dean. You will need to know that in case they get lost.

If your facility does preadmission assessments of residents in the hospital or elsewhere, the nurse should pass along any information she brings back in paper form as quickly as possible, advises Sheldon-Dean. Once the team no longer needs the papers containing PHI, then shred or incinerate them, he advises.

"The interim final rule makes clear that you can't just cross out sensitive information in the record and throw it in the trash can," says Sheldon-Dean. "It has to be shredded so it comes out like confetti. You have to make sure that the shredder doesn't leave pieces of paper big enough to reconstruct. The goal is to make it hard enough for the bad guys to want to look elsewhere."

Another must-do: Nurses or other caregivers carrying paper PHI offsite should secure the papers in a locked container that's kept out of view in the car, adds Sheldon-Dean.

Watch out: Some hospitals or nurses doing preadmission screening fax information from the hospital to the nursing home. But this can be problematic, cautions Nemcy Cavite Duran, RN, BSN, CRNAC, director of MDS at Dr. William O. Benenson Rehabilitation Pavilion in Flushing, N.Y. Duran has heard of instances where nursing homes don't receive faxed records from the hospital -- and the person at the hospital has a confirmation that the fax went through. Someone could have taken the faxed information or someone from housekeeping, etc., could have mistakenly thrown it away, she says.

Perform regular audits to make sure staff are following the facility's privacy requirements.

Cautionary reminder: CVS got hit with a $2.25 million penalty because the drug store chain wasn't following its policy of shredding labels on pill containers, says Sheldon-Dean. "Instead, people were throwing the labels into the dumpsters. Channel 13 in Indianapolis investigated and publicized the problem. You don't want a channel 13 doing the auditing for you."