The Development of a Resident Privacy Policy

An HIV-positive patient asked an office manager to fax his medical records to his new urologist. Instead, the office manager accidentally faxed them to his new employer. Even though the manager and urologist apologized to the patient, it still resulted in a Health Insurance Portability and Accountability Act of 1996 (HIPAA) violation and a mandate for regular training for all the employees.

A cardiology group of five physicians paid a $100,000 HIPAA settlement because they posted surgical and clinical appointments on a public, internet-accessed calendar.

A CNA had criminal charges filed against her after she viewed resident records that she was unauthorized to view.

The requirement for a resident privacy policy, as set out in the Privacy and Security Rules that resulted from HIPAA, obliges every skilled nursing facility to have a formally developed policy in place in order to be fully legally compliant. This means that every facility must have a written policy to which all staff adhere, and a process through which adherence is enforced. Enforcement oversight is the duty of the privacy officer and the privacy committee, two internal structures which should be in place before the resident privacy policy is implemented.

A resident privacy policy should ideally contain most, if not all, of the following elements:

– A definition of what records are covered under the protection of the law.

– An exact list of personnel who would, under normal execution of their duties, have access to the records as defined above.

– Designation of appropriate safeguards such as authorization by the resident or his/her responsible party before disclosing Protected Health Information (PHI), except when used for treatment, payment (billing/reimbursement), or healthcare operations.

– A defined list of exceptional circumstances under which patient records may be released—the so-called “exceptions” rule.

– A pro-forma “Notice of Privacy Practices” which should ideally be signed by each resident upon admission. This notice must inform residents of how and where their data will be used, what their rights are, and what the facility’s legal duties are.

– A policy statement whereby all staff are made aware that any and all unauthorized disclosures of PHI are a violation of the HIPAA Privacy Rule, while simultaneously ensuring that such PHI remains easily accessible to those involved in the treatment of the resident.

– A statement which describes the permitted uses and disclosures of PHI to maintain a directory of residents in the facility. The directory may contain information such as the patient’s name; their location within the facility; their general condition; and their religious affiliation.

– A statement which provides guidance on the use and/or disclosure of PHI for research purposes, with the stipulation that the facility must obtain a resident’s authorization before releasing any PHI for this purpose.

– A policy which details the use of any e-mail systems when PHI is transmitted, with the understanding that highly sensitive information (such as AIDS/HIV status, information on drug or alcohol abuse, and psychotherapy notes) must not be sent via e-mail.

– A policy which ensures that PHI is safeguarded when it is sent or received via fax: in particular, where the machine is located, measures to ensure that a fax is sent to the correct destination, and so on.

– For IT systems there must be an “Acceptable Use” policy. This must strictly define what can and cannot be done with computer equipment onsite to protect against any compromise which may lead to data breaches.

– The policy must provide full guidance to all staff members, consultants, contractors, and vendors, on how to be compliant with all privacy standards outlined by state and federal regulations—in other words, a training program for all levels of the organization.

Next: Procedures in the event of a data breach.