Privacy Officer's Roundtable

1.  "HIPAA is a joke" combating/reasoning with practitioners

Posted 02-08-2012 11:55 AM
Good morning everyone -
Could you lend me your  assistance and expertise in communicating the importance of HIPAA Standards to the Medical Staff at large and individual practitioners in general.  We use diplomacy, acquiescence, humor, and, yes, a certain level of corrective action, but there are still those that don't seem to connect HIPAA to their sphere of patient care.  In their defense, for the most part, I think it's because they can't fathom purposefully doing anything to jeopardize their patient(s).  My gut tells me this attitude may always be present in some practitioners, but I'd appreciate your feedback (and support).  Any outstanding articles or presentations out there? 

Leslie Soltau, CHPC
Privacy Compliance Manager
Samaritan Health Services
Corvallis OR

2.  RE:"HIPAA is a joke" combating/reasoning with practitioners

Posted 02-08-2012 01:36 PM
First of all, I would argue that the vast majority of breaches are not purposeful or intentional - they occur because a provider or health care worker left patient records on a subway by mistake or left an unencrypted laptop in a car where it was subsequently stolen.  Patient care certainly includes medical care, but providers should also be good data stewards of their patients' confidential information.

Though lengthy, this often humorous blog post by the President and CEO of Massachusetts eHealth Collaborative about a security incident that his company caused is a real learning opportunity for any of us who deal with PHI.

I don't think any practitioner wants to have to notify his or her patients that their personal health care information was stolen out of the back of the physician's car.
Shauna Van Dongen
Associate Privacy Officer
Providence Health & Services
Renton WA

3.  RE:"HIPAA is a joke" combating/reasoning with practitioners

Posted 02-08-2012 02:44 PM
A very nice message or comment that he shares in a podcast of an interview is his reference to how a matter of convenience can often lead folks to develop workarounds or a basis for folks not to follow policy.

I must agree that on some level, convenience, time savings, less effort, etc are often themes that come up when looking into why processes broke down due to variances or workarounds.

Nice to hear some level of validation of what is probably already well known.

HIPAA College
Casa GrandeAZ

4.  RE:"HIPAA is a joke" combating/reasoning with practitioners

Posted 02-09-2012 12:17 PM
Why don't you create a fictious discharge summary for a patient with a lot of information about his or her medical history including...

The patient is a 50 y/o practicing primary care provider who suffers a multiple medical concerns relating to his  lifestyle which result in significant comorbidities associated with his medication condition.  The patient shares that he finds himself very frustrated with his career.  He finds the constant battle with new regulations, billing codes, policies, procedures, mandatory education to be extremely frustrating, particularly what he believes the over emphasis on patient privacy which he perceives as unnecessary and a barrier to patient care.

In addition, the patient verbalizes frustrations with his relationship with his wife related to........ and his son related to.......

The patient is diagnosed with:
Borderline DM
Depression and Anxiety

Then ask?  If this were your discharge summary, how would you feel about it being:
1.  Mailed to the wrong patient.
2.  Posted on the Internet.
3.  Left on a bus or subway.
4.  Disclosed to his wife, mother, son.
5.  Available on an electronic file maintained on a unencrypted laptop that was stolen.
6.  Hacked by an identity thief
7.  Used to deny a life insurance policy or workers comp claim?

Maybe putting them in the place of the patient woudl be helpful?

NancyDavisMS, RHIA
Director of Privacy/Security Officer
Ministry Health Care
Sturgeon BayWI

5.  RE:"HIPAA is a joke" combating/reasoning with practitioners

Posted 02-09-2012 05:02 PM
My thoughts exactly.  How do physicians react when someone unintentionally accesses their records by mistake?  Not very forgiving, from what I've heard....

SharonHockett JD
Agate Healthcare

6.  RE:"HIPAA is a joke" combating/reasoning with practitioners

Posted 02-10-2012 11:11 AM
LOL - I used to do tongue-in-cheek physician training in E/M documentation based on a case history of "Compliancitis", including HPI: Worsening headaches, tremor x 6 months, confusion, insomnia, etc. For Exam, it affected every organ system (carpal tunnel from writing, indigestion, male pattern baldness from pulling his hair out, strabismus, etc).
The Chief of Surgery was a great guy who let me take photos of him miming all these symptoms for the PowerPoint. The Assessment was "Compliancitis", the Plan was to "take two documentation templates and re-audit in 6 months". At least it didn't put them all to sleep... :)

J. Eric Sandhusen CPC, CHC MPH
VP for Compliance & Audit / Privacy Officer
Bayonne Medical Center
Bayonne NJ

7.  RE:"HIPAA is a joke" combating/reasoning with practitioners

Posted 02-10-2012 11:25 AM

The majority of physician and medical staff HIPAA resistance that I see is due to inefficient training and communication organization wide.  The general HIPAA training that is developed internally or purchased from a vendor is heavy on law specific requirements and not situation based.  I would agree with Nancy in that creating a scenario based situation that could very well happen is the best way to get their attention. 

Working with Baptist Health, we created their mandatory HIPAA training based on common scenarios that happen every day in hospitals.  The employees became the "actors" in the mostly video based training, which increased involvement by staff. 

I have found that HIPAA is not a one-size-fits-all training.  It usually has to do with the overall cultural communication and training efforts of the organization.  Creating and changing culture is certainly no easy task.

Best of luck,


Healthcare Compliance Manager
Vivid Learning Systems

8.  RE:"HIPAA is a joke" combating/reasoning with practitioners

Posted 02-10-2012 11:44 AM
Great summary!   To  the list of unintended potential PHI recipients, I'd add a partner or competitive Medical Staff member or two as well as intentional, inappropriate access by an administrator unrelated or uninvolved in the patient's care. 

Thank you all for your feedback!

Leslie Soltau CHPC
Privacy Compliance Manager
Samaritan Health Services