A sacred trust is at the heart of the relationship between patient and provider. Maintaining this trust can be tough for providers to navigate amid changing regulations and evolving technology.
We explore how compliance officers can help their organizations’ providers maintain trusted relationships while ensuring requirements around patient privacy and protected health information (PHI) are met.
Navigating HIPAA Privacy Rule complexities
The U.S. Supreme Court’s Dobbs decision, which left abortion policies up to states, also raised data privacy issues for providers. Further, the decision could undermine the sanctity of the patient-provider relationship.
Currently, federal laws that protect the physician-patient relationship include the Emergency Medical Treatment and Labor Act (EMTALA) and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The U.S. Department of Health & Human Services has emphasized the breadth of the HIPAA Privacy Rule and the importance of patients being confident their PHI will be kept private.
Dr. Koyama, a physician in the metropolitan Phoenix area, explained why preserving the physician-patient relationship is critical.
“As an abortion provider and emergency medicine physician, I have the privilege to learn about how the patient in front of me made it to my exam room,” Koyama said. “That story of their journey is the only way I can provide the best possible care to help evaluate, manage, or treat the reason for their visit. I need patients to feel comfortable and to give me as full and honest of their story as possible, so that I can provide the most effective and safe medical care.”
Koyama added that laws aiming to restrict or limit the sacred relationship between patient and physician could be “dangerous” for patients.
Safeguarding sensitive health data
From a compliance perspective, there are several ways to help the trusted patient-provider relationship remain intact. For organizations with offices in multiple states, a best practice for compliance officers is to follow the state or jurisdiction with the most stringent privacy laws or requirements. Then, adopt policies and procedures aligned with the most stringent patient PHI requirements.
It requires vigilance to balance the requirement to disclose PHI with the trust of the patient-provider relationship. Compliance officers should stay abreast of changes in federal and state regulatory changes to assist staff in understanding patients’ rights.
Evolving healthcare technology
Another area requiring compliance officers’ vigilance is evolving healthcare technology. A recent class-action lawsuit involving Meta’s Pixel tracking tool is calling attention to possible gaps in patient-privacy protections.
It illustrates the concerns patients have expressed about safeguarding PHI in today’s digital society. And it demonstrates the potential fallout if providers don’t get it right.
Implementing HIPAA Safeguards
Compliance officers can help prevent their organization from releasing patient data that could trigger a HIPAA violation. Their role involves ensuring that staff are up to date on the three areas of HIPAA safeguards: administrative, physical, and technical.
Below is a brief overview of each area:
- Administrative safeguards focus on the organization’s HIPAA policies, procedures, and training.
- Physical safeguards include access to office space and computers, and cover details such as ensuring that PHI is not disposed of in the trash or left unattended on a desk.
- Technical safeguards cover hardware, software, and technology, and include guidance around not sharing passwords or leaving devices unattended.
To maintain a trusted relationship with providers, patients need every confidence their provider values their privacy. And providers must thoroughly understand the permitted uses and disclosures of PHI. Compliance officers are central to both efforts.
By staying up to date on changing federal and state privacy requirements, compliance officers are helping their organizations better understand patients’ privacy rights and, in turn, maintaining patients’ trust.
Never miss an article from Denise Atwood. She covers protecting patients for the YouCompli blog.
Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.
Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.
How is your healthcare organization keeping up with changes in regulations? Read more about our regulatory monitoring process.
