Accessing PHI – Are you really authorized to do so?


Is there an authorized request for disclosure? Did someone call to check on a status? Is a relative concerned about the health of a loved one? Or was there a question about a previously processed request?

These are the questions that start your process, and each of them requires someone within your department to look at a patient’s protected health information. Accessing PHI is a necessity in HIM. But does your staff always have a valid reason to do so?

Nilda Tamburello, RHIA, VP of Disclosure Management

It’s extremely important for every covered entity and business associate to implement policies, plans and procedures ensuring their own staff doesn’t cause a HIPAA breach. There are three common ways that internal staff breach PHI.

  • Curiosity – Celebrity or employee hospitalization…everyone wants to know
  • Innocent – Relative hospitalization or health check…very innocent and we know you mean well
  • Malicious – Ex-girlfriend/boyfriend or former boss hospital stay…need I say more

This interesting case from the National Law Review provides just one example. To protect your patients and your organization, ask yourself these two questions.

  • Are you diligent about your audit trail?
  • Do you have a plan in place to audit your own staff?

Your plan

You must have a solid, structured plan that includes serious consequences for breaches of privacy and security, and it must be strictly followed. At a minimum, the plan should include the following seven steps.

Make sure your employees are trained and educated on the “gotchas” of PHI.

  • Begin each staff member’s initial training with a thorough orientation process.
  • Set permissions in your software so that staff can access only the PHI that pertains to their job responsibilities.
  • Reduce and control access, and make sure your audit history is set up properly in your software system as well.
  • Perform random spot checks on employees.
  • Obtain each employee’s signature acknowledging their PHI training.
  • Establish sanctions for employee-caused breaches and apply them if an incident occurs.
  • Take drastic measures where malicious intent is identified.

It’s not your employee’s fault if they weren’t taught properly. A valid request for PHI is necessary before ever looking into a patient’s file. Every chart. Every patient. Every time.
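As an added example (not code from the original post), the following Python spot-check cross-references a constructed chart-access audit trail against a list of open disclosure requests and flags the patterns described above: chart views with no authorizing request, requests that do not cover the patient opened, a staff member sharing a surname with the patient (the “innocent” relative case), and views of patients flagged as high-profile (the “curiosity” case). All field names and sample values are assumptions.

```python
"""Random spot-check of a PHI access audit trail against disclosure requests.

Added example, not the original post's code. The log format, field names and
sample values are constructed assumptions, not any real HIM system's schema.
"""
import csv
from io import StringIO

# Constructed audit trail: who opened which chart, and under which request id.
ACCESS_LOG = """\
ts,user,user_surname,patient_id,patient_surname,patient_vip,request_id
2023-05-01T09:02,jdoe,Doe,P100,Smith,0,R-501
2023-05-01T09:40,jdoe,Doe,P233,Doe,0,
2023-05-01T10:15,mlee,Lee,P777,Famous,1,
2023-05-01T11:05,mlee,Lee,P100,Smith,0,R-501
2023-05-01T13:30,rkim,Kim,P412,Jones,0,R-999
"""

# Constructed open disclosure requests: request id -> the one patient it covers.
OPEN_REQUESTS = {"R-501": "P100", "R-502": "P233"}


def review_access_log(log_text, open_requests):
    """Return (ts, user, patient_id, reasons) for every access worth a reviewer's look."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        reasons = []
        req = row["request_id"]
        if not req:
            reasons.append("no disclosure request")          # chart opened with no valid request
        elif open_requests.get(req) != row["patient_id"]:
            reasons.append("request does not cover this patient")  # unknown id or wrong patient
        if row["user_surname"].lower() == row["patient_surname"].lower():
            reasons.append("possible relative")               # innocent-but-unauthorized pattern
        if row["patient_vip"] == "1":
            reasons.append("flagged/VIP patient")             # curiosity pattern
        if reasons:
            findings.append((row["ts"], row["user"], row["patient_id"], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, patient, reasons in review_access_log(ACCESS_LOG, OPEN_REQUESTS):
        print(f"{ts} {user} opened {patient}: {', '.join(reasons)}")
```

Accesses with a request id that matches the patient and none of the heuristics are left out of the report, so the output is the short list a spot-check reviewer would actually follow up on.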
