Eli's Rehab Report

Published on Tue May 24, 2011 PDF

Just make sure you maintain your HIPAA compliance on the road.

Protecting your clients' private medication information may seem like old hat, but breaches continue to make headlines.

Consider this: The Office for Civil Rights reported 16 privacy breaches affecting at least 500 individuals in the past month and a half. On average, the OCR has reported an average of 18 breaches per month since February of last year -- and the majority of those were the result of stolen laptops or misplaced files.

Example: OCR recently fined the General Hospital Corporation and Massachusetts General Physicians Organization Inc. in Boston to the tune of $1 million after a Mass General employee left files on a subway train that were never recovered. The last thing you need is for a staffer to accidentally expose a client's confidential information to an unauthorized person. Unfortunately, if you work with patients in their homes or several patients back-to-back in your office, your likelihood for a breach skyrockets.

Use this expert advice to make sure your therapists are able to keep information under wraps -- especially when they're on the go.

Warning: There Are Ears In The Room

You can't always clear the room of your patient's family members or visitors, but you can protect yourself if and when protected health information (PHI) is overheard, points out Lee Kelly, senior security consultant with Fortrex Technologies in Frederick, Md.

Good idea: Explain to your patient that by having other people milling around, his or her PHI could be overheard. If he refuses to clear the area, ask him to sign an acknowledgement form that states he is willing to accept that risk.

In the same vein, you should never discuss others' PHI when visiting a patient's home, experts note. If you make or accept a phone call about another patient, "leave the room or limit what you say," stresses Kelly. "There's still a chance someone will overhear you, but you've done your best to protect the other client," he explains.

Stay Organized To Eliminate Security Risks

The only file you should have with you in a patient's homeis the one you need to treat that patient, notes Brian Gradle, an attorney with Washington, DC's Hogan & Hartson. Any other patient files should remain locked in a safe place like the trunk of your car, she says. Likewise, when you enter a room to treat your patient in your office, come prepared with only his or her data.

And if you're working from a laptop or other portable device, make sure you have only that patient's file open, Gradle says. That way, even in a worst case scenario, the only information that can be spotted by anyone other than you will be that of the patient you're visiting, he notes.

Remember: When you use a laptop -- whether in a client's home or in the office -- you have to take measures to keep the electronic PHI from inappropriate access. "Use passwordprotected screen savers" and set them to kick in after five minutes of inactivity at the most, Gradle recommends.

Like your patients' paper files, when not in use, a laptop should be kept locked up. You can choose the truck of your car, a closet in your home, or a filing cabinet in the office, Kelly advises. "You want to keep it someplace where someone can't look in a window or over a counter and see it."

Educate Your Patients, Too

If your staffers spend most of their time in patients' homes, you should probably take a little time to teach them how to keep their own information secure. "We recommend that patients keep their personal medical information in a drawer or another place that's not open to everyone," shares Brenda Butte, PT, compliance director for Alliance Physical Therapy in Minneapolis.

Even if you aren't worried that your client will expose information, teaching them "the rules" will help them better understand the precautions your staffers must take, Butte notes. For instance, if they know that you are trying to keep their data safe, they'll be more understanding when you must continually enter passwords or ask others to leave the room.

Good idea: Use your notice of privacy practices to initiate a conversation on how to keep medical information out of unauthorized hands, Butte advises.

The Bottom Line

You can't control everything that happens in your patients' homes, but you can decrease the chances that your patients' PHI will be inappropriately disclosed, experts agree. You have more control in the office, but that doesn't mean you can relax.

Plan of action: Ask a senior staff member to accompany a newer member on her first round of home visits to ensure patients are given enough information to keep their own medical data safe, Gradle recommends.

If you can't go with your newer staff to each home visit, you could try including privacy- and security-related questions on your annual patient satisfaction survey, experts suggest. This will help you find out who's slacking.

Drive the point home: "One way to get staff to understand what can happen is to share what we call 'the wall of shame,'" which is the government's website that lists the covered entities that had to report a breach, advises William Oravecz, chief analyst for HITECH Answers, and managing partner of WTO Associates, a healthcare technology and IT solutions company. "You can see what places have been cited and for what."

Resource: View the listing at www.hhs.gov/ocr/privacy/hipaa/administrative/breach notificationrule/breachtool.html.