Using fully patient-identified records is appropriate for patient safety and can be achieved within the current regulatory framework by using secure electronic systems, state the authors of a commentary from the July-August 2015 edition of the Agency for Healthcare Research and Quality's (AHRQ) online case study review, WebM&M. In the spotlight case, a 64-year-old man with severe dementia was admitted to the hospital after a week of worsening confusion and agitation. A magnetic resonance imaging scan of the man's brain was ordered by an overnight resident, but because the hospital used paper-based sign-out documentation that included only patients' initials for privacy, the order for the brain scan was accidentally placed in the chart of another patient with the same initials. Fortunately, the error was caught the following morning, and any potential harm was avoided. According to the authors, the case demonstrates that misunderstanding of the Health Insurance Portability and Accountability Act's (HIPAA) regulations persists and illustrates how such misinterpretations can have serious implications for patient care. The authors note that, largely out of fear, many organizations impose greater privacy protections than HIPAA requires, but they caution that while there are risks in violating HIPAA, patient care can also be endangered by overinterpreting the regulations. To ease these fears, the authors explain that, based on the enforcement track record of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights, episodic and inadvertent violations are generally treated as an opportunity to counsel and correct a provider about what the regulations require, whereas significant penalties are reserved for organizations with patterns of repeated violations.
"If a particular precaution taken in the name of 'HIPAA' or 'privacy' poses risks to patients, it is likely not necessary—and providers and health care delivery systems should consult with their privacy officer, seek counsel, or review guidance from HHS prior to imposing it," they state. The commentary offers strategies to improve HIPAA compliance while maintaining patient safety, including reviewing HIPAA and state medical privacy law policies to ensure they are up to date and not based on any myths about what those laws require, training regulatory staff on privacy laws to help ensure that misinterpretations of the law do not get embedded into day-to-day operations, and, as in this case, considering the way electronic health record technology can be leveraged to both advance privacy and improve the quality of patient care.
HRC Recommends: Risk managers should ensure that training staff about what is required to maintain health information privacy and security remains a risk management priority. Although vigorous enforcement of the HIPAA privacy and security provisions warrants rigorous compliance efforts, healthcare organizations should assess whether staff is misinterpreting HIPAA privacy requirements and take steps to correct misunderstandings, as failure to do so can put patients at risk of harm.