Privacy, please!

Aug. 29, 2017
Janette Wider,
Editor

Recently, I had eye surgery. As I was checking in at the surgery center, I noticed a sign that read, “If you need more privacy, let us know.” That was the first time I’d seen a sign in any sort of medical facility stating something about privacy. It’s more common that, as I’m waiting to check in or to pay, I overhear some seriously personal information (be it medically sensitive information, social security numbers, or payment information/problems) … which brought me some comfort until a few moments later.

A doctor practically broke down the door to the waiting room and blurted out specific and graphic details of another patient’s surgery to what I can only assume was her spouse. Things did not go well for her in the surgery and the entire waiting room got to hear about it whether they wanted to or not. So much for that sign I saw when I was checking in. This was a clear violation of the patient’s HIPAA rights.

Now, I know this isn’t usually what we talk about in the HIT space when privacy comes up—we’re usually focused on patients’ PHI, payment information, and other sensitive information that various staff members in organizations all have access to. Tim Burris, Product Manager for Privacy Solutions, Iatric Systems, touched on these topics and said, “Even though HIPAA and the other rules governing sensitive information have been out for years, hospitals are still plagued by inappropriate activity among staff. Inappropriate activities range from someone looking at their spouse’s lab results in the hospital EMR system to massive information harvesting schemes by criminal rings. But, with thousands of accesses daily, it’s impossible to check them all without hiring an army of staff.”

Any staff member at a hospital could look up my records (when I’m not there). What if someone I went to high school with saw me come in and then was curious? What if someone was in the business of stealing identities? Burris touches on the technology available to help organizations keep this in check, citing automated auditing systems. He said, “A valuable side effect of this automated auditing is the impact on the culture of the organization. Some people are inherently nosey; a few may have darker motives for snooping. But with an effective auditing program, they know they are being monitored, and any inappropriate access will be flagged immediately. As people are caught and disciplined, word gets around. Time and again, we’ve seen the results: inappropriate accesses plunge—usually down to zero.” It’s good to know that organizations are taking privacy concerns seriously and implementing advanced technologies to help.

And yet another facet of patient privacy is the right to obtain one’s own medical records and the length of time the facility has in which to produce them. Sue Bowman, MJ, RHIA, CCS, FAHIMA, Senior Director, Coding Policy and Compliance, HIM Practice Excellence, explained, “Access to the requested health information must be provided no later than 30 calendar days after receiving the individual’s or personal representative’s request. If the covered entity is unable to provide access within this time frame, the covered entity may extend the deadline for up to 30 days.” So, I see good and bad to this rule. It’s good that there’s an allotted amount of time that is allowed … but that extension? Thirty days is long enough. I understand organizations get tons of requests, but sometimes things are time sensitive.

It’s obvious that the education on patient privacy still has quite a way to go. There are still holes in the system that need to be plugged. Perhaps as technologies continue to advance they will close up these holes and one day no one will have their records stolen or their privacy violated.

As always, thanks for reading. I welcome your feedback at [email protected].
