TRANSCRIPT
Hello. This is Michael H. Cohen, president and founder of Cohen Health Care Law Group. Our guest today is an expert in healthcare privacy and security, both on the federal side with HIPAA, and the state side, especially dealing with California law. Her name is Joyce L.T. Chang, and she’s an attorney at the Cohen Healthcare Law Group.
HIPAA Policies Drive Medical Risk Management
Joyce LT Chang:
Policies and Procedures really are the bread and butter of any good starting point, whether you’re in house, you’re an entrepreneur, you really can use Policies and Procedures as an effective tool. It’s kind of nerdy to say that I get excited about it, but that’s really the time where you can memorialize what your company or your client’s vision, what that is, and also outlining what the procedures are for how you’re going to accomplish that. So, it’s a chance for you to put down your organization’s culture, how you’re going to comply with the law, and really, to set the expectations for your company as you’re growing, for how you’re going to handle business.
Michael:
Can you give us an example of, let’s say, one Policies and Procedures that was particularly complicated that’d you say you had to wrestle with? Or let’s just say something that made a really big difference in terms of health care privacy and security, or something else that you tackled that was really, really, really critical?
Joyce LT Chang:
For the big difference one, I think the hot item one is how you handle breaches and investigations, and that is something where if you think high risk, that’s where there’s financial risks, reputational risks. So when you’re outlining the policies and procedures for that, it’s a very thoughtful process just from what you do when you have notification that there may be a policy violation. Even the terminology you use, people often say, “Oh, there’s been a breach. There’s been a breach,” but that’s actually really a term of art, and also has legal implications.
So you can start by training your workforce that it’s not necessarily a breach immediately, but a privacy violation that has to be investigated. And as a lot of entities are growing and merging together, having these expectations outlined in your Policy and Procedures are critical. You can have shared services, and people need to know who is doing what, and when that has to be done.
Michael:
What would be an example of a privacy violation, let’s say that you’re in the hospital or you’re getting treated at the doctor’s office, what would be something that would be a violation as opposed to a security breach that would have to be reported and dealt with?
Joyce LT Chang:
Yeah, a common one has to do with incidental disclosures, and a good example is, “It’s flu season. The Emergency Department is incredibly crowded, and you have hallway beds stacked with patients.” A patient may have a complaint, “Hey, I was put in a hallway bed and this was a breach of my privacy.” HIPAA and there are other reasonable safeguards allow incidents like this where hospitals are allowed to reasonably accommodate with the resources that they were given.
In that incident rather than having a nurse say, “There’s been a breach. There’s been a breach,” it’s working out, how do we inform our Privacy Office to have a conversation with that patient to see, were there reasonable safeguards that this isn’t something that we have to report to Agent Jess? Having that outlined and really being able to have more risk mitigation factors in place so you don’t have an upset patient who goes directly to the regulatory agencies to report this, what they perceive as a serious breach.
So that’s one example of just by explaining and empowering your staff, or of “Hey, if a patient has X complaint, you can contact the privacy Office and they can help with the investigation and the follow-up, rather than it getting lost somewhere in the shuffle of all the other clinical responsibilities.
Michael:
So the idea there would be, for example, to have some kind of process where, if a patient feels like there’s some kind of violation, they can actually go somewhere within the organization and get their complaint out, get some kind of satisfaction. It doesn’t necessarily have to be escalated to reporting to a regulator, and the patient doesn’t get aggravated or escalate the complaint themselves, but rather they get good information, and it can be handled internally. Is that the idea?
Joyce LT Chang:
Absolutely. That is the idea, and it’s something that you can use your Policies and Procedures, not just for when you have patient complaints, but as a really effective training opportunity for your staff members throughout the year. Even if you have the most well-crafted, beautifully written Policies and Procedures, they’re not meaningful if you’re not figuring ways to implement them and to continuously educate your workforce members on those requirements.
So really it’s a partnership where you can get the legal and regulatory requirements outlined, and also figure out in your business practice how can you communicate this effectively to the people who are really on the front lines, who need to understand and live and really showcase what these Policies and Procedures are? They have to be meaningful.
Michael:
Obviously we don’t want to violate any confidentiality, but like just in general, what would be a good example of something that somebody did that was really stupid or unfortunate? Or there are some very obvious things that people do sometimes that compromise privacy like throwing patient files in the trashcan, and then somebody else picks them up, and they can be read, those kinds of things are out there.
What would be an example of something that you’ve come across that you could talk about that people should … Like don’t do this at home.
Joyce LT Chang:
Yeah, I’ve unfortunately done my fair share of dumpster diving or even at popular coffee shops on hospitals doing this sweep for-
Michael:
Really?
Joyce LT Chang:
Yep. When people think of protected health information they think that it is what you have in your electronic medical records. But you think of just the practical day to day that clinical staff have to do, and that’s patient notes as you’re transitioning, shift changes, paperwork, PHI really is in so many forms and often in the most basic paper documents that those documents fall out of pockets. You find them on the floor.
Clinicians are humans, and there are just so many human errors that can happen even with the most well intentioned people. So dumpster diving is a big thing, pieces of paper that you find around campuses, sending emails to the wrong people. My mom always says, “High tech, high risk” with auto fill and auto completion for emails. It’s easy to send emails to the wrong people within organizations, to the wrong patients, to complete strangers. That is something where with the convenience of technology, it also makes it very easy for people to get into risky privacy situations.
Michael:
What would happen? What would your advice be if somebody, they’re sending information about a patient … The doctor let’s say, says, “Hey Mrs. Smith, I’m so glad that we were able to get you symptom free of your X,” and they start typing in a name, and they send it to somebody else by accident. What should they do at that point?
Joyce LT Chang:
Michael, the problem for that started before that email’s sent, and that’s going to back to your Policies and Procedures questions, basic things that seem so straightforward are really complicated when it comes to healthcare. The question really is, should you really even be emailing patients to begin with? Should there have been other systems and procedures, encryption, other methods, to help with being able to securely recall this information?
But if you get to that point where you have that situation where you’ve emailed the wrong patient, it really is something that is a case by case decision of how to handle that. You can ask for the recipient to permanently delete that email and provide written assurances, but depending on what type of information is in that email, it really becomes a risk assessment of, do we need to report this? And what other mitigation steps do we have to take?
In addition to the federal requirements, you also have state requirements that you have to look at. You often hear of HIPAA as sort of the scary buzzword, but California requirements are even stricter than the federal requirements. So if you find yourself in that situation, call for help. The dangerous part is you don’t know what you’re missing. That’s where people can really get into trouble.
Michael:
It’s where like say, a nurse carries a bunch of folders, and it’s a windy day, and one piece of paper somewhere is whirling around, but they haven’t numbered the pages so they don’t know what it is.
Joyce LT Chang:
Right. Without good procedures you don’t even know what your risk areas are so that’s a scary place to be in.
Michael:
I understand that you worked on these Policies and Procedures for some pretty big institutions, are we talking about a Reader’s Digest version or how dense do these things get?
Joyce LT Chang:
They can get very dense, and very detailed. You think about, there is the legal side of things and also all the clinical requirements that have to be documented in your Policies and Procedures. We’re talking anywhere from tens of thousands of different Policies and Procedures for large hospitals. And even for the smallest clinics, there are so many Policies and Procedures that are required that often people don’t think about until the situation is presented for them, and that’s really when it’s a little too late for that.
An example for that is, if patients want to amend their record, a lot of small doctors’ offices may not have thought about what that process looks like. And just understanding that patients have the right to request amendments, but doctors are obligated to comply with those requests, but patients do have the ability to leave notes in their records with limitations on certain revisions or parts of their record that they don’t believe are accurate.
The request for amending your records, that’s only one small example of just the other aspects. I think a more common one that comes up is emergency contacts. What is your policy for contacting your patient’s emergency contact? If you can’t reach them for an appointment, is that an emergency?
What if they are expressing suicidal tendencies or there’s a serious risk? You don’t want to be in a position where there’s patient safety, but because you haven’t thought out your Policies and Procedures, you don’t know what to do. That’s a tough position for practitioners to be in.
Michael:
Most doctors in a small practice, who do they have to handle all this? Does the Office Manager do it? Do they need to talk to the head of the practice? Does the head of the practice have to have legal counsel? How do they handle this, and even if they have someone they can call, how do they deal with thousands or even tens of thousands of pages? What do these organizations do? I guess that’s a compound question, but, yeah.
Joyce LT Chang:
Yeah. I think the short answer is people do what they think is the best they can do, but often that’s not enough. Large hospitals will have tens of thousands of Policies and Procedures. But for a smaller office to get set up, you can consult with someone initially to get your system set up, and then it’s really just regular maintenance to make sure that you’re on time for things.
A lot of times I’ve seen people just download forms from the internet, and they feel like, “Okay, we have this checklist, we’re good,” but privacy and compliance is much more robust and complicated than that.
I really recommend hiring outside counsel or someone who has the experience to help get those initial documents and training programs set up in place. Because again, clinical expertise, that is what healthcare providers should be doing, and they’re not expected or trained on what the legal requirements are.
So just like you wouldn’t go get surgery from someone selling lemonade, why would you try to invent these documents and understand compliance when you don’t even know where to really begin?
Michael:
Yeah, well they might be very good at slicing lemons, which certainly wouldn’t qualify them to do surgery, not in the modern age.
Joyce LT Chang:
No, and that’s something where, even ask someone who has extensive experience with large hospitals, smaller providers, privacy laws and regulations are constantly changing. That’s part of our challenge is figuring out how the different regulatory landscapes fit in with each other, and even with our background, that’s something we are continuously working on staying on top of.
It’s not expected to be easy, and the consequences are very real. Having been on the other side of investigations where you have the California Department of Public Health and Human Services looking at your practices, if you are under investigation for privacy breach, they are not limited to just that specific incident. You’re really exposing yourselves, your practice, your patients, to a microscope of what regulatory agencies can do.
It’s not something that you should take lightly. There are very serious consequences, and even in the best case scenario, you can be on a corrective action plan for years after their investigation is done.
Michael:
Sounds to me like this is a case of where an ounce of prevention does a lot of good.
Joyce LT Chang:
Absolutely, and it goes so far in just preventing future headaches for years and years.
Michael:
Joyce, thanks so much for giving us a glimpse into some fundamentals of privacy law, and why it’s so important, and why HIPAA sounds like it’s something that you want to deal with better before than after, and better on your own than during some kind of regulatory investigation, if, indeed, a breach occurs.
Just one last question, how often do these things come to light, and how likely is it … What if somebody said, “Gee, I’m a small office, and no one’s going to know, and HIPAA’s expensive, and I just don’t want to deal with it, and it’s not even written in English anyway, and…
Joyce LT Chang:
If you touch any patient information, you need to understand HIPAA, and if you fail to prepare, you can prepare to fail. It’s really that simple. All it takes is for one patient complaint, one random regulatory review, and that can completely cripple your practice, and not just with financial penalties, but with potentially all sort of consequences as well too.
Michael:
On the flip side, what’s the good news about prevention?
Joyce LT Chang:
People who go into healthcare, they want to do right by their patients, and part of that is protecting their patients’ privacy and their legal rights as well too. You want to have clear expectations for everyone involved so you can strive really for the most harmonious relationship and treatment.
Michael:
Wonderful. Thank you very much, Joyce. It’s really been great hearing from you today.
You’ve been listening to the Healthcare Legal Adventures Podcast. This is Michael H. Cohen, president and founder of Cohen Healthcare Law Group. If you’d like to hear more episodes, simply go to cohenhealthcarelaw.com, go to the tab that says blog podcast, and you can download more episodes. Or visit our other website at healthcarelegaladventures.com, where you’ll find online courses, DYI forms, and other resources to help you with your healthcare and legal adventure. We’ll look forward to seeing you on the next episode.
How to avoid legal pitfalls of physician (MD) collaboration with …
How can integrative medicine physicians collaborate with chiropractors, without triggering unnecessary patient liability, medical board …
Contact our healthcare law and FDA attorneys for legal advice relevant to your healthcare venture.