Ultimately, all employees, including medical billers and coders, within an organization bound by HIPAA are responsible for maintaining compliance to the best of their abilities.
Even though HIPAA has changed privacy and data protection for the better, don’t be fooled into thinking that information that should be held confidential between doctor and patient stays in the examination room. Patient information is exchanged in many places, so discretion on the part of all staff is imperative to protect the rights of your patients.
Consider this: In earlier days, patient charts were kept in file cabinets or record rooms. Ideally, only those with a need to see those records were allowed access. Today, because of electronic data transfer, all patient information finds its way into data files. Without high levels of security, confidential patient information could easily find its way into the wrong hands.
With regard to patient confidentiality, the general idea is really simple: Those who do not need to know should not be told. Patients in the waiting room do not need to know anything about another patient.
Nor do they need to know why that patient is there. Your office should have a process that allows every patient to relay this information without anyone else in attendance being privy to that info.
Your employer is responsible for having a compliance implementation plan and a way to monitor whether the plan is being followed. In small offices, one individual may be responsible for monitoring practices, like making sure computers are password protected, making sure that sensitive areas are secure, and so on.
Larger facilities normally have a number of people monitoring compliance within the practice. These individuals include informational technology specialists who make sure that no software viruses or network breaches occur.
You also have an important role to play. Fortunately, the do’s and don’ts of compliance are basic.
Here are the things on your Do list:
Treat patients’ personal information as you would like your own information to be treated: Keep it secure and respect their right to privacy.
Use passwords that are not obvious (password is not a password; neither is 12345), keep them in a secure place that is also password protected, and change them regularly.
If you need to be in patient areas, be discreet. If you work in a surgery center, wear the uniform so that patients are not uncomfortable with a stranger in street clothes.
Keep your voice down when discussing patient finances, both in person and over the phone.
Be professional at all times.
And here are the don’ts:
Don’t write your passwords on the side of your computer, share the passwords with other staff members for their use, or use the same password for everything. (Note that most office policies require that all passwords be registered with either the office manager or compliance officer; that’s fine.)
Don’t discuss personal issues in the presence of patients.
In many offices, the coder is the one with the best resources for staying abreast of compliance regulations. The coder also needs to stay aware of Medicare policies, which include compliance issues.
Beyond your official responsibilities regarding compliance, keep in mind that, as part of the office staff, you can help guard confidentiality in other ways. For example, family members of the office staff don’t belong in the secure areas of the office, and visitors to the office need to identify themselves and the reason for their visit. If you see people in areas they shouldn’t be in, inquire why they’re there and direct them elsewhere.