HIPAA Myths & Truths
Does LHC have to have a release of information signed in order to send a report of your hearing test out to another medical office?
NO, HIPAA law does not require a release of information to share medical information with another health care provider
How often does LHC have to ask patients to sign that they have received a copy of our privacy practices?
We have to ask patients to sign that we have given them a copy of our privacy practices at their first visit with LHC. We need to have a copy of our privacy practices posted in our office. We need to have a copy of our privacy practices available on our website. A copy must be available to patients upon request at any time.
Patient trips on the way into the office and skins their knee. They are bleeding through their pants. What do you do?
Help them clean their wound with soap and water.
Apply a dressing/first aid. If you cannot stop the bleeding or if the wound is deep, offer to call EMS for patient. See if patient's companion (if any) can take patient to urgent care.
Try to help patient get blood out of their pants with a cloth?
DOCUMENT everything in an incident report, and in pt's EMR (what you did, what they did/said). Give Incident Report to Susan
You come in the front door, and the ceiling has leaked badly from a storm over the weekend. We have several ceiling tiles in the floor, and wet carpet.
Call, text, and email Nisha Pearce at Candor Realty asking for help ASAP
Move the damaged tiles out of the way as best you can
What should I do if I get an urgent request for payment for a bill for the practice to my work email with the bill attached as a PDF?
DO NOT OPEN THE PDF!
You can forward it to Susan... however, chances are if you are receiving the bill yourself, it is garbage at best, and phishing or hacking at the worst. Since Susan does 95% of purchasing, unless you have directly interacted with the entity, the chances of you having a real bill that needs to be paid urgently is pretty much non-existent.
If a patient refuses to sign our Notice of Privacy Practices, do we have refuse to see them?
No, Health services Can Still Be provided even if a patient refuses to sign the notice of Privacy Practices. Patients do not have to read, sign, or accept the NPP but LHC must make a good faith effort to obtain a signature. If we cannot get a signature, we can still treat the patient.
Is a parent is a personal representative for their minor children?
This is true--and parents have the right to access their child's medical record on behalf of their children. There are rare cases in which a parent would not be considered a personal representative, but at our office, if the child is with their parent when they come to our office, we would have no reason to believe/suspect that the parent would not be a child's personal representative.
Patient states that they are diabetic and says they are having some issues with their sugar and asks if we have any crackers they can eat?
See if eating some candy from our office helps? Offer to reschedule the appointment if they do not feel well? See if they need us to call a friend or family member to come help them?
Document every thing you do, document what the patient does and says.
A man walks in off the street. He is not our patient. He is mumbling and not making sense and walks into our office bathroom. He stays in the bathroom and doesn't come out.
Call the police and ask for an officer to come help us.
What should I do if I get an email from Counsel Ear asking for my log in and password because our account has been hacked and they need it to track down the culprit?
DO NOT RESPOND! Discuss this with Susan.
Any entity that we work with on a regular basis (Counsel Ear, hearing aid manufacturer, insurance company) should NEVER ask you for a password.
Can healthcare organizations can refuse to send health records to a patient's health app?
NO! Healthcare organizations are required to provide patients with a copy of their health information upon request. This can be in paper form, but if the patient requests an electronic copy, the organization must provide the copy in an electronic format if the organization has the means to do this. If a patient wants their information sent to an app, the organization cannot refuse to send it unless the act of sending the ePHI poses a security risk for the organization.
Do all OCR investigated HIPAA violations result in serious financial penalties?
NO, When investigating data breaches, the HHS OCR evaluates whether reasonable safeguards were in place to protect patient information, and whether HIPAA-compliant policies and procedures were followed. OCR recognizes that despite robust security measures, breaches can still occur due to evolving cyber threats and human errors.
Patient ( or patient's companion) says they have a headache and asks if we have any Advil or Tylenol they can have?
We should not provide OTC medication to patients from our office. We are not medical providers in that sense. You can offer to reschedule a patient if they are not feeling well enough to continue their visit at our office. Our liability for providing medication in this situation is too high and not worth the risk. Answer, "No I'm so sorry, we do not have any of these medications at our office."
We have had a huge snow storm the night before. You get to work and the snow has not been cleared from the parking lot and it is very deep.
Park across the street if the snow has been cleared from their parking lot. Text/call Susan ASAP. Call Nisha ASAP. Call our first patients to let them know (many will have cancelled).
What should I do if UpLync calls us and says that our account will be closed because we haven't paid our bill, and offers to take a credit card payment over the phone to get our account caught back up and not cut off our phone service?
Put the caller on speaker phone. Start recording the conversation with your smart phone.
Get the caller's name--ask them to spell it.
Get a contact phone number for them / email address.
Tell them that you are not authorized to make a payment, and that we will follow up with them.
Hang up and let SMT know about the situation. Send SMT the recording you made of the conversation via email.
Can you sue your health care provider for a HIPAA Violation?
NO! If there is a data breach, or your health care provider or health plan violates HIPAA law, you cannot sue them in federal court. You have the right to report the violation to the Dept. of Health and Human Services Office for Civil Rights (OCR) and OCR will investigate. If a HIPAA violation has occurred, OCR can take action and that may result in a financial penalty, or in certain cases, criminal penalties. You may be able to sue a health care provider under your state law.
Does the HIPAA privacy rule protect your employment records?
No, it does not, even if the information in your employment records is health-related. However, your employer may not obtain health-information about you from your healthcare provider without your consent.
A patient walks in for help with their hearing aids and gets angry when they are told they need to have their device repaired and that it will cost $X. The patient starts yelling at FOS loudly in the waiting room saying how awful LHC is and how they can't understand how we stay in business at all.
#1) remain calm
#2) inform patient that we will call the police (if they make threatening remarks)
#3) Invite patient to leave, and then come back to our office once they are calm. Remind patient that we are here to help.
A patient falls over unconscious in the waiting room. What do you do?
Yell at someone in the office to Call 9-1-1
Grab the defibrillator and go to patient.
Touch patient on the shoulder and shout their name...If they remain unresponsive, start up the defibrillator and follow the instructions given by machine
Send staff out to watch for EMS and waive them in.
CPR?
What should I do if a patient sends the LHC email a PDF with a vague statement in the email like, "Here's the document you requested"
#1) check Counsel Ear for any emailed requests for information
#2) if there is no emailed request documented in the clinic notes or general notes, move the file to the TRASH email but let Dr. Susan know it is there
#3) DO NOT OPEN THE ATTACHMENT!!!
#4) IF you DO open the attachment, LET SUSAN KNOW ASAP!
What are 9 of the 18 items that are required to be removed before your health information can be sold?
Name--full or partial, Geographic Location smaller than state, All Date elements (birthdate, admission dates, Date of death) except the year, Telephone Numbers, Fax numbers, Email addresses, SSNs, MRNs, Health Plan Beneficiary numbers, Account numbers, certificate/license numbers, VINs and S/Ns, Device IDs or S/Ns, Website URLs, IP addresses, Biometric identifiers (fingerprints, voice recordings, photos, Full Face photographs, any other unique identifying number, characteristic or code
Can a pharmacist can refuse to give your prescription to your friend to pick up for you?
No, if your friend has your pertinent information (name, DOB, etc.) a pharmacist can assume that you do not object to your friend picking up your prescription for you unless you have provided a written statement to the pharmacist stating they are NOT to give your prescriptions out to certain individuals.
Patient's companion runs back into our office after the appointment saying the patient fell in our parking lot and cannot get up
Call 9-1-1, get another staff person to help as well
Go out to see patient--try to help patient be more comfortable (get first aid, get blanket if appropriate)
Do not encourage patient to move if they appear to be injured. If pt is bleeding, try to treat their injury in place with basic first aid.
Document incident carefully in pt's EMR and also in an incident report.
A patient confesses to you that they are going to go home and kill themselves. What do you do?
Call 9-1-1
Stay with the patient until EMS arrives.
Document all interactions with patient.
What should I do if someone from Audigy IT calls and says that they have evidence that our internet system has been hacked and that they need us to pay them $499 with a credit card over the phone immediately so that they can shut down the activity before it crashes the entire system?
#1) put caller on speaker phone
#2) start recording the conversation
#3) get caller's name and contact information--be sure to get correct spelling of their name, get an email address if possible
#4) tell caller you will give this information to your supervisor (do not provide supervisor's name), or confirm any employee's name over the phone
#4) hang up, give this information to Susan