Each time one of your patients checks in, his or her personal information has an increased potential of being seen or overheard by someone else in your reception area. However, being aware of this increased risk and setting up preventive actions means you can head off common HIPAA violations at check-in before they occur.
Identify Danger Zones
If your reception area is like most, it’s probably located in or close to your waiting room. Accordingly, because of patient traffic, the chance of your front desk staff committing one of several common HIPAA violations skyrockets. Your front desk team may be handing out or receiving patient paperwork, answering patient questions, talking on the phone, completing patient documents, or discussing a patient with a staff member. If any of these things leads to someone who isn’t authorized hearing or seeing a patient’s protected health information (PHI), a potentially costly HIPAA violation has been committed.
This generally includes data such as new patient or updated patient information, insurance verification, reasons for the patient’s visit to your office, referrals, etc. Your front desk staff must gather all of this information, provide instructions about what will happen next, and do so in a way that sidesteps these common HIPAA violations. Otherwise, you risk significant violation consequences for your practice.
Role Playing Training Solutions
It’s important that all your front desk staff receive very specific training on exactly how you’d like them to respond to specific HIPAA scenarios. Leaving your staff to figure things out on their own increases your risk exponentially. The ONLY way for you to be sure that your reception team is handling patient communications and interactions correctly, and avoiding these common HIPAA violations, is to train them and follow up to ensure they are utilizing the training accurately.
A great way to train your staff is through role-playing. Here are steps to help you run through the process:
- Staff involvement: About a week before the scheduled HIPAA training, ask your front desk team to come up with and submit to you potential HIPAA-breach scenarios based on their experiences at your practice. You may need to give them an example or two to help them get started (see examples below). Also, in your communication requesting these scenarios, make it a requirement that every member of your team submit at least one scenario. Also, make it clear that once you receive a scenario from each person, you’ll review them and choose which ones you are going to utilize for the training. Let everyone know that not every scenario submitted will be utilized, but all are appreciated.
Tip: It is important to let your team know that not all scenarios submitted will be utilized, so they don’t set an unreasonable expectation that, if not met, will result in disappointment.
- Team Grouping: Separate your team into groups for the role-playing exercises. The size and number of the groups you split your team into depends on the size of your staff. You can choose to give each group different scenarios or give them all the same scenario to see how their responses differ. Then, give the teams time to put together a “skit” based on their scenario identifying how they would avoid these common HIPAA violations. Once they are finished, then they’ll present their skit to the other teams. During this time, your staff should discuss how they believe each situation should be handled. One at a time, have each group role-play their scenarios in front of other groups.
Note: If you have a very small team, try having your reception staff present their scenario to the clinical staff (it is important that providers receive HIPAA training too).
- Getting Feedback: Once each of the individual scenarios has been acted out, identifying how the group would avoid these common HIPAA violations, give the “audience” an opportunity to share their thoughts. The goal is to get your team to comment on whether they believe the situation as presented was HIPAA-compliant. Ask them what the actors did well, what they should improve on, etc. Use the role-play critique as the foundation for a discussion with your entire group about how to ensure they are compliant with HIPAA regulations.
- Recognition: Finally, regardless of whether the “skits” are compliant, take time to compliment your team and their involvement in the process. You want them to walk away with a positive impression.
Important: Don’t fall into the trap of only training new front desk team members on HIPAA compliance. You should train with your entire team (new and old staff) several times a year. This will keep the topic of front desk HIPAA compliance fresh and on everyone’s radar and help your practice avoid costly common HIPAA violations.
Below, you’ll find an example of a common front desk check-in role-play scenario associated with a specific HIPAA risk area and how to handle it. Use this as a foundation to develop your own role-play scenarios with your team.
Check-In Role Play Training Scenarios
Below you’ll find an example scenario and two different situations associated with it. This scenario is going to be the basis for a role-playing exercise for your front desk team. The goal is to get them thinking and talking about HIPAA.
How you structure your role playing will depend on the size of your team. If you have a large number of front desk staff, it might be best to ask for volunteers. The remainder of your staff can watch. However, if you have a small front desk team, divide them into two groups and give each group a different situation to role play.
Once you’ve decided how you are going to structure the role-playing, sit down with your entire team and read through the scenario that will be presented. Then, break up your teams based on the structure you’ve decided upon, and give them 5 minutes to discuss how they’re going to conduct their role-play.
Front Desk Role-Play Scenario Example:
The front desk staff at a busy practice are charged with confirming the accuracy of each patient’s information on file when patients arrive for their appointment. Not having accurate information in your file can be a problem and pose a possible HIPAA violation. For example, if you depend on the information from the patient file and it is incorrect, you could end up leaving a phone message at the wrong number or mailing personal information to the wrong address.
While the front desk team is responsible for updating patient information, their supervisor has not given them clear instructions on how specifically to do this. Accordingly, to accomplish their goal, the staff decides to ask each patient as they check in, “Has anything changed?”
Response Example #1:
A patient who has not been to your office in nearly a year responds to your receptionist’s question, “Has anything changed?” with “Nope. Everything’s the same since last time.”
Result: Although your patient said that everything is accurate and nothing has changed in their file, this may not be the case. The problem is that the question asked is entirely too broad and unfocused to ensure an accurate response. Your patient might not have moved in the last year, but he or she could have a new insurance number. Or, what if he or she moved right after the last appointment with you and thought he or she had given you the new address?
Response Example #2:
A patient responds to your inquiry, “Has anything changed?” regarding their personal information by loudly going through their exact name, new employer, new health insurance carrier, and the insurance policy number with your front desk person. As the patient is going over the information, the receptionist double-checks the data in their system and updates any necessary information. During this scenario your waiting room is full, and all of the information verbally provided by the patient is easily overheard by others. In addition to the full waiting room, there is another patient waiting to check in as well.
Result: The patient recites multiple pieces of personal information out loud at your front desk, so everyone in the waiting room can hear. This could easily be considered a HIPAA violation.
After all of the role-play situations have been acted out, sit down with your entire team and get their thoughts on what risks they have seen and what else they would do to avoid these common HIPAA violations. Then ask them for their comments, using the risk areas they’ve identified as a guide for additional role play and conversation.
For more ways to avoid costly HIPAA violations at your front desk, check out the 60-minute online training from healthcare consultant and management expert, Tracy Bird, FACMPE, CPC, CPMA, CEMC, CPC-I. Her online training, Head Off Front Desk HIPAA Nightmares, is immediately available for you to access and utilize for your entire team. Don’t wait, register for this practical, step-by-step online training today.
There are a variety of ways these situations could have been handled to prevent the disclosure of patient PHI. Use these talking points as you discuss this role-play exercise with your staff:
a. Set standards: In the scenarios above, the staff were not instructed how to specifically ask for updated information. Instead, they used their best judgment. But each person may have a different view of the correct way to handle the issue. Setting standards is the only way to ensure compliance.
b. Be specific: When providing guidelines to your front desk team, be specific. For example, instead of the team choosing to ask, “Has anything changed?” coach them on how and why it is important to be specific. Instead, provide them with an example of how they should have asked for the information.
“We need to verify that we have your current information on file. May I make a copy of your driver’s license and insurance ID card to update our records?”
If the patient claims that the information is the same as last time, recommend that your staff respond with something like:
“We like to check just to be sure, so our records are up to date.” Your front desk team can also explain that it’s their responsibility to check each time. Asking to get a copy of their license and insurance card can also make sure that your patients don’t say their personal information out loud or forget that they didn’t update their information.
c. Printouts: Your front desk staff can also be coached into providing each patient with a printout of their information you have on file (along with a clipboard and pen). Then, encourage your team to ask them to update anything that has changed. Once again, this stops the patient from giving his or her information to you verbally and allows them to review all of the information while waiting for the appointment.
Warning: Keep a close eye on these printouts. If your patient leaves the information at the reception desk, face up, and another patient ends up reading it, you’ll have another potential violation. Bottom line, you must clearly train your staff on how you want them to handle potential breaches. Otherwise, you won’t know if your patient PHI is protected.
Keep a Training Log
It is imperative (and required) that you document these and other HIPAA trainings. Each time you complete a training session, add an entry onto a HIPAA training log. At a minimum, you should document the date and time of the training, specifically what was covered, who attended, and the results. If desired, as added proof of the training, you can choose to have all participants (even you) sign the sheets stating that they attended and what was discussed.
Once completed, your HIPAA compliance training log should be kept in a binder that you can easily access should you fall prey to a HIPAA audit. This provides HIPAA investigators evidence that you are regularly working to keep your front desk team compliant and protect your patients’ PHI.