256px-Frankenstein's_monster_(Boris_Karloff)Just after the first of the year, I had surgery on my right hand. I have spent the weeks since then adapting to not having full use of that hand for several months as it heals. That is definitely a challenge for someone who is fiercely right-handed.

Most of my friends saw the incision that runs from palm to wrist and yelled, “Frankenhand!”.  While the geek/nerd in me was thrilled to learn about the science behind rebuilding nerves using cadaver tissue (yes, another Frankenhand reference), the compliance professional was also fascinated with my adventure in healthcare as a patient.  If you work in healthcare, when you’re in the role of the patient do you ever feel like a secret shopper?

First, let me say that throughout the entire process, so far, I have not seen a hint of serious HIPAA issues with any encounter throughout the offices, labs, surgery, etc.  In fact, some of the different solutions to patient privacy in complex settings were interesting to watch in action.

As compliance professionals we often focus on all the requirements that people should follow to protect our privacy.  It is a harsh reminder (and very refreshing) to be immersed in the clinical and business side of all those privacy and security policies and procedures as a patient.  I do admit that I was most concerned with all the clinical procedures when they are talking about cutting open my hand and removing nerves to make new ones, not so much my privacy.  However, the last thing I remember as the drugs were taking effect in pre-op….  I recall being impressed with how the surgery center’s process had kept all the patients well divided and private.  Yes, that was the last thought I recall before going under.  I guess that shows the trust I had in my surgeon, huh!  Wait, or does it show I need a vacation?

For the most part all the HIPAA policies around me seem to be working.  But, there were still areas that had little gaps.  More importantly, though, I am acutely aware that the privacy of patients is most often breached after the treatment has occurred.  Once the information is in the systems (and there are many) you are the most vulnerable.  Those processes I haven’t witnessed.  Those are the ones patients rarely see.  Patients leave treatment, just like I did, feeling very good about the way my privacy was being protected.  Unfortunately, this secret shopper knew there was more to it.  The breaches announced just since my surgery (yep, Anthem) make that more than obvious.

And now we wait for months to see if it worked.
Frankenhand is healing nicely.

Frankenhand and I just taught the first few training classes of the year.  The focus in each of them has been on remembering compliance is about people.  People are the hackers, people steal identities, people get complacent, and people make mistakes but people are also vigilant, concerned for their patients, and trying to do what is right more often than not.  Compliance is about more than writing the policies and procedures that so many people worry about getting done.  Successful compliance is primarily about making sure that the people involved actually think about those policies and procedures and apply them to their jobs every single day.

The goal of your training and security awareness programs should be to remind your staff regularly what their responsibility is when caring for your patients in all aspects of the process of Treatment, Payment, and Healthcare Operations.  I believe it is unrealistic to do a video training class for one hour just one day each year and expect any level of vigilance or even broad awareness of privacy and security protections and safeguards in the organization.  It is unfortunate that many CEs and an even larger number of BAs believe that one hour done once a year really is enough to get the job done.

Take some time to evaluate what is happening in your offices from the viewpoint of a secret shopper.  Are the policies and procedures you have in place happening?  Maybe you need some updates, training or maybe nothing.  You may be pleasantly surprised, who knows!

Filed under: HIPAA Tagged: Business Associates, HIPAA, information hipaa, Privacy Rule, private patient, Small Provider