Avoiding common compliance pitfalls

Adhering to privacy rules and other compliance areas can be difficult in the fast-paced world of hospital medicine.


Is it acceptable for Jane, a hospital employee, to look up the medical record of her friend's blind date? What if her friend works in the police department and obliges by looking up the criminal record of Jane's blind date?

Clearly such behavior is off limits, yet this situation actually happened at a facility where Michael O’Connell, MHA, consulted. Mr. O’Connell, vice president of operations and physician services at Cleveland Clinic's Huron Hospital in Ohio, led a session on compliance at the Medical Group Management Association's (MGMA) annual conference in New Orleans in October.

Needless to say, the two employees in the example were fired. Most situations are not as clear cut, however, Mr. O’Connell noted. Adhering to privacy rules and other compliance areas can be difficult in the fast-paced world of hospital medicine, and violations don't usually spring from a place of bad intentions, he said.

“I don't think anyone comes into work saying they want to do a bad job, but we get busy, distracted, frustrated and overworked. We forget things, or say or do things in times of stress that we don't mean to, and it's important that those are corrected,” Mr. O’Connell said. “Better yet, educate people so they don't happen to begin with.”

Sharing information

While every hospital has its own unique set of compliance pitfalls that need to be identified, Mr. O’Connell outlined some common problem areas, such as a lack of employee understanding about the kind of information that can and cannot be shared with friends and family.

Subject to permission, a hospital employee can release medical information to a nonpatient if that person is involved in the patient's care or payment for treatment, Mr. O’Connell said.

“We have to help physicians and staff recognize that everyone doesn't have access to everything. So if you have a spouse that wants to know specific information about his or her spouse, we may not necessarily be able to provide that,” Mr. O’Connell said. “We may have to ask the [hospitalized] spouse if it's OK, and then document that permission.”

Some general information can be given, however.

“If someone is in the hospital, we can give out the person's location and general condition and whether he or she has died, but that is the extent of the information we can provide” without express permission, he said. “There needs to be a lot of education with staff on this, especially when it comes to behavioral medicine and women's and children's services.”

Training on which staff members can access what records is also important, Mr. O’Connell said. Unauthorized access to patients' medical records is the single most common HIPAA complaint, he noted. Examples include when 27 employees of a New Jersey hospital were suspended for looking at actor George Clooney's medical records after he was treated for a motorcycle accident, or when 15 California hospital employees were fired for looking up the records of Nadya “Octomom” Suleman. None of the employees in question had anything to do with those famous patients' care.

“Cleveland Clinic takes care of actors, actresses, kings and queens, and we can only share their information with people they say is OK. We send out email reminders saying some VIPs may be coming in and it is not appropriate to look at records if you're uninvolved with the care. And we do random audits, to see if anyone has accessed those records when they shouldn't have,” Mr. O’Connell said.

Unauthorized access can also crop up when an employee has been terminated but a hospital doesn't have a quick process to ensure his or her various logins and email have been deactivated, and pagers and phones returned, he added.
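The two checks described above, records opened by staff uninvolved in the patient's care and records opened by accounts that should have been deactivated, as an added example; this is not code from the article or from Cleveland Clinic, and the log format, care-team roster, termination dates and user names are constructed assumptions:

```python
from datetime import date

# Constructed sample data (not from the article). In practice these would come
# from the scheduling/EHR system, HR, and the EHR audit trail respectively.
CARE_TEAM = {                      # MRN -> users involved in that patient's care
    "MRN1001": {"dr.patel", "rn.lee"},
    "MRN1002": {"dr.ng"},
}
TERMINATED = {"tech.ruiz": date(2023, 3, 1)}   # user -> last working day
VIP_RECORDS = {"MRN1002"}                       # records flagged for extra scrutiny

ACCESS_LOG = """\
2023-03-03 09:12:00 user=dr.patel mrn=MRN1001 action=view
2023-03-03 09:40:00 user=clerk.kim mrn=MRN1002 action=view
2023-03-04 11:05:00 user=tech.ruiz mrn=MRN1001 action=view
2023-03-04 12:00:00 user=dr.ng mrn=MRN1002 action=view
2023-03-04 13:15:00 user=rn.lee mrn=MRN1001 action=print
"""

def parse_line(line):
    """Parse one constructed 'key=value' audit-trail line."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[2:])
    return date.fromisoformat(parts[0]), fields["user"], fields["mrn"], fields["action"]

def audit_access(log_text, care_team, terminated, vip_records):
    """Return one finding per access that the roster and HR data do not justify."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, user, mrn, action = parse_line(line)
        reasons = []
        if user not in care_team.get(mrn, set()):
            reasons.append("user not on patient's care team")
        last_day = terminated.get(user)
        stale_account = last_day is not None and day > last_day
        if stale_account:
            reasons.append("access after termination date; login not deactivated")
        if not reasons:
            continue
        severity = "high" if (mrn in vip_records or stale_account) else "medium"
        findings.append({"date": day.isoformat(), "user": user, "mrn": mrn,
                         "action": action, "severity": severity, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_access(ACCESS_LOG, CARE_TEAM, TERMINATED, VIP_RECORDS):
        print(f["severity"].upper(), f["date"], f["user"], f["mrn"], "; ".join(f["reasons"]))
```

On the constructed log this flags two of the five accesses: the clerk opening a VIP record and the terminated technician whose login was never disabled.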

Recovery audit contractors

Dealing with Medicare's recovery audit contractors (RACs), whose job is to recover improper payments and return them to Medicare's trust fund, is another big area of compliance, Mr. O’Connell said.

Once a hospital receives a Medicare demand letter (requesting the return of an alleged overpayment), it has 45 days to respond, so there's no time to waste, he said. Huron Hospital has a point person and a committee to work on RAC issues, so demand letters can be reviewed and promptly addressed, he said. The committee also tracks denied claims, finds patterns, and takes corrective action so as to be in compliance and prevent future denials.

“A lot of institutions don't have the time or infrastructure to respond to RAC audits, so 70% to 80% of payments are returned and the facilities don't contest them. We wanted to make sure we could respond, because there are millions of dollars at stake,” Mr. O’Connell said.

One of the biggest challenges in dealing with RACs is ensuring they are following their own rules and guidelines, he added. One such rule is that only claims after Oct. 1, 2007 can be reviewed; another is that RACs must employ qualified staff—nurses, physicians, certified coders—when doing reviews.

A third important rule is that there is a limit to the number of records the RACs can review. For hospitals, it is 10% of the average monthly Medicare claims (to a maximum of 200 claims) every 45 days per national provider identifier (NPI). For physician groups of six to 15 individuals, it is 30 medical records every 45 days per NPI; for physician groups with 16 or more doctors, it's 50 medical records every 45 days per NPI, he said.

The top cause of overpayments to inpatient hospitals is incorrect coding, followed by medically unnecessary treatment and insufficient documentation, according to a Medicare status report on the RAC program for fiscal year 2007. Knowing this, hospitals can anticipate the payments they might be questioned on, and conduct internal assessments to ensure they are in compliance with Medicare rules, Mr. O’Connell said.

“You may, for example, have a billing practice in which a charge ticket inadvertently gets copied twice, or the biller puts it in twice without knowing it, or there are two different people doing the billing,” Mr. O’Connell said. “Audits can help uncover this sort of thing.”

Huron Hospital carefully examines its practices to protect against double billing, billing for services not rendered, and upcoding. Billing reports are printed at the end of the day and checked to ensure two services aren't provided for the same patient on the same day, he said. The hospital also has a procedure to ensure diagnoses aren't misrepresented as a means of justifying services.

“We have a compliance checker in our lab that tells us what is covered, and sometimes we have to call a doctor—like if a diagnosis relates to a foot and the doctor is ordering a chest X-ray. And sometimes the doctor will say ‘Well, just tell me the diagnosis to use so it's covered,’ and we can't do that. Either they need to supply the diagnosis, or we need to charge the patient for that service,” Mr. O’Connell said.

Audits and reviews of processes are also important to uncover the difference between what the hospital thinks is happening and what actually happens, Mr. O’Connell said. For example, a routine audit at Huron Hospital uncovered the fact that a medical assistant was telling patients they didn't need to wear identification wristbands if they came to the hospital often.

“We do ‘safety rounds’ every week, where a multidisciplinary group of people runs through everything from whether people are washing their hands, or computer screens are visible to other patients, or doctors are talking about patients in the elevator,” Mr. O’Connell said. “We do this to figure out what our education message to staff will be next time around.”

Confidentiality and privacy

Hospitals need to ensure they are using the best processes possible to keep a patient's private information from being seen, overheard or otherwise disclosed to people who don't need to know, including hospital employees uninvolved in a patient's care, Mr. O’Connell said.

Waiting rooms are a hotbed of privacy leaks, he said. Best practices include using only last names on sign-in sheets, and crossing the names off as patients are called to be seen. All visible papers should be face down, computer screens should be turned away from public view, and staff voices should be kept low. Patients should be asked to keep a distance from the registration window when it's not their turn.

Hospitalized patients should also be given the opportunity to talk about their health in a private setting.

“If someone is visiting a patient in the hospital, you can say to the patient ‘I have some information to share with you, would you like to go [somewhere private] to talk?’” he said. This gives the patient the opportunity for a discreet conversation without putting him or her in an awkward position with the visitor.

Answering machines are another problem area. Simple is best: Employee callers should give a name, facility and phone number—and that's it.

“So you say, ‘Hi, this is Joe from Cleveland Clinic; please call me at 987-6543,’ not ‘Hi, this is Joe from Cleveland Clinic calling about your positive lab results for your HIV test,’” he said. “Sometimes patients get irate and say we made them nervous by not giving their results on the message, but we simply can't do that.”

To help ensure protected health information (PHI) doesn't get in the wrong hands, Cleveland Clinic has a policy that prohibits PHI from being transferred to regular flash drives, Mr. O’Connell said. “Instead, we use a special thumb drive that encrypts PHI, like a patient's name, Social Security number or medical record number. So if [the drive] gets lost or stolen, the information can't be accessed,” he said.

The hospital system also has email software that automatically scrubs messages labeled “confidential” and protects them so they are not vulnerable to unwanted eyes when sent through the Internet. Employee laptops have been updated to protect PHI as well, Mr. O’Connell said. Medical facilities and practices have a legal obligation to notify a patient if his or her personal information is lost or stolen, he added.

Duty to report violations

Complying with the duty to report suspected or actual violations of a hospital's code of conduct or policies is a thorny issue, because employees don't want to get their coworkers in trouble, Mr. O’Connell noted.

“It's important that people realize it's not a matter of getting a doctor or nurse in trouble, but of letting [compliance officers] know some of the kinds of things that are going on so we can address them,” he said.

Issues that fall under the duty to report include misuse of PHI, password sharing, unauthorized access to information, breach of confidentiality, and incorrect billing. To ensure these problems aren't happening, employees need to understand the systems and processes of their daily work, and that includes part-time, per diem and temporary workers, he said.

Two of the most important things to note about compliance are that auditing and monitoring are key, and that employees need to be reminded often about correct behavior via education, training and regular staff meetings.

“In marketing, they say you need to hit people with information about seven times, on average, in order for it to sink in,” Mr. O’Connell said. “So you need to figure out how to reach people in a lot of different ways.”