HIPAA Compliance Strategies

Hospitals Are at Risk When 'Family Doctors' Go Too Far With Records

Reprinted from December 2007 REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

Hospitals are full of physicians who treat their own family members — the plastic surgeon who gave his wife an eye job; the dermatologist whose daughter gets her Accutane scripts from dear old dad. In these cases, the doctor would appear to have a legitimate need to access the wife's and daughter's medical records, although it could be argued that the treatment relationship is ethically questionable.

But what about the doctor who suspects his wife is cheating and accesses her records to see if she's seeking medical care for a sexually transmitted disease? Or the doc who peeks at a cousin's chart just to make sure his gallbladder surgery went well?

In years past, it might not have been possible to document this type of activity, but nowadays, under HIPAA, hospitals conduct (or should be conducting) routine audits to see who is accessing information to ensure that the access was permissible.

Hospitals and other covered entities (CEs) are required to take steps to mitigate the impact of the infractions of the privacy and security rules and to apply sanctions to the offender. When the possible violator is a physician and the patient is a family member, experts advise that despite any political sensitivities, it would be wrong to ignore such behavior.

Instead, you should employ tactful measures to discipline the errant physician if necessary to ensure that you remain in compliance. And in this case, there's an added complication: Many believe physicians should not treat family members, and some hospitals even prohibit it.

So if the physician turns out to have treated a family member or is simply mucking about in the record for no allowable reason, the possible HIPAA violation may just be the start of the trouble.

Probe Physician Access to Family Records

As with most compliance issues, having comprehensive policies and procedures in place — and consistently enforcing them — will hold any CE in good stead, whether the transgressor is a physician or a maintenance worker.

Generally, though, the privacy rule is silent on doctor-patient relationships between family members, but requires that physicians access only that information necessary for treatment, payment and health care operations — unless they obtain an authorization from the patient.

The rule also requires entities to develop systems to protect the data from unauthorized users and to audit it regularly to ensure nothing is amiss.

Any audit that shows a physician accessing a family member's record should be investigated to ensure that the access is legitimately related to the purposes that HIPAA allows — that is for treatment, payment or health care operations, advises David J. Zetter, a consultant with Health Care Professional Management Services in Mechanicsburg, Pa. "If I was the privacy officer and this kind of issue came to me, the first thing I would do is address the access — determine what they accessed and then why," Zetter says.

If the access appears legitimate and does not violate any hospital policy or privacy- or security-rule requirement, the situation could end there.

But if it isn't clear from the audit trail or from the medical record that there was a legitimate reason for the access — or if the access violated a policy that physicians cannot treat family members — the next step is to contact the physician to inquire about the access, he says.

A likely story one could hear from physicians is that they reviewed a record before writing a script for antibiotics, or birth control perhaps, but they may not have actually examined the patient during a formal visit or written a script that was documented in the record. So the audit trial might just show they accessed the record, and nothing else.

This would fit the pattern that some doctors have of "informally" treating family members. They don't document their services because they don't intend to bill for them. This is a sticky situation, and the hospital will have to grapple with whether the physician did anything wrong.

"I would obtain their comments to see if they line up with what the audit trial shows," such as how many times the record was viewed, and what parts were viewed, if the trail is that specific, Zetter says.

To quantify whether the physician really does have a right to the record, one hospital in the Midwest permits access if the physician falls into one of four categories: admitting, attending, referring or consulting.

Confront the Physician Carefully

If the access were unauthorized, and thus a possible HIPAA violation or it falls into a gray area, "I would review the policy with the physician and have him or her sign the policy stating that he or she understands the policy and will follow it." Zetter says. He adds that "if we didn't have a policy on access, I would certainly draft one to make sure it doesn't happen again."

Hospitals and other CEs should have a policy "that succinctly explains what access each person is allowed to have based on their job duties and responsibilities," Zetter says. "This is called a workforce analysis and documents what access an individual should have based on their job description. This is on record in the HIPAA compliance plan."

"Physicians have to go through the process like everyone else," Zetter says. "No physician has the right to go in and access family files just because they want to. But I'll bet it happens all the time."

He recommends that this encounter be as non-confrontational as possible. "You say that you are collecting information. You go in speaking very calmly.... Ask them why they accessed the record and whether they are aware of your policy" if the access was unwarranted.

"If they did get [unwarranted] access, we need to find out how to lock them out," Zetter adds.

If you determine that there is a true violation that must be punished, as it goes against your policies or the privacy and security rules, you may want to involve your personnel or human resources department to notify the individual of the consequences of his or her actions. This might include the classic letter in the permanent personnel record, a suspension or some other action as provided for in your policies.

Or, depending on what your bylaws state, the news could be delivered by an individual handling physician disciplinary matters, such as the chair of an applicable medical department, a chief medical officer, the chairman of the hospital's governing board, etc.

Some medical administrators suggest that you will get better compliance from physicians if only their peers or colleagues — specifically those with a medical degree — are the ones responsible for enforcement.

If there is no established or documented treatment relationship, but the physician insists he should have access to the record, the next step is to require proof through an authorization signed by the patient.

The hospital then has the discretion to either grant or deny the authorization, Zetter says , in much the same way as you can say "no" when a patient wants to amend or change a medical record. In this, it may even be prudent to say "no" to such an authorization if you want to discourage physicians from treating family members.

Consider Banning Family 'Care'

Your next step could be to rally your medical staff behind you and move to ban physicians from treating family members. Other hospitals have taken this step, and there are a number of good resources to back you up.

Your audit trails may or may not turn up lots of "family" doctors, but it is common enough that the American Medical Assn. has strongly discouraged it.

In addition, CMS does not permit physicians to bill for care rendered to immediate family members, Zetter says. Also, you may be able to refer to state laws, which are often stricter than federal regulations on medical issues.

Some state laws require that a physician must have a "professional" relationship to the patient, which is defined as one that is at least documented. Ohio, for example, also states that such a relationship can never be with "oneself." Ohio also specifically addresses this issue in reference to controlled substances, as do other states.

"Accepted and prevailing standards of care require that a physician maintain detached professional judgment when utilizing controlled substances in the treatment of family members," the Ohio law states. "A physician shall utilize controlled substances when treating a family member only in an emergency situation which shall be documented in the patient's record. For purposes of this rule, `family member' means a spouse, parent, child, sibling or other individual in relation to whom a physician's personal or emotional involvement may render that physician unable to exercise detached professional judgment in reaching diagnostic or therapeutic decisions."

Finally, if your medical staff needs more convincing, you can point out that the Joint Commission on Accreditation of Healthcare Organizations doesn't like this practice either. Some hospitals have been cited for this as a violation of accreditation criteria for ethics, conflict of interest and adherence to laws and regulations.

Advertise With AIS

Privacy

Site Map