
Recognize common HIPAA myths and misconceptions: Whiteboards, storing records, and business associates

HIPAA Training Advisor, March 6, 2008

Editor's note: Back by popular demand, this is the second part in a two-part series. See the previous issue of the HIPAA Weekly Advisor for more expert opinions on common HIPAA misconceptions.

Working proactively to maintain HIPAA compliance and patient privacy is essential. However, some of your efforts to comply may be unnecessary and may even hinder your ability to provide quality care. Ensure that your organization functions efficiently and complies with HIPAA by recognizing these common myths and misconceptions.

  • Myth: Whiteboards are off-limits.

    Some organizations no longer use whiteboards because the information they contain, such as patients' names or diagnoses, potentially violates the privacy rule. However, if your organization finds whiteboards valuable in providing quality care, it isn't necessary to abandon them completely.

    "The boards can be used to communicate between providers, can have a room number, and who the nurse is assigned to - that is fine," says Mary Thomason, MSA, RHIA, CHPS, CISSP, senior compliance consultant for Intermountain Healthcare in Salt Lake City. "You can use them if they have the minimum information on them." Mary D. Brandt, MBA, RHIA, CHE, CHPS, president of Brandt & Associates, Inc., in Bellaire, TX, recommends placing whiteboards where they're visible to staff members but not the public, such as a medication area or behind a nurses' station.

  • Myth: You must store patient records in locked cabinets.

    It's not necessary to spend a lot of money on lockable cabinets to contain patient records. "I can't tell you how many physician offices and clinics I've seen who have spent money on lateral files or cabinets that locked because they thought it was required under HIPAA," says Brandt.

    Just be sure to keep records in a secure area with limited and restricted access. "If records are kept in a room with limited access - that is either staffed or locked when not staffed - that's acceptable," Brandt says.

  • Myth: Providing patient information to business associates is not permissible.

    Many organizations use business associates to make follow-up quality-of-care telephone calls after treatment. Patients may erroneously believe that sharing their names and contact information with business associates constitutes a breach of their privacy, but a valid business associate agreement permits sharing this information. "This is something we need to know for the improvement of the quality of our care and is certainly permitted under healthcare operations," says Thomason.

    Consider informing patients in advance that a business associate will call and what the purpose of the call is. Nothing in the privacy rule requires you to provide patients an opportunity to opt out of your decision to share information for this purpose. However, you should nonetheless honor any patient requests not to share their information in situations such as this, says Thomason.
