Medical practices in rural settings face a host of concerns, such as how emergency protocols may differ from those in urban areas, difficulty in finding nurses (according to a recent Friday Letter from the Alabama Hospital Association, registered nurse is the third most in-demand job), and difficulty in finding appropriate training for staff.
In small towns/rural settings, where “everyone knows everyone,” confidentiality is also at the forefront, especially where patients are known by staff members.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires employees to be trained so they understand privacy procedures. According to the “Questions and Answers” section of the U.S. Department of Health & Human Services website, http://answers.hhs.gov, “the training requirement may be satisfied by a small physician practice’s providing each new member of the workforce with a copy of its privacy policies and documenting that new members have reviewed the policies; whereas a large health plan may provide training through live instruction, video presentations, or interactive software programs.” For more information, please visit the Department of Health and Human Services’ website at https://www.hhs.gov/.
Below are some tips recommended by risk management experts to lessen your risk:
Written policies and procedures will help reduce the risk of a breach in patient confidentiality. To help preserve patient confidentiality, it’s important for all staff members to:
- Never discuss cases or patients where conversations may be overheard.
- Never leave case files, consulting reports, or any other written material regarding patients in areas where other people may inadvertently see them.
- Only allow medical records to leave the facility when absolutely necessary.
- Keep all patient information confidential.
- Sign a confidentiality statement as a condition of employment and annually at the time of their performance evaluations.
In general, the HIPAA Privacy Rule (“Rule”) prevents physicians and other health care providers from using or disclosing any protected health information unless they have obtained permission from the patient or the Rule allows disclosure without the patient’s permission. HIPAA rules are voluminous, complex and can be revised yearly; it’s prudent for practices to consult their corporate attorney to help ensure HIPAA compliance. The following is a very brief overview of HIPAA with regard to the release of patient information.
Patient authorizations grant permission to release patient health information. To be considered valid, an authorization must be in plain language and include the following elements:
- a description of the information to be released;
- the name of the person or organization authorized to release the information (e.g., Dr. John Smith, Smallville Cardiology Clinic);
- the name of the person or organization to receive the information (e.g., the patient’s attorney, the patient’s employer);
- the purpose of the disclosure* (e.g., “at the request of the patient” is sufficient when the patient initiates the authorization);
- the expiration date or event (e.g., “end of the research study,” or “at the conclusion of the subject litigation” is sufficient);
- a statement of the patient’s right to revoke the authorization in writing;
- a description of how the patient may revoke the authorization and exceptions to the right to revoke;
- a statement that the physician may not condition treatment on whether the patient signs the authorization;
- a statement acknowledging the information may be re-disclosed by the recipient and no longer protected by the Rule;
- a signature by the patient and the date; and
- if the authorization is signed by a personal representative, a description of the representative’s authority to act for the patient.
Patients can revoke authorizations at any time except when they have already been acted upon. Authorizations must be maintained for at least six years.
*This may be prohibited by state statute.
Access to Protected Health Information
With a few exceptions, HIPAA gives patients the right to inspect and make a copy of information maintained in their record. Practices must act on a patient’s request for access within 30 days of the request (60 days if the records are kept off-site).
A reasonable, cost-based fee is allowed for copy requests. This fee may only include the costs of copying (supplies and labor) and postage. Many states have rules limiting the amount a practice may charge for copying a medical record. Be sure to review Alabama’s state rules regularly as some are adjusted annually.
When an attorney makes a request for records, have the physician review the request and the patient’s records so that he or she can take the appropriate action and notify his or her ProAssurance Claims Specialist. It is prudent to establish a screening process to help ensure the physician is notified of requests for records from attorneys.
The United States Department of Health and Human Services Office for Civil Rights enforces HIPAA. Its website provides helpful HIPAA compliance information and a “frequently asked questions” page on HIPAA Privacy regulations. Access the website at hhs.gov/ocr/privacy.
State Patient Confidentiality Laws
HIPAA preempts state laws that are less stringent than HIPAA, but states may enact laws that are more stringent than HIPAA. Consult your corporate attorney to ensure compliance with HIPAA and any applicable state patient confidentiality laws.
Physicians insured by ProAssurance may contact our Risk Resource department for prompt answers to risk management questions by calling (844) 223-9648 or via e-mail at RiskAdvisor@ProAssurance.com.