The No. 1 rule when learning to drive is to watch out for the other driver. No matter how well versed you may be in the rules of the road, you will only be as safe as other drivers allow you to be.
The same principle applies to your HIPAA privacy efforts. Sure, you have done your best to establish safeguards to protect patient health information (PHI). You have set up guidelines to handle medical records, claims submissions and all of the other forms of communication within your control. But have you also taken steps to protect yourself against HIPAA problems caused by your customers?
E-mail communications in particular can create substantial problems for suppliers. Carelessness by your personnel or customers can cause medical records privacy breaches, landing you in hot water with your peers — or the government.
Even the most secure communication system, even the most encrypted network, loses control of medical data any time anyone in your company sends an e-mail message to a customer. There are many ways patients can compromise confidentiality. They may forward the e-mail to others, for example. “But,” you say, “isn't this the patient's own decision? How does this implicate me?”
Well, suppose one of your staffers sent an e-mail to a large number of your customers, alerting them to a follow-up service, maintenance needs, special pricing on supplies or some other “harmless” communication. Suppose one of your customers then wanted to ask you a confidential medical question, perhaps in response to the e-mail. Suppose, in his confusion, the patient hit the “reply all” button on his e-mail. In that event, the patient's confidential communication might well be broadcast to everyone who received the group e-mail.
Still believe this is entirely the patient's fault?
Nor do e-mail problems occur only because of customer actions. Your staff knows not to leave electronic medical records up on the screen where casual passersby can spot the information. But what about customer e-mails? What about the inquiry from Mary Jones asking about a different brand of CPAP masks? Is that information as carefully guarded? Where is the e-mail stored? In a secured or unsecured file? Your records may be secure, but are your communications?
Many blunders are unintentional because people use technology without understanding how it works. A compliance program can avoid this electronic nightmare by requiring your personnel be sensitive to e-mail issues. Switch off the “reply to all” option when you broadcast e-mail messages to customers or their families. Make sure your protocols concerning visibility of computer terminals or distribution of electronic messages deal with all types of communication, not just medical records.
Some experts advise suppliers and patients to sign contracts when they inaugurate electronic correspondence. The idea here is a mutual agreement to be partners in preserving privacy, because e-mail prevents confidentiality from being solely the suppliers' responsibility. Think about this idea; it has some merit.
When you address this danger, also establish whether the customer e-mail is going to a work address or to a residence address. If patients or their family members choose to use their work addresses, make certain they understand their employers can lawfully access their e-mail, even deleted messages. Recapturing deleted e-mail is also a common government technique when investigating suppliers for fraud.
Finally, remember that, despite their ephemeral natures, e-mail messages are permanent medical records. So make certain all e-mail messages list the same basic information that chart entries contain: patients' full names, their identification numbers and the date.
When it comes to integrating an effective e-mail policy into your compliance program, you truly are your brother's keeper. Create policies that protect you, and that protect your customers.
Materials in this article have been prepared by the Health Law Center for general informational purposes only. This information does not constitute legal advice. You should not act, or refrain from acting, based upon any information in this presentation. Neither our presentation of such information nor your receipt of it creates nor will create an attorney-client relationship.
Neil Caesar is president of the Health Law Center (Neil B. Caesar Law Associates, PA), a national health law practice in Greenville, S.C. He also is a principal with Caesar Cohen Ltd., which offers compliance training, outsourcing and consulting and the author of the Home Care Compliance Answer Book. He can be reached by e-mail at ncaesar@healthlawcenter.com or by telephone at 864/676-9075.
