• E-mail
• Print
• RSS

Ensure your HIPAA training reflects real-life scenarios: Policies should address digital images, Internet sites, flash drives, and more

HIPAA Training Advisor, December 27, 2007

When one healthcare organization purchased a brand-new CT scanner, it wanted to announce the exciting news in its organizational newsletter by including a picture of a provider using the scanner in an actual exam.

Well aware of HIPAA and the need to protect patient privacy, the organization went through great pains to ensure that only the patient's arm appeared in the picture. However, the picture also included a computer terminal for the scanner in its foreground.

Several employees examined the prepublication proof to verify that the PHI displayed on the terminal was illegible; however, the resolution on the final printed copy was of a much higher quality. The PHI displayed on the terminal was suddenly legible.

This is one of many examples that a panel presented at the American Health Information Management Asso-ciation conference in Philadelphia October 7-10 that demonstrates that healthcare organizations need to educate all staff members about the need to safeguard the privacy and security of patient PHI, said Nancy Davis, MS, RHIA, director of privacy/security officer at Ministry HealthCare in Milwaukee, WI.

Keep training up to date

Digital media and photographs are just one vehicle for potential HIPAA breaches. The far-reaching and relatively unmonitored abyss of the Internet poses a risk as well. For example, consider the implications of an employee who takes pictures of nursing home residents using the small camera on his or her cell phone and then posts those photos on MySpace-a public, free, and unmonitored networking Web site.

Hospitals should question whether they are properly educating the work force and keeping their education and training current, said Jamie Husher, RHIA, CHP, director of health information management/privacy officer at Evangelical Lutheran Good Samaritan Society in Sioux Falls, SD.

Keeping policies up to date is essential when training today's technologically savvy work force, said Davis. Policies should specifically address flash drives-tiny portable hard drives that users can plug into a computer to save and retrieve information. For example, identify how you will handle instances in which employees save confidential information to a flash drive and then leave the hospital with it.

The panel discussed several other issues that healthcare providers should address in privacy/security policies, including high-profile patients. "In the past, we were able to use an alias and bill manually. With the transaction and code sets, that is no longer possible, so we are working with the payers to accept the bill with the alias name," said Aviva Halpert, MA, RHIA, CHPS, chief HIPAA/compliance officer at Mount Sinai Medical Center in New York City.

Also address how to deal with minors with divorced parents. Think about who has custody and whether there are any restraining orders, said Eliza Gorton, RHIA, MA, HSM, manager of health information management/privacy officer at Hall-Brooke Behavioral Health Services in Westport, CT. This might mean restricting information for one parent, or keeping the parents in separate rooms.

• E-mail to a Colleague
• Print
• RSS
• Archive