A patient asks you when their spouse’s next appointment is. What should you do?
What is, “Confirm their spouse has listed them on their HIPAA Privacy release within the patient intake form and do not disclose their next appointment time if they have not”? This goes for anything related to their care at Range.
You’re in the breakroom and mention, “That patient with the foot fungus is back again!” This kind of violation has occurred.
What is, “An unauthorized verbal disclosure of PHI”?
You need to step away from your workstation for any amount of time. What should you do first?
What is, “Lock your computer and secure any documents or notes with visible PHI, per the HIPAA Security Rule requiring device access controls”?
A patient requests a copy of their medical record. You must provide it within this many days.
What is, “Within 30 calendar days of the request”?
E.g. OCR newsletters
HIPAA was enacted in 1996. The “P” in HIPAA stands for this.
What is, “Portability”?
E.g. pre-existing conditions, broader definition today via ACA
This person stole our lunch break today to yammer on about a bunch of boring regulations.
Who is Maggie Herron?
You overhear a coworker discussing a patient’s diagnosis in the waiting room. This is what you should do next.
What is, “Address it privately with the coworker or report it to a supervisor if needed”?
E.g. speak up culture
A coworker jokes about a patient’s behavior in a private staff meeting. Even if no names are mentioned, this could still be a violation if this is true.
What is, “The patient could still be identifiable based on context or shared knowledge”?
E.g. evolving understanding of HIPAA
An email with PHI is sent to the wrong external provider. The first thing you must do is this.
What is, “Notify your HIPAA privacy officer or supervisor immediately”?
An established patient messages you on social media with a question about their home exercise program. This is what you should do.
What is, “Leave the message 'unread' until you are at the clinic and can respond via Jane messaging. Explain that HIPAA prevents us from responding on social media/by unsecured means.”?
You receive a Facebook message from a fellow Covered Entity asking you to send over a patient referral, stating the patient's name. This is what you should do to be HIPAA compliant.
What is, “Delete the message on your end and remind the sender to use a secure, encrypted means of communication for ePHI at all times. Suggest they call the clinic during business hours.”?
E.g. EmpowerChiro
This aggressively polite midwesterner has a contagious enthusiasm for the science of tissue change and really wishes you would do your home exercises. Skilled at modeling burnout for the team so everyone knows what not to do. Actual best person I know.
Who is Dr. Ben Herron?
A delivery driver walks into the clinic and sees a computer screen showing patient names. This has just occurred.
What is, “An unintentional disclosure of PHI — a potential privacy breach”?
E.g. incidental exposure, TPO
You accidentally send a patient document to the shared printer and leave it there. You return 30 minutes later. You should do this next.
What is, “Secure the document immediately and report the incident as a potential breach”?
You’re working remotely and access Jane on public Wi-Fi. This must be used to stay HIPAA-compliant.
What is, “A secure VPN or encrypted connection”?
A patient can file a HIPAA complaint through this entity/entities.
What is, “The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR)”?
If you’re unsure whether something violates HIPAA, your first step should be this.
What is, “Consult your HIPAA privacy officer or supervisor”?
Still waters run deep for this Bandon legacy. Quietly brilliant and sneakily hilarious, her dedication to unearthing health and wellness cheat codes will have future generations living to 150!
Who is Dr. Alissa Miller?
A patient at checkout is complaining loudly about billing errors. Another patient nearby overhears PHI. This is the breach risk level.
What is, “Low to moderate — but still needs to be assessed and possibly documented”?
E.g. small clinic probs
A coworker frequently refers to patients by room number and symptoms while in shared spaces. This culture issue affects HIPAA in this way.
What is, “It normalizes casual handling of PHI, increasing risk of violations”?
A coworker keeps their login credentials on a sticky note under the keyboard, putting the clinic at risk in this way.
What is, “It creates a serious vulnerability to unauthorized access of PHI”?
You get a subpoena requesting patient records. Before sending, this must happen.
What is, “Confirm it’s a valid subpoena and consult legal or compliance staff”?
Your friend texts you asking about a mutual acquaintance who was in your clinic. You respond with this (or not at all).
What is, “I can’t confirm or deny whether any person has been a patient at my clinic.”?
This smarty cat is 10 feet tall (on the phone) and Manga is her thang-a. Always a fountain, never a drain, her laugh will be the best thing you hear this week.
Who is Bunny Ransom?
A patient gives verbal consent to share records with their specialist. You follow up with this best practice.
What is, “Document the consent in the patient’s chart or obtain written authorization”?
Staff are frustrated with a patient and vent via group text (without using names). Why could this still be problematic?
What is, “Because tone, context, and content can still reveal PHI or be unprofessional”?
The clinic adopts a new scheduling software. Before its use, this must be confirmed with the vendor.
What is, “Verify the vendor has adequate privacy and security infrastructure and ensure a Business Associate Agreement is signed by both parties”?
A parent asks for records of their 17-year-old child. You must confirm this before disclosing.
What is, “Whether the parent has legal rights to access, based on state laws and minor’s care type”?
The maximum fine for a willful HIPAA violation (per violation, per year) can be this much.
What is, “$1.5 million”?
Part-time presence, overtime mindset. Whip smart and intrinsically motivated, this gal has a thoughtful reason behind every action. Positively radiates (and we're not talking about the sunburn)!
Who is Lorena O'Lexey?