Privacy Officer's Roundtable

Good morning everyone -
Could you lend me your  assistance and expertise in communicating the importance of HIPAA Standards to the Medical Staff at large and individual practitioners in general.  We use diplomacy, acquiescence, humor, and, yes, a certain level of corrective action, but there are still those that don't seem to connect HIPAA to their sphere of patient care.  In their defense, for the most part, I think it's because they can't fathom purposefully doing anything to jeopardize their patient(s).  My gut tells me this attitude may always be present in some practitioners, but I'd appreciate your feedback (and support).  Any outstanding articles or presentations out there? 
Thanks,
Leslie 

-------------------------------------------
Leslie Soltau, CHPC
Privacy Compliance Manager
Samaritan Health Services
Corvallis OR
-------------------------------------------

First of all, I would argue that the vast majority of breaches are not purposeful or intentional - they occur because a provider or health care worker left patient records on a subway by mistake or left an unencrypted laptop in a car where it was subsequently stolen.  Patient care certainly includes medical care, but providers should also be good data stewards of their patients' confidential information.

Though lengthy, this often humorous blog post by the President and CEO of Massachusetts eHealth Collaborative about a security incident that his company caused is a real learning opportunity for any of us who deal with PHI.

I don't think any practitioner wants to have to notify his or her patients that their personal health care information was stolen out of the back of the physician's car.
-------------------------------------------
Shauna Van Dongen
Associate Privacy Officer
Providence Health & Services
Renton WA
-------------------------------------------






Show Original Message -------------------------------------------
Original Message:
Sent: 02-08-2012 11:54 AM
From: Leslie Soltau
Subject: "HIPAA is a joke" combating/reasoning with practitioners

Good morning everyone -
Could you lend me your  assistance and expertise in communicating the importance of HIPAA Standards to the Medical Staff at large and individual practitioners in general.  We use diplomacy, acquiescence, humor, and, yes, a certain level of corrective action, but there are still those that don't seem to connect HIPAA to their sphere of patient care.  In their defense, for the most part, I think it's because they can't fathom purposefully doing anything to jeopardize their patient(s).  My gut tells me this attitude may always be present in some practitioners, but I'd appreciate your feedback (and support).  Any outstanding articles or presentations out there? 
Thanks,
Leslie 

-------------------------------------------
Leslie Soltau, CHPC
Privacy Compliance Manager
Samaritan Health Services
Corvallis OR
-------------------------------------------

A very nice message or comment that he shares in a podcast of an interview is his reference to how a matter of convenience can often lead folks to develop workarounds or a basis for folks not to follow policy.

I must agree that on some level, convenience, time savings, less effort, etc are often themes that come up when looking into why processes broke down due to variances or workarounds.

Nice to hear some level of validation of what is probably already well known.

-------------------------------------------
FrankRuelas
Principal
HIPAA College
Casa GrandeAZ
-------------------------------------------






Show Original Message -------------------------------------------
Original Message:
Sent: 02-08-2012 01:35 PM
From: Shauna Van Dongen
Subject: "HIPAA is a joke" combating/reasoning with practitioners

First of all, I would argue that the vast majority of breaches are not purposeful or intentional - they occur because a provider or health care worker left patient records on a subway by mistake or left an unencrypted laptop in a car where it was subsequently stolen.  Patient care certainly includes medical care, but providers should also be good data stewards of their patients' confidential information.

Though lengthy, this often humorous blog post by the President and CEO of Massachusetts eHealth Collaborative about a security incident that his company caused is a real learning opportunity for any of us who deal with PHI.

I don't think any practitioner wants to have to notify his or her patients that their personal health care information was stolen out of the back of the physician's car.
-------------------------------------------
Shauna Van Dongen
Associate Privacy Officer
Providence Health & Services
Renton WA
-------------------------------------------





-------------------------------------------
Original Message:
Sent: 02-08-2012 11:54 AM
From: Leslie Soltau
Subject: "HIPAA is a joke" combating/reasoning with practitioners

Good morning everyone -
Could you lend me your  assistance and expertise in communicating the importance of HIPAA Standards to the Medical Staff at large and individual practitioners in general.  We use diplomacy, acquiescence, humor, and, yes, a certain level of corrective action, but there are still those that don't seem to connect HIPAA to their sphere of patient care.  In their defense, for the most part, I think it's because they can't fathom purposefully doing anything to jeopardize their patient(s).  My gut tells me this attitude may always be present in some practitioners, but I'd appreciate your feedback (and support).  Any outstanding articles or presentations out there? 
Thanks,
Leslie 

-------------------------------------------
Leslie Soltau, CHPC
Privacy Compliance Manager
Samaritan Health Services
Corvallis OR
-------------------------------------------

Why don't you create a fictious discharge summary for a patient with a lot of information about his or her medical history including...

The patient is a 50 y/o practicing primary care provider who suffers a multiple medical concerns relating to his  lifestyle which result in significant comorbidities associated with his medication condition.  The patient shares that he finds himself very frustrated with his career.  He finds the constant battle with new regulations, billing codes, policies, procedures, mandatory education to be extremely frustrating, particularly what he believes the over emphasis on patient privacy which he perceives as unnecessary and a barrier to patient care.

In addition, the patient verbalizes frustrations with his relationship with his wife related to........ and his son related to.......

The patient is diagnosed with:
Hypertension
Borderline DM
Obesity
Depression and Anxiety


Then ask?  If this were your discharge summary, how would you feel about it being:
1.  Mailed to the wrong patient.
2.  Posted on the Internet.
3.  Left on a bus or subway.
4.  Disclosed to his wife, mother, son.
5.  Available on an electronic file maintained on a unencrypted laptop that was stolen.
6.  Hacked by an identity thief
7.  Used to deny a life insurance policy or workers comp claim?

Maybe putting them in the place of the patient woudl be helpful?

NancyDavisMS, RHIA
Director of Privacy/Security Officer
Ministry Health Care
Sturgeon BayWI
-------------------------------------------






Show Original Message -------------------------------------------
Original Message:
Sent: 02-08-2012 01:35 PM
From: Shauna Van Dongen
Subject: "HIPAA is a joke" combating/reasoning with practitioners

First of all, I would argue that the vast majority of breaches are not purposeful or intentional - they occur because a provider or health care worker left patient records on a subway by mistake or left an unencrypted laptop in a car where it was subsequently stolen.  Patient care certainly includes medical care, but providers should also be good data stewards of their patients' confidential information.

Though lengthy, this often humorous blog post by the President and CEO of Massachusetts eHealth Collaborative about a security incident that his company caused is a real learning opportunity for any of us who deal with PHI.

I don't think any practitioner wants to have to notify his or her patients that their personal health care information was stolen out of the back of the physician's car.
-------------------------------------------
Shauna Van Dongen
Associate Privacy Officer
Providence Health & Services
Renton WA
-------------------------------------------





-------------------------------------------
Original Message:
Sent: 02-08-2012 11:54 AM
From: Leslie Soltau
Subject: "HIPAA is a joke" combating/reasoning with practitioners

Good morning everyone -
Could you lend me your  assistance and expertise in communicating the importance of HIPAA Standards to the Medical Staff at large and individual practitioners in general.  We use diplomacy, acquiescence, humor, and, yes, a certain level of corrective action, but there are still those that don't seem to connect HIPAA to their sphere of patient care.  In their defense, for the most part, I think it's because they can't fathom purposefully doing anything to jeopardize their patient(s).  My gut tells me this attitude may always be present in some practitioners, but I'd appreciate your feedback (and support).  Any outstanding articles or presentations out there? 
Thanks,
Leslie 

-------------------------------------------
Leslie Soltau, CHPC
Privacy Compliance Manager
Samaritan Health Services
Corvallis OR
-------------------------------------------

My thoughts exactly.  How do physicians react when someone unintentionally accesses their records by mistake?  Not very forgiving, from what I've heard....

-------------------------------------------
SharonHockett JD
Auditor
Agate Healthcare
EugeneOR
-------------------------------------------






Show Original Message -------------------------------------------
Original Message:
Sent: 02-09-2012 12:17 PM
From: Nancy Davis
Subject: "HIPAA is a joke" combating/reasoning with practitioners

Why don't you create a fictious discharge summary for a patient with a lot of information about his or her medical history including...

The patient is a 50 y/o practicing primary care provider who suffers a multiple medical concerns relating to his  lifestyle which result in significant comorbidities associated with his medication condition.  The patient shares that he finds himself very frustrated with his career.  He finds the constant battle with new regulations, billing codes, policies, procedures, mandatory education to be extremely frustrating, particularly what he believes the over emphasis on patient privacy which he perceives as unnecessary and a barrier to patient care.

In addition, the patient verbalizes frustrations with his relationship with his wife related to........ and his son related to.......

The patient is diagnosed with:
Hypertension
Borderline DM
Obesity
Depression and Anxiety


Then ask?  If this were your discharge summary, how would you feel about it being:
1.  Mailed to the wrong patient.
2.  Posted on the Internet.
3.  Left on a bus or subway.
4.  Disclosed to his wife, mother, son.
5.  Available on an electronic file maintained on a unencrypted laptop that was stolen.
6.  Hacked by an identity thief
7.  Used to deny a life insurance policy or workers comp claim?

Maybe putting them in the place of the patient woudl be helpful?

NancyDavisMS, RHIA
Director of Privacy/Security Officer
Ministry Health Care
Sturgeon BayWI
-------------------------------------------





-------------------------------------------
Original Message:
Sent: 02-08-2012 01:35 PM
From: Shauna Van Dongen
Subject: "HIPAA is a joke" combating/reasoning with practitioners

First of all, I would argue that the vast majority of breaches are not purposeful or intentional - they occur because a provider or health care worker left patient records on a subway by mistake or left an unencrypted laptop in a car where it was subsequently stolen.  Patient care certainly includes medical care, but providers should also be good data stewards of their patients' confidential information.

Though lengthy, this often humorous blog post by the President and CEO of Massachusetts eHealth Collaborative about a security incident that his company caused is a real learning opportunity for any of us who deal with PHI.

I don't think any practitioner wants to have to notify his or her patients that their personal health care information was stolen out of the back of the physician's car.
-------------------------------------------
Shauna Van Dongen
Associate Privacy Officer
Providence Health & Services
Renton WA
-------------------------------------------





-------------------------------------------
Original Message:
Sent: 02-08-2012 11:54 AM
From: Leslie Soltau
Subject: "HIPAA is a joke" combating/reasoning with practitioners

Good morning everyone -
Could you lend me your  assistance and expertise in communicating the importance of HIPAA Standards to the Medical Staff at large and individual practitioners in general.  We use diplomacy, acquiescence, humor, and, yes, a certain level of corrective action, but there are still those that don't seem to connect HIPAA to their sphere of patient care.  In their defense, for the most part, I think it's because they can't fathom purposefully doing anything to jeopardize their patient(s).  My gut tells me this attitude may always be present in some practitioners, but I'd appreciate your feedback (and support).  Any outstanding articles or presentations out there? 
Thanks,
Leslie 

-------------------------------------------
Leslie Soltau, CHPC
Privacy Compliance Manager
Samaritan Health Services
Corvallis OR
-------------------------------------------

LOL - I used to do tongue-in-cheek physician training in E/M documentation based on a case history of "Compliancitis", including HPI: Worsening headaches, tremor x 6 months, confusion, insomnia, etc. For Exam, it affected every organ system (carpal tunnel from writing, indigestion, male pattern baldness from pulling his hair out, strabismus, etc).
The Chief of Surgery was a great guy who let me take photos of him miming all these symptoms for the PowerPoint. The Assessment was "Compliancitis", the Plan was to "take two documentation templates and re-audit in 6 months". At least it didn't put them all to sleep... :)

-------------------------------------------
J. Eric Sandhusen CPC, CHC MPH
VP for Compliance & Audit / Privacy Officer
Bayonne Medical Center
Bayonne NJ
-------------------------------------------






Show Original Message -------------------------------------------
Original Message:
Sent: 02-09-2012 12:17 PM
From: Nancy Davis
Subject: "HIPAA is a joke" combating/reasoning with practitioners

Why don't you create a fictious discharge summary for a patient with a lot of information about his or her medical history including...

The patient is a 50 y/o practicing primary care provider who suffers a multiple medical concerns relating to his  lifestyle which result in significant comorbidities associated with his medication condition.  The patient shares that he finds himself very frustrated with his career.  He finds the constant battle with new regulations, billing codes, policies, procedures, mandatory education to be extremely frustrating, particularly what he believes the over emphasis on patient privacy which he perceives as unnecessary and a barrier to patient care.

In addition, the patient verbalizes frustrations with his relationship with his wife related to........ and his son related to.......

The patient is diagnosed with:
Hypertension
Borderline DM
Obesity
Depression and Anxiety


Then ask?  If this were your discharge summary, how would you feel about it being:
1.  Mailed to the wrong patient.
2.  Posted on the Internet.
3.  Left on a bus or subway.
4.  Disclosed to his wife, mother, son.
5.  Available on an electronic file maintained on a unencrypted laptop that was stolen.
6.  Hacked by an identity thief
7.  Used to deny a life insurance policy or workers comp claim?

Maybe putting them in the place of the patient woudl be helpful?

NancyDavisMS, RHIA
Director of Privacy/Security Officer
Ministry Health Care
Sturgeon BayWI
-------------------------------------------





-------------------------------------------
Original Message:
Sent: 02-08-2012 01:35 PM
From: Shauna Van Dongen
Subject: "HIPAA is a joke" combating/reasoning with practitioners

First of all, I would argue that the vast majority of breaches are not purposeful or intentional - they occur because a provider or health care worker left patient records on a subway by mistake or left an unencrypted laptop in a car where it was subsequently stolen.  Patient care certainly includes medical care, but providers should also be good data stewards of their patients' confidential information.

Though lengthy, this often humorous blog post by the President and CEO of Massachusetts eHealth Collaborative about a security incident that his company caused is a real learning opportunity for any of us who deal with PHI.

I don't think any practitioner wants to have to notify his or her patients that their personal health care information was stolen out of the back of the physician's car.
-------------------------------------------
Shauna Van Dongen
Associate Privacy Officer
Providence Health & Services
Renton WA
-------------------------------------------





-------------------------------------------
Original Message:
Sent: 02-08-2012 11:54 AM
From: Leslie Soltau
Subject: "HIPAA is a joke" combating/reasoning with practitioners

Good morning everyone -
Could you lend me your  assistance and expertise in communicating the importance of HIPAA Standards to the Medical Staff at large and individual practitioners in general.  We use diplomacy, acquiescence, humor, and, yes, a certain level of corrective action, but there are still those that don't seem to connect HIPAA to their sphere of patient care.  In their defense, for the most part, I think it's because they can't fathom purposefully doing anything to jeopardize their patient(s).  My gut tells me this attitude may always be present in some practitioners, but I'd appreciate your feedback (and support).  Any outstanding articles or presentations out there? 
Thanks,
Leslie 

-------------------------------------------
Leslie Soltau, CHPC
Privacy Compliance Manager
Samaritan Health Services
Corvallis OR
-------------------------------------------

The majority of physician and medical staff HIPAA resistance that I see is due to inefficient training and communication organization wide.  The general HIPAA training that is developed internally or purchased from a vendor is heavy on law specific requirements and not situation based.  I would agree with Nancy in that creating a scenario based situation that could very well happen is the best way to get their attention. 

Working with Baptist Health, we created their mandatory HIPAA training based on common scenarios that happen every day in hospitals.  The employees became the "actors" in the mostly video based training, which increased involvement by staff. 

I have found that HIPAA is not a one-size-fits-all training.  It usually has to do with the overall cultural communication and training efforts of the organization.  Creating and changing culture is certainly no easy task.

Best of luck,

Todd

-------------------------------------------
ToddCourtney
Healthcare Compliance Manager
Vivid Learning Systems
PascoWA
509-545-2566
-------------------------------------------






Show Original Message -------------------------------------------
Original Message:
Sent: 02-09-2012 12:17 PM
From: Nancy Davis
Subject: "HIPAA is a joke" combating/reasoning with practitioners

Why don't you create a fictious discharge summary for a patient with a lot of information about his or her medical history including...

The patient is a 50 y/o practicing primary care provider who suffers a multiple medical concerns relating to his  lifestyle which result in significant comorbidities associated with his medication condition.  The patient shares that he finds himself very frustrated with his career.  He finds the constant battle with new regulations, billing codes, policies, procedures, mandatory education to be extremely frustrating, particularly what he believes the over emphasis on patient privacy which he perceives as unnecessary and a barrier to patient care.

In addition, the patient verbalizes frustrations with his relationship with his wife related to........ and his son related to.......

The patient is diagnosed with:
Hypertension
Borderline DM
Obesity
Depression and Anxiety


Then ask?  If this were your discharge summary, how would you feel about it being:
1.  Mailed to the wrong patient.
2.  Posted on the Internet.
3.  Left on a bus or subway.
4.  Disclosed to his wife, mother, son.
5.  Available on an electronic file maintained on a unencrypted laptop that was stolen.
6.  Hacked by an identity thief
7.  Used to deny a life insurance policy or workers comp claim?

Maybe putting them in the place of the patient woudl be helpful?

NancyDavisMS, RHIA
Director of Privacy/Security Officer
Ministry Health Care
Sturgeon BayWI
-------------------------------------------





-------------------------------------------
Original Message:
Sent: 02-08-2012 01:35 PM
From: Shauna Van Dongen
Subject: "HIPAA is a joke" combating/reasoning with practitioners

First of all, I would argue that the vast majority of breaches are not purposeful or intentional - they occur because a provider or health care worker left patient records on a subway by mistake or left an unencrypted laptop in a car where it was subsequently stolen.  Patient care certainly includes medical care, but providers should also be good data stewards of their patients' confidential information.

Though lengthy, this often humorous blog post by the President and CEO of Massachusetts eHealth Collaborative about a security incident that his company caused is a real learning opportunity for any of us who deal with PHI.

I don't think any practitioner wants to have to notify his or her patients that their personal health care information was stolen out of the back of the physician's car.
-------------------------------------------
Shauna Van Dongen
Associate Privacy Officer
Providence Health & Services
Renton WA
-------------------------------------------





-------------------------------------------
Original Message:
Sent: 02-08-2012 11:54 AM
From: Leslie Soltau
Subject: "HIPAA is a joke" combating/reasoning with practitioners

Good morning everyone -
Could you lend me your  assistance and expertise in communicating the importance of HIPAA Standards to the Medical Staff at large and individual practitioners in general.  We use diplomacy, acquiescence, humor, and, yes, a certain level of corrective action, but there are still those that don't seem to connect HIPAA to their sphere of patient care.  In their defense, for the most part, I think it's because they can't fathom purposefully doing anything to jeopardize their patient(s).  My gut tells me this attitude may always be present in some practitioners, but I'd appreciate your feedback (and support).  Any outstanding articles or presentations out there? 
Thanks,
Leslie 

-------------------------------------------
Leslie Soltau, CHPC
Privacy Compliance Manager
Samaritan Health Services
Corvallis OR
-------------------------------------------

Great summary!   To  the list of unintended potential PHI recipients, I'd add a partner or competitive Medical Staff member or two as well as intentional, inappropriate access by an administrator unrelated or uninvolved in the patient's care. 

Thank you all for your feedback!
Leslie

-------------------------------------------
Leslie Soltau CHPC
Privacy Compliance Manager
Samaritan Health Services
CorvallisOR
-------------------------------------------






Show Original Message -------------------------------------------
Original Message:
Sent: 02-09-2012 12:17 PM
From: Nancy Davis
Subject: "HIPAA is a joke" combating/reasoning with practitioners

Why don't you create a fictious discharge summary for a patient with a lot of information about his or her medical history including...

The patient is a 50 y/o practicing primary care provider who suffers a multiple medical concerns relating to his  lifestyle which result in significant comorbidities associated with his medication condition.  The patient shares that he finds himself very frustrated with his career.  He finds the constant battle with new regulations, billing codes, policies, procedures, mandatory education to be extremely frustrating, particularly what he believes the over emphasis on patient privacy which he perceives as unnecessary and a barrier to patient care.

In addition, the patient verbalizes frustrations with his relationship with his wife related to........ and his son related to.......

The patient is diagnosed with:
Hypertension
Borderline DM
Obesity
Depression and Anxiety


Then ask?  If this were your discharge summary, how would you feel about it being:
1.  Mailed to the wrong patient.
2.  Posted on the Internet.
3.  Left on a bus or subway.
4.  Disclosed to his wife, mother, son.
5.  Available on an electronic file maintained on a unencrypted laptop that was stolen.
6.  Hacked by an identity thief
7.  Used to deny a life insurance policy or workers comp claim?

Maybe putting them in the place of the patient woudl be helpful?

NancyDavisMS, RHIA
Director of Privacy/Security Officer
Ministry Health Care
Sturgeon BayWI
-------------------------------------------





-------------------------------------------
Original Message:
Sent: 02-08-2012 01:35 PM
From: Shauna Van Dongen
Subject: "HIPAA is a joke" combating/reasoning with practitioners

First of all, I would argue that the vast majority of breaches are not purposeful or intentional - they occur because a provider or health care worker left patient records on a subway by mistake or left an unencrypted laptop in a car where it was subsequently stolen.  Patient care certainly includes medical care, but providers should also be good data stewards of their patients' confidential information.

Though lengthy, this often humorous blog post by the President and CEO of Massachusetts eHealth Collaborative about a security incident that his company caused is a real learning opportunity for any of us who deal with PHI.

I don't think any practitioner wants to have to notify his or her patients that their personal health care information was stolen out of the back of the physician's car.
-------------------------------------------
Shauna Van Dongen
Associate Privacy Officer
Providence Health & Services
Renton WA
-------------------------------------------





-------------------------------------------
Original Message:
Sent: 02-08-2012 11:54 AM
From: Leslie Soltau
Subject: "HIPAA is a joke" combating/reasoning with practitioners

Good morning everyone -
Could you lend me your  assistance and expertise in communicating the importance of HIPAA Standards to the Medical Staff at large and individual practitioners in general.  We use diplomacy, acquiescence, humor, and, yes, a certain level of corrective action, but there are still those that don't seem to connect HIPAA to their sphere of patient care.  In their defense, for the most part, I think it's because they can't fathom purposefully doing anything to jeopardize their patient(s).  My gut tells me this attitude may always be present in some practitioners, but I'd appreciate your feedback (and support).  Any outstanding articles or presentations out there? 
Thanks,
Leslie 

-------------------------------------------
Leslie Soltau, CHPC
Privacy Compliance Manager
Samaritan Health Services
Corvallis OR
-------------------------------------------