Accessing PHI – Are you really authorized to do so?
Is there an authorized request for disclosure? Did someone call to check on a status? Is a relative concerned about the health of a loved one? Or was there a question about a previously processed request?
These are the questions that start your process. And require someone within your Department to look at a patient’s protected health information. Accessing PHI is a necessity in HIM. But does your staff always have a valid reason to do so?
It’s extremely important for every covered entity and business associate to implement policies, plans and procedures ensuring their own staff doesn’t cause a HIPAA breach. There are three common ways that internal staff breaches PHI.
- Curiosity – Celebrity or employee hospitalization…everyone wants to know
- Innocent – Relative hospitalization or health check…very innocent and we know you mean well
- Malicious – Ex-girlfriend/boyfriend or former boss hospital stay…need I say more
This interesting case from the National Law Review provides just one example.To protect your patients and your organizations, ask yourself these two questions.
- Are you diligent about your audit trail?
- Do you have a plan in place to audit your own staff?
You must have a solid, structured plan that includes serious consequences for breach of privacy and security. It must be strictly followed. At a minimum, the plan should include the following seven steps.
Make sure your employees are trained and educated on the “gotcha’s” of PHI.
- Begin staff’s initially training with a thorough orientation process.
- Set permissions in your software program to access PHI that only pertain to your staff’s job responsibilities.
- Reduce and control access, plus make sure your audit history is set up properly in your software system as well.
- Perform random spot checks on employees.
- Obtain employee signature on PHI training.
- Establish sanctions for employee-caused breaches and apply them if an incident occurs.
- Take drastic measures where malicious intent is identified.
It’s not your employee’s fault if they weren’t taught properly. A valid request for PHI is necessary before ever looking into a patient’s file. Every chart. Every patient. Every time.