Saturday February 04, 2012
BridgeFront - http://www.hipaarx.net & Regulatory Compliance Products - HOME
  
Search

 
About HIPAA > Information
Day in the Life of a Privacy Officer

Many managers are wondering how much time Privacy Officer responsibilities (required under HIPAA) will add to their already busy schedules. Though not based upon any scientific study, but rather upon the realities of this role, I recommend that you plan on allocating about one-half hour per day per provider in your practice once the implementation phase is completed. What do you think the Privacy Officer will be doing each day? Let's assume that Pat works for a 12-provider internal medicine practice; here's how she might describe a typical Monday in the office... 

I arrived to work at 9 AM to find that two early morning patients had questions about our Privacy Notice. Mr. Gonzalez couldn't understand the Privacy Notice and asked that I explain its intent. My simple explanation followed: "A new federal law requires that we provide you with a Privacy Notice that explains your rights as a patient." He wanted more information. While we are not required to publish the Privacy Notice in any other language, this patient needed answers he could only understand in his native language. I called Mary Santos, our medical assistant, who came down to help translate. 

Twenty minutes later, I called the second patient into my office. She was a 90-year-old woman accompanied by her 70-year-old daughter. Both were hard-of-hearing. She was quite well informed and explained that she was refusing to sign the acknowledgement of receipt of our Privacy Notice. But, as long as she had the right, she also wanted to review her records. I told her that we would set up a time when she could come back to review the records, and she couldn't understand why she couldn't view them today. Finally, she agreed to return at an appointed date and time. 

Upon returning to my office, line 3 was holding. I picked it up to find a rather irate patient complaining that our nurse had left a voicemail for him with the message: "Your prescription has been called in to the pharmacy; you may pick it up." The patient was upset because he had not told his wife about his appointment in our practice. He gently reminded me that he had informed us not to call his home. I assured him that I would investigate his complaint and get back to him. Following the call, I made a note to look in his record for a completed "Request for Confidential Communication" form. Also, I made a note to follow-up with the nurse to determine what transpired. If she had missed or ignored the patient's request, remedial action would be required. 

The morning was slipping away. I sat down to review a stack of charts: seven Requests for Records Reviews, four requests for records from disability insurance carriers, two from law firms, one from a payer for a chart review, and one patient complaint. I began documenting the requests, reviewing which portion of each record could be disclosed, and completing the disclosure log in each chart, when appropriate. In each case, I had to determine which disclosure required a signed authorization and if I had one on file for the patient. 

Shortly before lunch, I began preparing for two new employees' HIPAA training. I accessed the web-based training program, obtained two new registration numbers and set the program up for each staff member. I then pulled out our own HIPAA training program to review the presentation I would make to each employee. The employee who was filling a reception position would require less training time than the other new hire, a nurse. But I went through the entire presentation anyway, to refresh my memory. 

A pharmaceutical rep brought in lunch, which is common in our practice. The lunchroom was filled with two reps, several staff members, providers, and the billing clerk's daughter. I had just taken a slice of pizza when Dr. Dix walked in, chart in hand, chuckling to a nurse about the condition of Mrs. Johnson, who had just been seen. He placed the chart on the table while he grabbed his lunch. The intercom rang, and the receptionist's voice, heard above the rumble, asked: "Is Dr. Marks in there? Mr. Smith is on line 2; he says he is having a problem with his Viagra." (I made a mental note that there would be a few impromptu meetings in my office this afternoon.) 

After lunch, the two new employees arrived for their HIPAA Training. Following their web-based training, we reviewed our HIPAA policies and procedures, required forms, a list of patients' frequently asked questions (with our standard responses), and our practice's policy when patients' rights are violated. 

Then I sent an email to Dr. Dix, his nurse, Hermione, and the receptionist, asking them to stop by my office before the end of the day. On my "to do" list for today was a reminder to review a Business Associate Agreement for our new transcription company. With the template pulled up on my computer, I completed the appropriate sections and printed a copy to be sent to the vendor. Additionally, I emailed a copy to our attorney for his approval. 

Keeping current on HIPAA changes and updates is one of my regular Monday tasks. I logged onto the Internet to the HHS web site and two other HIPAA sites. I found and read three articles and printed four important advisories. I then logged onto our HIPAA web-based training site to retrieve the grades of the two employees trained earlier, and printed their training log sheets for their personnel files. 

A knock on the door signaled Dr. Dix's entrance. He appeared ready for his "tongue-lashing." A gentle reminder about keeping patients' information confidential and insuring that charts are not left in public areas was sufficient. He bumped into his nurse as he departed. The same conversation was repeated with her. At 3 PM, the receptionist appeared. We discussed her announcement of Mr. Smith's message to the entire lunchroom; she wasn't quite sure what she did wrong. I asked her to return the following day for a HIPAA training review. I would document this breach of confidentiality as well as the remediation (repeat training) in her personnel file. 

Returning to my "to do" list, I was to approve a spreadsheet to go to our coding auditor for a chart review. The audit was to be "blinded," so it was my responsibility to determine the method for blinding each record and de-identifying each record. I also reviewed our Privacy Notice to be sure that we had been informing patients that chart reviews were part of our routine healthcare operations. 

At 4 PM, three patients arrived for scheduled Records Review appointments. Our policy is that the patients be greeted by the Privacy Officer, placed in a private area, and asked to record their questions as they go through the record. We also provide them with bookmarks to mark pages on which they have questions. I informed the patients that I would return in 15 minutes to hear their questions. 

I wandered up to the front desk on my daily "walk-through" to monitor for potential violations of patients' privacy. The check-in receptionist was chatting through the window with a patient. On her desk was tomorrow's appointment list and charts she was prepping for the morning. I reminded her that prepping charts should be done elsewhere. The appointment secretary had left her desk; on her computer screen was Mrs. Freeman's account. I logged her out on my way to Medical Records. File clerks were hard at work, but I noticed that their wastebasket was filled with faxed lab reports. They told me the shredder had overheated; I reminded them, "Don't discard any documents with patient information without destroying them." 

Working my way back to the patients who were reviewing their records, I stopped at the busy nursing station. A medical supply vendor was at the counter talking with a staff member. Close by, nurses were returning calls to patients and phoning in prescriptions. I made yet another mental note to inform employees to escort vendors to areas that are "non-clinical." Having reviewed her record, Mrs. White had her questions ready and four bookmarks in the chart. I was able to answer her simple questions. In her chart, I noted on the Medical Record Access Log that Mrs. White reviewed her records and that her questions were answered to her satisfaction. Mr. Quick had two pages of questions, most of which were clinical in nature. I informed him that I would pass along the questions to Dr. Munchie who would phone him within five days. Again, I documented this on the log in Mr. Quick's chart. 

Ms. Potter had no questions, but a request for an amendment to her record. I asked her to complete a "Request for Amendment of Health Information" form and told her that Dr. Surefire would review her request within sixty days. I would get back to her sooner, if possible, to let her know whether her request had been approved. I documented her request on the Medical Record Access Log. 

Back in my office, I packed up for the day. Briefcase in hand, the phone rang one more time. I hesitated, but went for it. "Hi, this is Mr. McFly. I am the principal at the local high school. Unfortunately, there are about 50 medical records flying all over Academy Road that belong to you. Do you want to come down and retrieve them?"

Call us today at 866-447-2211 or email info@hipaarx.net to see how we can help you navigate compliance.

HIPAA Solutions Rx has developed a proven project management approach to certification.
HOW CAN WE HELP YOU?

HIPAA Solutions Rx
Toll Free 866-447-2211
Info@hipaarx.net
www.hipaarx.net



HIPAA For DC / DOM HIPAA For Business Associates HIPAA For Employers HIPAA For Health Plans HIPAA For Hospitals HIPAA For Providers HIPAA In Spanish

©® 2002-2012 BridgeFront