Avoid Front Desk HIPAA Release of Information Violations


Q: Recently, a police officer called our practice and asked our receptionist for a patient’s phone number. We previously saw the patient at the request of the Department of Transportation for a physical. Even though the caller ID indicated that the person on the phone was actually from the police department, our receptionist was unsure and escalated the call to me. Ultimately, we did not feel comfortable releasing the patient’s phone number to the caller without authorization from the patient.  Did we do the right thing?

~ Clinic Administrator, Texas

A: You absolutely did the right thing.  If you had released your patient’s phone number to the caller without the proper documents or authorization you would have broken the law.

The protection of your patients’ information is governed by the Health Insurance Portability and Accountability Act (HIPAA). This Act controls when, how, and to whom you can release patient data.  Even law enforcement requests do not trump HIPAA rules without either a court-issued subpoena or a patient-signed Release of Information form.

Failure to comply with HIPAA regulations can quickly open you up to violation penalties of up to $50,000 per incident. Your practice can also be subject to a patient lawsuit for breach of privacy – if your state allows such action.

Point-of-Contact Risk

One of the highest HIPAA compliance risk areas at your practice is your front desk. This is especially true if your reception team also answers the phone.  Why? Because these staff are the primary point people for anyone contacting your practice – and, yes, requesting patient information.

In the example provided, your receptionist’s suspicion of the caller, and escalation of the request to you, was the safest way to handle things. However, how can you be sure that the next time your office receives a call requesting patient information, it will be handled correctly?

To help reduce future HIPAA mistakes, every single person at your practice who greets patients, whether over the phone or in person, must know exactly how to handle requests for patient information. Some practices limit all such requests to one key person who is schooled in HIPAA compliance. This can significantly reduce your overall HIPAA compliance risk.

Reduce Phone Call Risks

Even if your caller ID says that the person on the phone is who they say they are, it may not be true. Technology allows scammers/spoofers to display any caller ID they want.  Accordingly, your practice should never release patient information solely based on a phone request.

To reduce the chances of a HIPAA violation, everyone at your practice who answers the phone must be trained to know and follow your patient release of information rules. Your staff must understand that just because a police officer, court official, or other trusted authority calls requesting patient information doesn’t mean that it should automatically be released.

The only way to be HIPAA compliant in these situations is to confirm the identity of the caller and ensure you have the correct Release of Information authorization documents on file. However, if you can’t trust the caller ID, what should you do?

To start, explain to the caller that you must verify their identity before any request for patient information can be considered. To do this, you must get the following contact info from the caller:

  • Full name and position title
  • Company name (if applicable)
  • Name of their supervisor and phone number
  • A direct phone number where you can call them back. Also, if it applies, you should ask for a main phone number just in case there is any trouble.

Before hanging up, read back the information you have collected to confirm its accuracy.

To end the call, politely tell the person that you will be back in touch soon to provide them with a response to their request. Once the call has ended, do the following:

  • Write down the number that appeared on the caller ID during your conversation.
  • Go online and search for a contact phone number based on the name and/or company you were provided.
  • While online, go to the company website to see if you can find the person you spoke to listed (if applicable).

Now you are ready to verify the identity of the caller:

  1. Compare the caller ID phone number to the direct and main numbers you received. If none of the phone numbers match, this COULD mean the caller is not legit, but they might still be.
  2. Call the supervisor (if applicable) at the main number:
    a. If you reach the supervisor, ask them to confirm that the person you spoke with is truly employed by their company.
    b. If the supervisor is not there, this is an even bigger red flag of a problem.
  3. Call the company’s main number that you found online and ask for the caller by name. If you are told that the person does not work there, then you can pretty much bet that the call was a scam.

Whether your research determines that the caller is legit or not, whoever is verifying the information must document the process in detail. This verification process can easily be done by your reception staff, once trained to do so. Then, they should turn over all their research to practice management to make the final decision.

Remember, if your practice’s policies don’t already spell out situations such as this, where someone calls claiming to be seeking information about a patient (an employer, law enforcement, a school, an insurance adjustor, etc.), you need to amend them immediately. A newer employee without a full understanding of HIPAA could easily be duped into giving out a patient’s personal information, leaving your practice liable for the fallout.

Your front desk is one of the first lines of defense against HIPAA violations and errors. Ensure your team has all the tools they need to protect patient information and avoid costly fines and penalties by watching Healthcare Training Leader’s session, Head Off Front Desk HIPAA Nightmares. In this 60-minute online training with Tracy Bird, FACMPE, CPC, CPMA, CEMC, CPC-I, you’ll get the tools you need to shore up your front desk policies and guard against even innocent violations. View this immediately available training today.

