HIPAA Compliance Strategies

What One Hospital Privacy Officer Learned During a Surprise OCR Investigation

Reprinted from the September 2005 issue of REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

One hospital was taken by surprise when a patient bypassed the privacy office altogether and went straight to the HHS Office for Civil Rights (OCR) with an allegation that the hospital had violated her privacy. The patient alleged that a hospital employee — a relative — had looked up her medical records without permission to gather ammunition in a family squabble. The ensuing OCR investigation of the privacy violation was resolved with the hospital through voluntary compliance — which is OCR's style for willing participants — but it was an eye-opening experience for the hospital, which learned some valuable lessons.

According to the privacy officer, who requested anonymity for herself and her hospital, the incident began when a woman who had been treated at the hospital shared the news of her illness with a family member. Word of the illness then spread through members of her family, one of whom was skeptical and wanted confirmation of the illness. There was apparently a messy divorce under way, so she called another family member who worked at the hospital and asked for information.

For some ill-advised reason, the employee agreed to find out, but she didn't have that kind of access to the hospital's electronic medical records under the hospital's minimum-necessary access scheme. So the employee enlisted the help of a colleague with full access to the medical records, and just as inexplicably, the second employee went along with the plan. Side by side, the two employees disregarded everything they learned in HIPAA training and put their jobs on the line to satisfy someone's curiosity. The co-conspirators read about the patient's illness in her chart, though neither was entitled to do so by virtue of her job duties.

The first time the privacy officer heard about all of this was when a letter arrived from OCR, announcing that the agency was investigating a patient's allegation that her privacy was breached.

OCR asked the hospital whether it had conducted an investigation, and if so, what the results were. OCR also wanted copies of hospital policies and procedures on access to medical records by employees. Because the privacy officer was unaware of the privacy breach until that moment, she had to start the investigation upon receipt of the OCR letter.

Her first step: the indispensable audit trails of electronic medical records (EMRs), which document which employees accessed which EMR, and when. In this case, the privacy complaint already named the offender, because the patient knew it was the relative who worked at the hospital. But the privacy officer wanted the audit trails as concrete proof.

However, "I looked at the audit trails for the person alleged to have looked at the records and found nothing. I realized it was because she went through someone else to get the information," the privacy officer says.

That wasted a week, but meanwhile, the privacy officer gathered all of the policies and procedures requested by OCR.
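The audit-trail lesson above, as an added example that is not part of the original article: a user-keyed search for the employee named in the complaint comes back empty when that employee obtained the information through a colleague, so the review is keyed by the patient's record instead and every accessor is compared against the patient's assigned care team. The log lines, user IDs, patient IDs and care-team list are all constructed for the example.

```python
"""
Patient-centred review of an EMR access audit trail.

Added example, not the article's or any vendor's code. All log lines,
user IDs, patient IDs and the care-team list below are constructed.
"""
from __future__ import annotations

import csv
from dataclasses import dataclass
from datetime import datetime
from io import StringIO

# Constructed sample audit export. Columns: timestamp, user_id, role, patient_id, action.
# "nurse_rel" plays the relative the complaint names; "clerk_full" plays the colleague
# with broad record access who actually opened the chart.
SAMPLE_AUDIT_LOG = """\
timestamp,user_id,role,patient_id,action
2005-06-01T08:05:00,dr_smith,attending,PT-1001,view_chart
2005-06-01T08:30:00,rn_jones,floor_nurse,PT-1001,update_vitals
2005-06-02T13:12:00,clerk_full,him_clerk,PT-1001,view_chart
2005-06-02T13:15:00,clerk_full,him_clerk,PT-1001,view_notes
2005-06-02T14:00:00,nurse_rel,unit_nurse,PT-2002,view_chart
2005-06-03T09:00:00,dr_smith,attending,PT-1001,sign_note
"""


@dataclass(frozen=True)
class AccessEvent:
    timestamp: datetime
    user_id: str
    role: str
    patient_id: str
    action: str


def parse_audit_log(text: str) -> list[AccessEvent]:
    """Parse the CSV audit export into AccessEvent records, oldest first."""
    reader = csv.DictReader(StringIO(text))
    events = [
        AccessEvent(
            datetime.fromisoformat(r["timestamp"]),
            r["user_id"], r["role"], r["patient_id"], r["action"],
        )
        for r in reader
    ]
    return sorted(events, key=lambda e: e.timestamp)


def accesses_by_user(events: list[AccessEvent], user_id: str) -> list[AccessEvent]:
    """User-keyed search: the first thing the privacy officer tried."""
    return [e for e in events if e.user_id == user_id]


def accesses_to_patient(events: list[AccessEvent], patient_id: str) -> list[AccessEvent]:
    """Patient-keyed search: every user who touched this record, whoever asked them to."""
    return [e for e in events if e.patient_id == patient_id]


def flag_unauthorized(events: list[AccessEvent], patient_id: str,
                      care_team: set[str]) -> dict[str, list[AccessEvent]]:
    """Accessors of the patient's record who are not on the assigned care team."""
    flagged: dict[str, list[AccessEvent]] = {}
    for e in accesses_to_patient(events, patient_id):
        if e.user_id not in care_team:
            flagged.setdefault(e.user_id, []).append(e)
    return flagged


def review_complaint(log_text: str, patient_id: str, suspected_user: str,
                     care_team: set[str]) -> dict:
    """Run both searches and summarise what the investigator should follow up on."""
    events = parse_audit_log(log_text)
    direct_hits = [e for e in accesses_by_user(events, suspected_user)
                   if e.patient_id == patient_id]
    flagged = flag_unauthorized(events, patient_id, care_team)
    return {
        "suspect_direct_access": len(direct_hits),      # 0: the named employee never opened the chart
        "unauthorized_accessors": sorted(flagged),      # who did, without a care-team reason
        "events_to_review": sum(len(v) for v in flagged.values()),
    }


if __name__ == "__main__":
    care_team = {"dr_smith", "rn_jones"}  # constructed: clinicians assigned to PT-1001
    print(review_complaint(SAMPLE_AUDIT_LOG, "PT-1001", "nurse_rel", care_team))
```

The point of keying the review by patient rather than by suspect is that it surfaces the colleague's two chart views, which the user-keyed search never touches; the care-team comparison then turns the raw accessor list into the short set of people the privacy officer actually needs to interview.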

The next step: confrontation time. "When I asked the employee whether she [improperly] accessed her relative's medical records, she got that deer-in-the-headlights look and admitted the behavior," the privacy officer says. "Then I said, 'You couldn't have done it by yourself. Who helped you?' She told me, and I went to the other employee." The second person admitted the privacy breach as well. "You have to give people credit for honesty," the privacy officer says.

OCR Provided Complete Picture

But feeling like she didn't have a complete picture of the nature and implications of the privacy breach, the privacy officer called OCR for more details. And that's where the first OCR lesson was learned: Covered entities can have access to every word of a privacy complaint filed against them. "I called OCR [i.e., the district office phone number listed in the letter] and asked for more information about the patient's complaint, and OCR read the patient's entire letter to me," the privacy officer says. "I encourage people to call OCR if you feel you don't have the information you need" to investigate a privacy complaint.

After much consideration, the hospital decided not to fire the two perpetrators, who were instead given written warnings and additional HIPAA training.

Then the privacy officer assembled a package and sent it off to OCR. It contained a letter explaining the results of the investigation and copies of the hospital's privacy policies. The privacy officer explained the corrective action taken to respond to the privacy breach in accordance with hospital policies and to prevent future breaches, and described the disciplinary actions against the offenders.

Which brings us to the second lesson learned: It's important to think carefully about the information submitted to OCR, since it could be obtained through a Freedom of Information Act request (e.g., by patients, competitors, the media, employees), the privacy officer says. While it's essential to turn over all the information needed to achieve the goals of voluntary compliance, there's no need to go on ad nauseam, she says.

"Don't hold back information that OCR needs, but be aware that information may ultimately be available in its entirety to the patient-complainant [or others]," she says. "It leads me to carefully consider what documentation I include. I don't withhold documentation, but I don't go overboard."

In fact, she says, when you write a letter to OCR, it should be composed with two audiences in mind: OCR and anyone who might file a FOIA request.

In the end, OCR was satisfied with the hospital's handling of the privacy violation, and expressed its satisfaction in a letter to both the hospital and the patient. And that was the end of that — except for one more lesson the privacy officer learned.

"OCR is not looking to hang people. I felt they were reasonable in their dealings with us. What I came away with is you never want to fool around with OCR but my impression was the process is not intended to be punitive unless something is clearly wrong in a facility."

Copyright © 2008 by Atlantic Information Services, Inc. All rights reserved.