Guest Blogger: Attorney Mary Beth Gettins
Hospitals do a good job of educating on HIPAA policies, but there isn’t enough focus on guidelines around HIPAA for nurses. With the focus on privacy and security, we have all heard a lot about security breaches, privacy violations, and what HIPAA requires. But, at the end of the day, how does it affect your job and how you do things? Here are a few dos and don’ts. HIPAA for nurses is an important aspect of nursing education that should not be avoided. Unfortunately, many nurses have committed a HIPAA violation without even realizing it. Let’s examine a few
HIPAA for Nurses – The Basics
Maintaining HIPAA is about protecting the privacy of patients. This means being conscious of how, when, and with whom data is shared. A conscious effort should be made to ensure that health information is shared only on a need-to-know basis. Generally, keeping this in mind will help avoid most errors, but there are a few potential pitfalls, which we’ll describe below. These tips are a good basis for a general guide on HIPAA for nurses, but consult your employer’s policies and guidelines to ensure you’re meeting all rules and standards.
One of the first things people tell us when we begin to talk about HIPAA is that they lock their filing cabinets. Well, you should. Take it a step further. You need to maintain a sterile environment. Look around. The environment should be sterile – free of patient information in plain view. Do an inspection. Ask yourself:
- Are computer screens or monitors visible to patients or visitors?
- Do you have paper inboxes with patient information visible to the public?
- Do you have appointment calendars or room assignments openly displayed in patient areas?
The public is watching and they are complaining. A Behind the Desk report, published by a union advocacy group, Change to Win, was crafted after undercover advocates visited Walgreens stores throughout the country looking for privacy violations. The Behind the Desk report was published on the internet and complaints were filed with numerous state governments.
We all know that paper files need to be shredded. You don’t just throw paper files in the waste basket. What about all the other stuff that has patient information on it? Yes, that too needs to be properly wiped or disposed of under the HIPAA Rule. That includes everything from prescription bottles, patient out-check sheets, CD-ROMs, thumb drives, old computers, phones, copiers, fax machines, and just about everything.
There have been numerous cases of improper disposal of items containing patient information. First, the debacle involving CVS, Rite Aid, and Walgreens with pill bottles found in a public dumpster. Then there came the CBS Evening News purchase of Affinity Health Plan’s leased photocopier, which contained PHI. Recently, Midwest Women’s Healthcare Specialists at Research Medical Center in Kansas found itself in the spotlight after paper documents containing patient information were found in the public dumpster beyond their office building. Be careful what you toss in the garbage can.
Do avoid filing errors
Remember the feared traditional misfiling errors? “I cannot find Karen Smith’s file. Has anyone seen it?” It must have been misfiled. The same thing happens in the electronic world. The consequences, however, can be much more disastrous. There have been numerous cases where health care staff have filed patient information in the wrong folder or drive. Call it fat finger, or whatever. Case in point is Skagit County Health Department, where patient files were discovered on the public network drive. Be careful where you save things!
Firewalls, encryption, automatic updates, scans, automatic log-off, screen locks, pop-up blockers: there are many security safeguards and configuration settings on computers, networks, servers, software, and devices. These technologies may seem like a menace in your everyday life. They can prevent you from going to websites and cause you to log in to your computer repeatedly. They may slow your productivity down and annoy you. However, without them, bad things can happen.
Case in point: Columbia University physicians served as attending physicians for New York Presbyterian Hospital. They inadvertently deactivated the hospital’s firewall when trying to make configuration changes. The firewall deactivation was discovered when a former patient’s partner reported that her now-deceased partner’s treatment information was available via an internet search.
Firewalls, encryption, automatic updates, scans, automatic log-off, screen locks, and pop-up blockers are just some of the security specifications that are required or recommended as part of HIPAA Standards. However, there is flexibility. For example, if there is a website that you need to do your job but it is blocked, exceptions can be made to the firewall. Software updates are essential to prevent viruses, but the updates can be scheduled during work downtimes. Check with your Security Officer about conflicts or issues.