Accessing PHI – Are you really authorized to do so?

Charlie Disclosure Management

Is there an authorized request for disclosure? Did someone call to check on a status? Is a relative concerned about the health of a loved one? Or was there a question about a previously processed request?

These are the questions that start your process and require someone within your department to look at a patient’s protected health information (PHI). Accessing PHI is a necessity in HIM. But does your staff always have a valid reason to do so?

It’s extremely important for every covered entity and business associate to implement policies, plans and procedures ensuring their own staff doesn’t cause a HIPAA breach. There are three common ways that internal staff breach PHI.

  • Curiosity – Celebrity or employee hospitalization…everyone wants to know
  • Innocent – Relative hospitalization or health check…very innocent and we know you mean well
  • Malicious – Ex-girlfriend/boyfriend or former boss hospital stay…need I say more

This interesting case from the National Law Review provides just one example. To protect your patients and your organizations, ask yourself these two questions.

  • Are you diligent about your audit trail?
  • Do you have a plan in place to audit your own staff?

Your plan

You must have a solid, structured plan that includes serious consequences for breach of privacy and security. It must be strictly followed. At a minimum, the plan should include the following seven steps.

Make sure your employees are trained and educated on the “gotchas” of PHI.

  • Begin staff’s initial training with a thorough orientation process.
  • Set permissions in your software program so that staff can access only the PHI that pertains to their job responsibilities.
  • Reduce and control access, plus make sure your audit history is set up properly in your software system as well.
  • Perform random spot checks on employees.
  • Obtain employee signature on PHI training.
  • Establish sanctions for employee-caused breaches and apply them if an incident occurs.
  • Take drastic measures where malicious intent is identified.

It’s not your employees’ fault if they weren’t taught properly. A valid request for PHI is necessary before ever looking into a patient’s file. Every chart. Every patient. Every time.
