necessary” guidelines. Another scenario may
involve front desk personnel in Radiology or
a physician practice hastily printing PHI for
the patient without proper authorization or
verified dates of service. In the fast-paced ED,
disclosure management can be a distraction,
impinging on caregivers’ focus, when administrative staff are much better equipped with
the knowledge to safeguard PHI.
Best practice is to assign PHI disclosure
and ROI responsibilities to a focused group of
professionals who understand the regulations,
receive ongoing education on changes, and
realize the complexities of the process.
Centralization yields stronger
Centralized disclosure management is the
recommended approach to safeguard PHI
and assure adherence to patient access rights.
Many health systems are now working with
individual organizations to move toward
an enterprise model that centralizes the ROI
process. This means establishing one area
for maintaining appropriate records of what
information has been released, where it’s
going, and when to escalate notification issues.
Regulating information through one department provides a much higher level of patient
privacy and care.
While working to mitigate risk, keep in
mind that the right combination of people,
processes, and technology yields optimal
outcomes. Choose technology that aligns
with your PHI disclosure management practices — particularly data analytics. Every
disclosure should be tracked to include all
information needed for Office for Civil Rights
(OCR) reporting, along with any inadvertent
mistakes or issues. Data points to be tracked
· all identifying information of the individual affected by the incident,
· details of any information accessed
· details of what happened,
· risk factors, and
· mitigation efforts.
The following types of human error commonly occur during PHI disclosures,
resulting in an inadvertent privacy breach:
· commingling of medical record data
(i.e., patient receives another patient’s
· incorrect recipient address or email,
· improper or missing patient
· multiple encounters sent.
Breaches associated with ROI will occur. It
is a matter of when, not if. The onus is on each
provider organization to track mistakes and
improve PHI protections over time.
Privacy dashboards identify root causes, track patterns and trends
Every privacy incident yields valuable data
to improve compliance. Privacy dashboards
can be used as a powerful tool to show patterns and trends for smaller incidents — now
being tracked by OCR — and for large events
as well. An effective compliance tool will
· consistent capture of data that can be categorized by the information data points
needed for an OCR report, crosswalked to
· built-in risk analysis, attached to the
notification provided to you, enabling
expanded analysis based on information
about the patient and/or event;
· built-in state laws, notifying you if a
report is warranted;
· time-sensitive data alerts;
· tracking of incidents related to the responsible person or process for drill-down
pattern analysis; and
· system dashboard reports per schedule
and/or on request, as needed.