Train billing and coding staff members on HIPAA

Coding and billing staff members don’t have much face-to-face interaction with patients, but their constant access to medical records and PHI makes them susceptible to HIPAA violations without proper training. Much misunderstanding still exists regarding what HIPAA permits and what it requires, says Chris Simons, RHIA, director of HIMS and privacy officer at Spring Harbor Hospital in Westbrook, ME. So it’s essential that your coders and billers really understand the intent and importance of HIPAA compliance, Simons says. Explaining HIPAA’s intent and requirements to HIM staff members will prevent many of the simple misunderstandings that can lead to confusion and errors, she adds.

Confidentiality, particularly as it relates to disclosing patient information, should be the primary focus when training HIM staff on HIPAA, says Elisa Gorton, RHIA, director of revenue cycle operations and privacy officer at Hall-Brooke Behavioral Health Services in Westport, CT. Emphasize the importance of disclosing information only to people who need it, Gorton says.

 

Coders and billers often experience difficulty knowing whom they may give information and how they may give it, says Nancy Davis, director of privacy and security officer at Ministry Health Care, a healthcare system based in Wisconsin.

 

Focus on the appropriate response to family requests for information when training coders and billers, Gorton says. For example, the insurance information provided by a patient upon admission might be incomplete or inaccurate. A biller who then calls the patient to request a Social Security number or other policy information to complete the paperwork could inadvertently become involved in a conversation with the patient’s parent or spouse. Thoroughly explain to your staff members which information they may release in similar situations.

 

And strong security requires the vigilance and efforts of all staff members. The volume of patient records HIM staff members process make them essential to the security of your facility’s confidential information, Davis says. Good security measures include systems that require passwords to access patient information and computers that automatically log out when not in use for more than a minute or two.

 

Proper security measures also require teaching staff members the additional rules that apply when they take PHI off-site, Simons says. Thoroughly review the policies and procedures designed to protect PHI accessed outside your facility with your remote coders. These rules apply to PHI accessed via the Internet or stored on a laptop computer, PDA, or portable media, such as a USB thumb drive. “Coders and billers are working off-site more often now and that brings about a whole new set of challenges,” Gorton says.

Employee carelessness and recklessness can also cause substantial problems for facilities. Employees who are careless with respect to what they say and do or, worse, intentionally violate the rules, provide the recipe for a HIPAA disaster.

 

For example, carelessness can easily result in misdirected mailings. You’re not to blame if the U.S. Postal Service delivers mail to the wrong person—but it is your job to ensure you address correspondence correctly and insert only the one correct bill in each envelope, Davis says. She recalls a situation in which a staff member mistakenly mailed sensitive medical information to a patient’s former spouse, who then used the information against the patient in a custody battle. Instruct HIM staff members to verify names and addresses every time they mail any billing or medical information, she says.