The book you started but never finished, the closet that’s in desperate need of some reorganization, and that dreaded check engine light in your car – there are plenty of tasks that we need to do but can’t seem to actually find the time for. Unfortunately without another set of hands and 10 extra hours in the day, it’s easy to avoid dealing with the items that aren’t at the top of our priority list and focus on the ones that are. And while there’s nothing wrong with setting some things aside for later, too often medical practices treat HIPAA compliance programs like homeowners treat cleaning out the gutters – a nuisance task that ‘I’ll get to later’. But given how important the law is to ensuring protected health information (PHI) is kept safe and secure, and how costly it can be for your organization if it’s not – HIPAA deserves a bit more precedence than it’s given.
While it’s probably not always front and center and top of mind, HIPAA law plays a supporting role in your everyday work-life more than you might even realize. And with the common misconceptions around what the law actually is and what being fully compliant entails, it’s hard to give credit where credit is due. So to give HIPAA the much-deserved spotlight and prove how significant the law is to your daily operations, let’s take you through a day in the life of Sally Sue the Office Manager.
Today’s just like any other day at the practice starting with Sally settling into her desk, logging into the practice’s EHR system, and listening to any voicemails missed from the night before. One patient called to request that her son’s medical records be sent to another provider and Sally (large coffee in hand, extra ready to tackle the day) returns her call right away to see whether she would like to have the records sent electronically or in a paper copy via mail. After the patient record request has been handled, Sally checks the appointment log and notices that one of the first appointments is with a new patient. So, as per the practice’s proper procedures for onboarding patients, Sally gets the Notice of Privacy Practices (NPP) and patient consent form all ready to be signed by the patient as soon as they check-in.
After a busy morning of phone calls and appointments, Sally takes her lunch break and decides to sift through some of the practice’s unread emails. She notices an email that looks like it’s from a credit card company saying that there’s an overdue balance along with a link to make a payment. Since Sally’s always reading up on the latest news, she knows that phishing schemes are common especially in healthcare, and decides to call the credit card company to see if the email was legitimate. After receiving confirmation that it was in fact a scam, she immediately deletes the email and lets the HIPAA Compliance Officer know about the avoided issue and red flags to be on the lookout for. Luckily the rest of the day is crisis-free and Sally has some downtime to review the practice’s handbook and manual as she is working on transitioning over to managing everything electronically.
In what seemed to have flown by, it’s just about 5:00 and the practice is getting ready to close. Unfortunately, today is one of Sally’s favorite colleagues last day before she moves out of state, and after enjoying some going-away cake and thanking her for all that she’s done – Sally collects her keycard, removes her from all user accounts, and changes access codes and passwords before logging out of her computer and heading home for the night.
As you can see, and can probably relate, Sally had quite the busy day that definitely warrants a free pass from any spring cleaning and car maintenance that is still sitting on her “when I can get around to it” to-do list. BUT as you can also see, whether it’s responding to patient record requests, getting the necessary patient authorization forms signed, offboarding employees, or even just logging into the practice computer with a secure password – the requirements and safeguards outlined within the HIPAA Privacy and Security Rule weave themselves in and out of the majority of a practices daily operations.
So if your practice handles HIPAA with as much of a keen eye as Sally does, you probably don’t have too much to worry about. But imagine if she hadn’t responded to that patient’s record request right away and they filed a complaint with the Office for Civil Rights (OCR). Or if she let the potential phishing email go unnoticed and hackers gained access to their sensitive data. Or if she had just forgotten to log out of the computer at the end of the day and there was a break-in overnight. Any one of these worst-case scenarios could’ve followed suit and ultimately resulted in a violation and hefty fine for the practice if HIPAA precautions weren’t kept top of mind throughout the day.
Thanks to HIPAA, there are safeguards established to help prevent things like data breaches and patient complaints from happening and laws in place to actually mandate that healthcare organizations uphold the standard. So no matter how busy life gets, protecting patients’ sensitive information is not something that you can just save for a rainy day – and ensuring that you have a complete HIPAA program in place that meets all government requirements should always be a priority.