Train your environmental services staff on HIPAA: Risks to consider and tactics to try

Just like your clinical staff members, your environmental staff works inside your hospital 24 hours per day. Whether serving food in the cafeteria, providing custodial or housekeeping services, or performing a variety of other tasks, environmental services staff members are part of the hospital fabric. They are simply less visible than those wearing white coats.

 

But that doesn’t mean you should exclude them from HIPAA training. The nature of their jobs takes them to every nook and cranny of the hospital, and they have more access to PHI than you would ever imagine.

 

Steve Miller, JD, chief compliance and privacy officer at Capital Health System in Trenton, NJ, says the challenge he faces with nutrition staff members is teaching them the precise meaning of PHI. “A lot of these folks get the impression that PHI is limited to why [patients are] in the hospital, not the fact that they are in the hospital,” he says, adding that you should make this distinction clear in your training.

 

Emphasize that even a seemingly harmless comment in response to an intrusive question can pose serious privacy risks. And whether the patient is a friend, or the person asking for information is a friend to the staff member and/or the patient, is irrelevant. It is also immaterial whether it is the patient who initiates a conversation with a staff member inside the hospital. When explaining this to your environmental services staff, make it as clear as possible. Any PHI you see or hear while you’re at work must be kept private, Miller says. “It doesn’t matter if it’s a personal friend that gave [the information] to you; you treat it as if you received it as part of your job and, therefore, can’t disclose it.”

Inappropriate disclosure to family and friends is one risk; carelessness is another, says Diana Holub, RN, CHC, ethics compliance manager and facility privacy officer at Medical City Dallas Hospital. “I’ve had at least one report that generated from the food and nutrition area because someone left a diet listing out in an open place,” she says. This incident could have led to a privacy breach and is a violation of HIPAA. Ensure that staff members understand their role in compliance to prevent similar occurrences.

 

At Medical City Dallas Hospital, Holub says she trains housekeeping staff members to recognize PHI in trash they remove from patient rooms. However, the ability to recognize PHI that may have been discarded improperly, though helpful, doesn’t solve the problem, she adds. Teach your housekeeping staff members to alert their supervisor to the problem, instead of simply disposing of the PHI correctly. Remember that PHI comes in many forms, and people don’t always think about what they are discarding, says Holub. “An IV bag with a label on it has patient information on it. So that’s thrown into the regular trash and then it can get into the wrong hands,” she says.

 

At Capital Health System, Miller teaches HIPAA from a perspective that explains how the law permits staff members to handle sensitive information. Anticipate that they will be asked to use or disclose information for purposes beyond their daily responsibilities, and teach them the appropriate response.

 

Miller says his staff members must respond to such requests by referring to the policy or directly asking the compliance officer if the answer isn’t immediately clear. Train your environmental services staff members to recognize and understand that a support structure exists to help them get the right answers. Teach them to not rely on their own judgment if they are uncertain, says Miller.

 

Role-playing that relies on real-life scenarios to illustrate the appropriate response in various situations is an effective training tool. This not only educates staff members, but also illustrates where problem areas exist.