HIPAA FAQ

Send your questions to
Raymond F. Posa, MBA

Technology Advisor to the American Academy of Podiatric Practice Management,
President, R. Francis Associates 

Question                                              
(Volume 94)

In an office with multiple employees, if the doctor(s) treat any of the employees, how should their charts be handled?

If the charts are filed with those of other patients, any other employee would (probably) have access to them.  Even if employees are told that they only get information from charts on a "need-to-know" basis, if their normal duties give them access to charts, what is to keep them from satisfying their curiosity about a co-worker?

Should employee charts be held out from the other patient charts, perhaps even in a locked file, so that co-workers would not be able to access them?  Then only the doctors would be able to retrieve or add information to them.

And then if MRI or lab results need to be sent....someone in the office will see at least part of such things even if only to know whose report it is.  Your answer would help a lot.

Answer                                                

This is a good one; the question we need to ask is: “Why do we want to afford a special level of privacy over and above the average patient?”

In this case it hits home because it hits home.  But HIPAA requires this “need to know” regarding patient information to be applied to all patients.  In this case it may be one of our own, but it is just as sensitive if it was Mrs. Jones and her neighbor, who happens to work in your office, looked up her chart.

This also brings up the issue of control of the information, in this case the chart.  In a paper chart office, how can you really tell who has been looking at a chart, short of selectively pulling “special” charts and locking them in the doctor's office?  Even though HIPAA is technology neutral it kind of leads us to conclusions as to solutions, in this case EMR.

The other thing to keep in mind is sanctions.  If an employee is looking up information that they don’t have a need to see, then they need to be fully aware of the penalties and the practice must prosecute to the full extent of the law.

Hope that helps.


Any questions or comments can be addressed to Mr. Posa by E-mail: Rposa@Rfrancis.com


Question                                              
(Volume 53)

Do the rules say we have to have monthly meetings about HIPAA the way we're supposed to for OSHA?  Or just that we all be trained?

Answer                                                

As for monthly meetings, HIPAA does not specify any frequency of meetings and/or training.  It only requires that all staff members be formally trained and the training sessions documented and recorded and kept on file.

Question                                              
(Volume 32)

APMA has sent a notice to members that new information and samples of forms, including a revised Authorization form, and a Spanish translation of the Compliance Notification form, have been added to their web site's HIPAA section.  I thought we had everything we could possibly need prior to April 14th.  What do you know about this?

Answer                                                

I could not look at the new form because I don't have a password to the APMA site.

What I can tell you is that if a practice has patients that it knows do not understand English, they must provide the NPP and forms in the patients' language. The way we need to think about the NPP and related forms is that they are legal documents. In order for them to be valid in court the person signing must understand the document.

From our own HIPAA consulting, we have found the need for other forms not included in the APMA handbook.  Remember that the handbook is a guideline, it is not the be-all and end-all. Any practice relying solely on the handbook is probably not in compliance; the information in the handbook needs to be modified.  I have been telling all the doctors using this book to please read the very first page.  Kevin West clearly states that this handbook does not make you compliant; it is only a start.

We really need to stress this to people.  Too many just think that with this book they are done.  It is not until practices get audited that they are going to realize this is not the case.

 

Question                                              
(Volume 29)

A few HIPAA questions:  

(1) For a patient's disability claim, can you fax the information?  I feel no is the correct answer, so I mailed the information to them marked confidential.

(2) In a workman's comp case, the Attorney calls asking for information? I told him to contact the patient.

(3) I am not trained about HIPAA although I should and want to be. Is there a seminar in the Chicago area coming up for those of us who would like to know more?

Thanks for the help,
Brenda

Answer                                                

(1) Faxing information is permissible as long as you have proper faxing protocols in place.  For proper faxing you should send over a test Fax to the number (when it is a new fax number to you) and then call over and make sure it arrived.  You don't want to have a number transposed and send it to a wrong number, so we like to verify that we have a valid number. Secondly, you want a good Fax cover sheet that states that "The following is confidential patient information and (that) if you are not the intended recipients, please destroy the fax and call our office immediately and notify us that the fax was sent to a wrong number". Other than that, faxing is fine.

(2) Regarding the workman's comp case, the Attorney is unknown to you so you have no idea who this is requesting patient information.  The best way to handle this is to send a patient "Request for release of patient information" to the attorney and have them get the signature of the patient and send it back to you, and keep it in the patient's chart. This type of release of information is permissible under HIPAA as long as the patient requests the release. If the request is a "time of the essence" matter, then I would call the patient and get a verbal acknowledgement for the release, and write the time and date of the request and put it in the patient's chart and then follow up with the written request form and keep that in the chart also.

(3) As for the final question, by HIPAA regulation if you are working in a doctor's office or in an environment where you are handling PHI, then you must be trained on the office's privacy policies and HIPAA.  As for training in the Chicago area, I don't know who is offering training but I would think all you have to do is wait a week or two and you will probably get some solicitation in the mail about upcoming training. There are many companies offering training. You can also go to the Web and do a search on "HIPAA training in Chicago". You will probably get some hits.

 

Question                                              
(Volume 28)

(1) Please, tell me the right way of calling a patient into the examining room.

(2) I am also letting my patients sign in when they arrive.  Is this correct?  Some people say no, others say yes.

Haydee

Answer                                                

(1) First, you may call a patient from the waiting room by their name.  You are not giving away any PHI by uttering their name.  The only situations where calling a person by name might infer a breach of a patient's privacy would be in the case of an AIDS clinic, substance abuse center, or situations like that where just being there for treatment will infer some negative images.

(2) The second is similar to the first; just having a sign-in sheet with a date and time will not divulge any PHI, unless you are in one of the highly sensitive areas as mentioned above.

 

Question                                              
(Volume 25)

We are a small office and I would like to know which forms I need to have to be in compliance with HIPAA. The information is very confusing and the money to invest in books is too much for a small practice.  Please help.

 

Answer                                                

Here is a list of the Forms and Policies that we use for our clients. They cover the whole privacy regulation.

Privacy Policies
The Practice’s Policy on Patient Privacy and Employee Acknowledgement
Patient Request to Inspect and Copy Their Medical Record
Patient Request to Amend Their PHI
Patient Request for Special Privacy Protections
Privacy Protection, Record Protection and Retention
Privacy Officer’s Duties and Responsibilities
Employee Privacy Rule Training Certification

Privacy Forms
Notice of Privacy Practices
Patient Authorization to Use and Disclose PHI
Patient’s Request for Amendment of PHI
Response to Patient Granting Request to Amend PHI
Notice of Amendment of PHI (to third parties)
Denial of Request for Amendment of PHI
Patient Complaint Regarding Privacy Practices
Patient Request To Inspect and Copy Medical Record or other recorded
Patient Request for Accounting of Disclosures of PHI
Business Associate Agreement
Business Associate Agreement for Attorney

Unfortunately, HIPAA does not distinguish between large and small practices.  All covered entities are required to have their policies in place and to abide by them.  You also have a mandatory education requirement for all staff members which must be documented and signed off. 

While the information may be confusing, the regulation requires that you have a thorough knowledge of it.  What we recommend is that you have your Privacy Officer (yes, you should have already declared a Privacy Officer by now) take a good HIPAA training class.  We normally hold a class called "Train the Trainer."  We give the Privacy Officer an intensive training class, then they go back to the office and train the staff.  We find that this serves to really reinforce the material for the Privacy Officer. 

Finally, I understand that the cost of some of the books is a bit much and trying to decide which are really helpful can be an ordeal.  I would suggest spending the money on a training class; the interaction and the ability to ask questions and get clarification is invaluable.  Lastly, while the training cost may be high, if you don't do it, the cost of the fines will be much more costly.  Remember that not only can you be fined by the government for infractions, but infractions can also be a violation of a patient's civil rights and have large civil judgments.

 

Question                                              
(Volume 25)

See the question in Volume 24 (3/29/2003)

 

Answer                                                

This question covers several important areas.  The key point to remember in all of this is that our primary goal is to protect a patient's privacy.  I know a lot of practices clip the super bill to the outside of the folder.  The problem with this is once the super bill is filled out, you have the patient's procedure codes and diagnostic codes marked, so any unauthorized person viewing the file is now seeing protected health information (PHI).  This is a serious violation.

The key is to put as little on the outside as possible.  If they want to use a color-coded sticker system known only to the employees to alert themselves to look inside the chart, that would be fine.  Just don't disclose information on the outside of the folder.  Having a patient's name visible on the chart is not disclosing any PHI and thus is permissible.

The other problem with putting a lot of information on the outside of the folder is not only that it would be visible while hanging in a chart-holder outside of a door, but also when this chart now moves to the front desk for processing and maybe things are a little busy and charts pile up.  What would a patient at the front desk see?  Charts with diagnoses and treatment codes and patient names; so we want to keep this information inside the chart.  One possible solution to keeping the information private, yet still giving the staff easy access to the information, would be to use a colored piece of paper inside the chart and keep the insurance, co-pay and any important notes on this page.  Then you can easily flip through the chart and look for, say, the goldenrod-color page and there is all of your information.

Complying with HIPAA may be inconvenient at times, but the cost of not complying will be infinitely more inconvenient.

 

Question
(Volume 21)

I read a post in PM-News that made reference to having transcription done by email, and the likelihood of needing a "business associate" document from the transcription service.  If that is the case, would you not need the same document from any transcriptionist who is not part of your regular office staff?  For that matter, should there be something in the office policy manual about confidentiality that all staff would need to sign?  It seems to me that in the past, many offices had the policy that "what you see here/hear here, stays here", but it may not have been in writing, or at least not required employee signatures to acknowledge it.  What rules are there on this aspect?

 
Answer                                                

The answer to the question of whether or not you need a Business Associate Agreement from a transcription company .... is yes.  Any outside person or organization, not a member of your practice, who handles PHI in the course of their work for you must have a Business Associate Agreement with you.  The exception would be a transcriptionist who maybe works part time at home.  As long as they are on the payroll they are treated just like an employee and don't need a Business Associate Agreement; they would, however, be covered by an employee confidentiality statement.

As for employees, you must now have an office Privacy and Policy Manual, which spells out in detail all of your policies (which should address all of the requirements of HIPAA). They must be educated on these policies and they must sign a form stating that they have been trained and abide by the confidentiality requirements of HIPAA.

This is not as difficult as one would think.  Most offices already conduct themselves in a very responsible manner regarding patient information.  HIPAA just wants the process formalized and put in writing.  This way it is very clear what the policies are and what the expectations are of the employee.

 

 Question                                             
(Volume 17)

How much information can the staff give by phone to a disability company regarding the patient? They request office notes often, and make many phone calls to us regarding individual cases. We want to be sure we are not overstepping our bounds. Thanks for any help!!!

Brenda
JLBKREED@msn.com


 Answer                                                

Brenda,

Under HIPAA you may freely discuss patient information with an insurance provider or physician for the purpose of patient care. In this case the disability company acts in the role of an insurance provider and is acting on behalf of the insured so discussions are permissible. The only thing I would suggest with disability is that this exchange of information be done in writing, by mail or Fax. This way there are no misunderstandings or errors and there is a paper trail. Disability claims can sometimes wind up in court, so it would be best not to rely upon verbal communications.

 

 Question                                              
(Volume 14)

It was nice of Ray to respond with what he and Kevin discussed concerning sign-in sheets.  My next question is the charts being locked up or at least guarded by some means.  Can you address this please?  Thanks so much.

Gail Bennett, PMAC
WSPMAA Executive Director


  Answer                                                

Gail,

HIPAA does not require you to lock up your charts.  HIPAA does require controlling access to the charts.  Generally what is required is that you store the charts in areas where the patients would not have access to them. Some examples are behind the front desk, in a basement, or in a storage room.  HIPAA realizes that in order to function you need ready access to your charts and therefore it does not impose any Draconian measures that will hinder your practice.  By just keeping the charts in non-public areas of your office you are in compliance. The only other thing you should consider is an office alarm system. This will address several HIPAA issues and with the price of alarm systems being so cheap it’s a no-brainer. The average alarm system with central station monitoring will cost less than a locking chart cabinet, plus you will probably get a discount on your business insurance policy (check with your insurance agent).

 

 Question                                             
(Volume 9)

1)  I do wonder about the sign-in sheet, we were told I thought by Kevin West at the ASPMA National Seminar in August that sign-in sheets are ok, not to worry about them.

2)  I also am very confused about locking cabinets for charts.  I got the feeling that we didn't need them, but I hear of offices spending a fair amount of money that most Podiatrists don't have and wonder if we really need to go to all that bother. Could you please pass this on and see what Ray says?  Thanks, I have tons of questions.

I know that APMA is going to have a book on HIPAA in January, by Kevin West, but I am already hearing conflicting opinions on what is true and what is not. Is there any way that Ray and Kevin could compare notes? Would Kevin be willing to write for your newsletter too and maybe read what Ray writes and then give his version?  Dr. Douglas and I went to a seminar in Spokane put on by an insurance company that writes malpractice for optometrists and I felt that they gave different opinions also. I have a notebook they passed out, but it doesn't really say much.
Thanks again Gayle.

Gail Bennett, PMAC

  Answer                                                

1)  I am confident that sign-in sheets that show all of the patients' names are out.  There are stationery stores that are making a sign-in book with tear-off slips, so that a patient signs the slip and hands it in.

2)  As for the locking cabinets for the charts, HIPAA does not tell you how to secure your records, nor does it endorse any method.  It merely states that you must control access to your records and provide for tracking of those who access the records.  How you accomplish this is up to the individual.  I have heard doctors saying that they have to get folding metal gates to lock up the records. That may be one solution, but it is not THE solution, and again, HIPAA does not endorse one method over another.
Hope this helps.

I'll be getting a copy of Kevin's book and give it a read.  I am also going to be speaking at the Region One conference in Boston on December 14th, as will Kevin; this will give us an opportunity to speak face to face. There is enough confusion going around and with April 14th looming, HIPAA is going to get real very soon (this is when the privacy section goes into effect and the real enforcement and fines begin; no extensions on this one).

 

Question                                             
 (Volume 7)


 I have a few HIPAA questions and I'm not sure if a "final answer" is available yet. 

First, with regards to the sign in sheet: Is it required to have labels, or some other form of patient sign-in? I know there was previous discussion that due to privacy issues, patients signing in should not have access to review all the patients previously seen that day. Then I heard this does not pertain to podiatry. So, do we know the final answer?

Next, someone indicated to me that HIPAA will require all billers to be "certified". I had never heard this one before, but I would appreciate it if you could please research and provide information regarding this as well.


Linda Harr
Roseville, MI  

  Answer                                                

(1) First, the sign-in sheets should now be a thing of the past. All check-ins should be done face to face with a staff member and that staff member can then mark that patient "in" either in the computer system or in the appointment log book. A sign-in sheet on the counter should never be used nor any other method whereby the patient can see the other patients' names.

(2) HIPAA is not specialty-specific. The rules apply the same to Podiatry as to Cardiology, no exceptions.

(3) The answer to the question as to whether "HIPAA will require all billers to be certified" is no. The word "certified" is going to be thrown around a lot in regard to HIPAA.  There is no formal Government certification for anything HIPAA. It is just a buzzword that a lot of organizations will try and use to lend credibility to themselves. The only requirement for the biller is that they must have a compliance plan in writing. Then as part of your compliance plan, with respect to those specific questions regarding billing compliance, you would just cite the billing company's compliance plan.

 

DISCLAIMER: Acceptance and publication of any letter, article, news item or advertisement does not necessarily constitute or imply approval or endorsement by myself of the product, idea, or content therein. I reserve the right to edit or to not publish any material received.  Any letters published are the property of Footzine.  Any health- or legal- and financial- related information is for educational purposes only and should not be construed as medical, legal or financial advice, or a substitute for the advice of a healthcare professional, attorney, financial advisor or any other consultant or professional. Information pertaining to legal matters should not be perceived as legal advice, nor should discussion about such issues as Medicare, coding, and billing be considered as definitive. All content is presented as being only the opinions of the contributors and is for educational purposes only.

 


Copyright 2002-2006 FootZine.com, Gayle S. Johnson.
All Rights Reserved