Though most chiropractic offices will never provide treatment to a movie star or have the media hounding their staff for details of a patient's care, every office should be concerned about breaching patient confidentiality and violating the HIPAA Privacy Rule.
by Lori Holt in Operational & Staff Risks on Monday, August 7, 2017
Keep in mind, each community has its own “celebrities”—people whose health information might be considered “news.” Consider the following scenario:
“Jane Jones,” who was quite wealthy, well-known and active in her community, had undergone breast augmentation surgery with a plastic surgeon. She revealed this information to her Doctor of Chiropractic before receiving care, and asked the D.C. to keep it confidential. The D.C. noted this information in the charts.
Several months later, another woman considering the same surgery was confiding in a CA at that chiropractic practice. The CA unthinkingly told the woman: “You know Jane Jones, don’t you? Why don’t you give her a call? She had the same surgery last year.”
The Duty of Confidentiality
Clearly, doctor/patient confidentiality is essential as it enables patients to freely share needed information with the doctor.
Doctors—and the people they employ—are expected to protect this confidential patient information and only use it on behalf of the patient. This expectation of confidentiality starts when the doctor/patient relationship begins. When this confidentiality is violated, patients may sue.
Consider what could happen in a scenario like the one described earlier. It is very possible Ms. Jones would retain an attorney and possibly file a lawsuit for alleged breach of confidentiality for the actions of the CA. As the employer, the doctor and/or the practice could be held vicariously liable for the unauthorized disclosure of patient information by one of its employees.
Breaches in patient confidentiality can have long-term adverse effects, even when no lawsuit is filed. First and foremost, patients lose trust over having the private information they shared becoming public knowledge. The practice’s reputation can be permanently damaged by any negative publicity about the breach, resulting in lost patients and revenue.
The HIPAA Privacy Rule
The HIPAA Privacy Rule can also come into play. To ensure personal health information is protected, the rule requires providers to:
- Train employees to ensure their understanding of and compliance with the privacy policies and procedures
- Designate a person (i.e., a privacy officer) to see that the practice’s privacy policies are in place and followed
- Ensure that patient records are secure and accessible only to those who need them
A violation of the HIPAA regulations can result in both civil and criminal penalties. Monetary civil penalties of $100 per violation can be incurred up to $25,000/person/year.
In addition, anyone who knowingly obtains or discloses PHI in violation of HIPAA can be fined up to $50,000 and be imprisoned up to one year. If the offense is committed with intent to sell or otherwise use PHI for personal gain or malicious harm, fines can be as high as $250,000 with imprisonment for up to 10 years.
What Can a Practice Do?
A chiropractic practice cannot afford to give patient confidentiality the short shrift. At minimum, a practice’s efforts should include:
- Defined policies and procedures, which require employees at all levels to protect personal health information from unauthorized or unnecessary disclosure. These should include defined disciplinary actions for employee non-compliance with these policies. Many practices have implemented “zero-tolerance” policies for breaches in patient confidentiality, with violations resulting in immediate suspension or even termination of employment.
- A confidentiality agreement signed by all practice employees (including temps) upon hiring. Employees must agree to abide by these policies and procedures.
- New-employee orientation and training sessions addressing patient confidentiality and the practice’s commitment to protecting patients’ healthcare information.
- Recurring staff in-service programs on patient confidentiality. These should teach, through case scenarios and role playing, the importance of:
- Confining discussions to patient care areas
- Intolerance of staff gossip and inappropriate disclosure of personal health information
- Being sensitive about who can overhear or view: discussions, phone conversations, computer screens, unfiled clinical charts, patient records received via fax, etc.
- Adhering to the practice’s policies and procedures
- Consistent and prompt response to noncompliance, regardless of the employee’s position.
- A “nonretaliatory” process so employees will be encouraged to identify and report activities that might put patient confidentiality in jeopardy.
- Consulting with legal counsel to ensure compliance with the requirements. Some states may have more stringent personal health information requirements, which would then prevail.
Planning Ahead Is Your Best Protection
Even with the best policies and procedures in place, breaches in patient confidentiality can happen. Even so, the best thing a practice can do is have these in place and spell out the consequences of employee non-compliance