7 tips to help you protect patient privacy
By Jacqueline Klosek
Chiropractic professionals and other individuals and organizations that collect, store, and use personal data in any capacity are facing challenging times.
Given stringent legal and regulatory obligations existing under HIPAA and other health-privacy legislation, you and other healthcare professionals have long recognized the importance of maintaining the privacy of health information. Even prior to the enactment of HIPAA, health professionals had legal obligations to protect patient privacy.
However, privacy is getting tougher to maintain, and consumers are expecting more guarantees from those to whom they entrust their most private information.
As a result, it’s now more important than ever to have a solid, proactive privacy strategy. Yet few organizations actually do. Anecdotal evidence suggests many organizations continue to take a reactive approach to privacy, choosing to direct their privacy strategy toward addressing specific requirements of laws and responding to actual breaches when they occur as required by law.
In addition, studies and surveys confirm that many organizations predominantly view privacy as a risk to be avoided rather than as an opportunity to build consumer trust. Organizations that take a more holistic, proactive approach to privacy are likely to reap the rewards, with increased patient confidence and trust.
While there is no one-size-fits-all approach to adopting a privacy strategy, certain key steps apply to all organizations. The following recommendations are provided to guide practitioners through a checkup of their information privacy and security programs.
1. Conduct an initial and ongoing internal audit. Before an organization can provide its patients with useful information about its privacy policies and practices, it must first understand what they are.
To do this, conduct an internal audit to identify what data you are collecting, how you are using that data, with whom you are sharing that data, and how you are protecting that data.
Once you complete the initial audit, conduct additional compliance audits every 90 days to ensure compliance with the law and your internal policies and procedures.
2. Develop a privacy policy. Once you have clarified your organization’s policies and plans for collecting and using patient data, develop and communicate formal policies internally and externally.
For covered entities, it is important to note that providers must have documented policies and practices that clearly address patient privacy and the security of protected health information. Patients must receive policies regarding consent, authorization, disclosure, and rights.
While HIPAA dictates much of what is to be included in a privacy policy, it will be essential to ensure that implemented policies reflect accurately what your organization does and will do with respect to patient information.
3. Be prepared for the inevitable. It is essential to think ahead and anticipate the unforeseen, including the potential that you could face a government subpoena demanding patient information.
By understanding this may occur, you can prepare policies in order to set patients’ expectations regarding the privacy of their personal information. This may help you avoid making a strong privacy promise to consumers that changing circumstances may not allow you to maintain.
4. Give your patients control of their information. Organizations subject to HIPAA have legal obligations to obtain consent prior to certain processing activities, including most third-party disclosures of information.
With few exceptions, a patient’s data should be used for health purposes only, including treatment and payment. In addition, specific patient consent must be sought and obtained prior to engaging in any nonroutine uses and most nonhealthcare purposes, such as releasing information to financial institutions determining mortgages and other loans, or selling mailing lists to interested parties, such as life insurers.
Patients have the right to request restrictions on the uses and disclosures of their information.
It is extremely important to understand the circumstances under which consents must be obtained and have processes in place to ensure that requisite consents are in place before transfers are made. In addition, it is important to note that patient authorization to disclose information must meet specific requirements.
Establish and implement an effective disclosure-tracking mechanism. Long-term compliance with accounting of disclosure provisions will be possible if disclosure of protected health information is recorded on a regular basis.
5. Conduct due-diligence when sharing data. When you share patient data with third parties, you rely on that third party to do its part to allow you to maintain promises you have made to your patients.
Because one false move by a contracted third party can do immeasurable damage to the trust and goodwill you have established with your patients, conduct proper due-diligence on all third parties with whom you may share data. Examine the third-party service provider’s experience with privacy and data security and investigate any privacy complaints the service provider has faced.
Of course, subject to very limited exceptions, organizations subject to HIPAA are required to have business-associate agreements in place with such third parties. These are important, but they are not sufficient and should be augmented with the due-diligence procedures.
6. Invest in security. You cannot protect the privacy of information if the security of the information is not protected.
Consequently, organizations must integrate technical, administrative, and procedural safeguards into their overall privacy strategy. The security program should, of course, meet all requirements of HIPAA and cover all security vulnerabilities by installing needed measures to protect data confidentiality.
7. Train, train, train. The extreme importance of training cannot be overemphasized. Many of the most high-profile and damaging data breaches have been a result of relatively simple employee errors. Regular, consistent, comprehensive training is fundamental to true data privacy and security.
The tips presented in this brief summary are intended to serve as a starting point for you to begin a review and revision of your internal policies and practices. The challenges of protecting the privacy of customer data will continue to expand and increase.
Of course, if you violate HIPAA, you become exposed to civil and/or criminal prosecution, which may, in turn, result in large monetary penalties and possible imprisonment.
Successful organizations view privacy issues beyond the confines of specific legal requirements and as a tool for building loyalty, trust, and goodwill with their patients and customers. Organizations that prepare for and address these privacy challenges in a proactive and holistic manner are likely to be viewed most favorably.
Jacqueline Klosek is a senior counsel in the business-law department of Goodwin Procter LLP, where she practices in the intellectual property practice area. The author of two books, The Legal Guide to e-Business and Data Privacy in the Information Age, she can be reached by e-mail at JKlosek@goodwinprocter.com or through the Web site, www.jacquelineklosek.com.
The importance of taking a good history
By Stuart E. Hoffman, DC, FICA
On Jan. 17, the patient, a 64-year-old male, presented to Dr. Brown complaining of pain in his shoulders and back.
Dr. Brown was filling in for another chiropractor, Dr. Red, at the Chiropractic Center.
Dr. Brown took x-rays of the patient’s cervical spine, but was unable to take an x-ray of the thoracic spine due to the patient’s size. Dr. Brown also took a medical history, which included prostate cancer diagnosed four years earlier, but did not ask questions about the cancer treatment.
Dr. Brown opined there were subluxations in the upper thoracic region. He then performed adjustments of the patient’s cervical and lumbar spine on nine occasions from Feb. 1 through Feb. 27, but never adjusted the patient’s thoracic area.
At 9 a.m. on March 11, the patient came to Dr. Brown with severe back pain. Dr. Brown examined the patient and opined his C-5 vertebra was subluxated. He administered a supine cervical adjustment to the C-5 through T-2 region and used an activator on the T-1 through T-3 area.
Soon after going home, the patient lost feeling in his legs and called Dr. Brown, who told the patient to come back to the office, call 911, or put ice on his back and wait and see.
At 1:30 p.m., the patient’s wife came home from work and put ice on his back. At Dr. Brown’s request, Dr. Red then called the patient and recommended putting more ice on his back or taking him to the hospital.
The patient’s wife called the paramedics at 2 p.m., and the patient was taken to the local hospital. A CT (computed tomography) scan confirmed the patient had a cancerous mass (metastatic carcinoma) in the thoracic (T2-T3) region with rear impingement on the spinal cord.
Surgery was required to remove the mass and an emergency bilateral laminectomy had to be performed from T1 to T3 to relieve the compression. The patient remained in the hospital for four weeks and was left paralyzed from the waist down after the surgery. Rehabilitation was unsuccessful.
Chemotherapy was also unsuccessful due to the development of blood clots. The patient was admitted to a nursing home for two months and then remained home until the time of his death, which occurred 18 months after the surgery.
All medical expenses were paid by insurance.
WHO WAS AT FAULT?
The defense asked a number of chiropractors to review the case. All gave negative reviews and were unable to support the treatment rendered by the defendant, Dr. Brown.
Each expert opined Dr. Brown did not obtain an adequate history of the patient’s prostate cancer, nor obtain a full set of x-rays. While it was noted the x-rays could not be completed due to the patient’s size, the experts were of the opinion the patient should have been referred to a facility that could accommodate him.
The case was also reviewed by an oncologist, who could not provide a favorable review for Dr. Brown.
The experts also believed the adjustments performed by Dr. Brown were the cause of the resulting paralysis, even though paralysis was not present before surgery. Specifically, the adjustment performed by Dr. Brown on March 11 caused rear impingement of the spinal cord, which necessitated the bilateral laminectomy and led to the subsequent paralysis.
Although the patient would have needed surgery to remove the tumor, had Dr. Brown performed a more complete initial examination and referred the patient to his treating oncologist, the paralysis would have been avoidable because there would have been no compression.
Moreover, once Dr. Brown caused the compression, there was very little that could have been done to prevent the paralysis.
Additionally, it was determined that Dr. Red contributed negligence for his role in providing instructions to the patient following the incident.
This case was brought in a difficult venue for the defense, and defense counsel estimated the chance of a defense verdict at less than 25 percent. A verdict search of similar matters showed verdicts of $1 million. This matter was ultimately settled for the defendant’s policy limits.
Stuart E. Hoffman, DC, FICA, is the president of ChiroSecure. He is an experienced chiropractor and licensed insurance broker who advises based on his knowledge of both the insurance world and the chiropractic world. He can be contacted at 866-802-4476 or through the Web site, www.chirosecure.com.
How to deal with denials
By Steven Conway, DC, DACBOH, JD
I received yet another denial from an insurance company. Is there a way to get a successful reversal of these denials?
Insurance denials are frustrating. It is not the stimulus from the insurance company, but the doctor’s response that is key to a successful reversal of a denied claim.
Responding to an insurance denial should be an unemotional, systematic process based on the review of three key areas: errors in the facts, reference check, and errors in opinions.
• Errors in the facts. One of the first things you should do when you receive an insurance denial is read each section and outline the errors in the facts in the report. The errors can be of multiple different levels and types, from a wrong address of a patient to having a different patient’s name in the middle of the report.
The most common errors found are wrong names, addresses, dates of service, tests performed, misspelled words, and codes. Others include misquoting patient statements or stating specific documentation that was not included. You should also examine the reviewed documentation list to ensure the reviewer received the entire file and not just isolated parts from the insurance company.
List each error in order of importance with errors, such as a wrong patient name, at the top of the list and others, such as misspelled words, toward the bottom.
• Reference check. The report generally contains pages of references the reviewer feels support his or her opinion; however, you should actually get each reference and read it.
Sometimes the references are more show for the report than actual support of any opinion, or the references are macros the reviewer uses on all of his/her reports regardless of the type of claim. You can use this information in many of your responses with success.
• Errors in opinions. This is not a difference in opinion, but finding errors in the opinion. You want to find all of the facts in the documentation that contradict the reviewer’s opinion.
For example: If the reviewer opined in his report that all care after Sept. 24, 2007, should be denied because the patient did not receive home exercises in his treatment program — which would have decreased the reliance on the passive care provided by the provider — but the patient actually did receive an exercise program, you will want to state the opinion and the reference in the documentation that contradicts the reviewer’s statement.
A similar error occurs when the reviewer takes information out of context, such as noting one subjective comment by the patient on a specific date of “feeling great” and determining all care after that point is not medically necessary. The appropriate response is to list surrounding subjective and objective documentation that, again, contradicts the reviewer’s opinion.
Another common error is the use of generalized macros. You should keep a collection of previous reviews and wherever you see the “macro,” point it out in a fashion in the response that lets the insurer know you knew what it was, thereby decreasing its validity.
When it comes to a reversal of a denied claim, what you are dealing with is credibility. If you fill your response with emotion and threats, you lower your credibility. If, however, you base your response upon systematic factual analysis of the reviewer’s opinion that contains point-by-point contradictions, you greatly elevate your credibility and your response will have a greater chance of winning.
Steve Conway, DC, DACBOH, JD, is a partner in True North Chiropractic Consultants LLC, which provides guidance and ethical solutions to the barriers found in chiropractic practices. He can be reached by e-mail at chirolaw@aol.com or through the Web site, truenorthchiropracticconsultants.com.
DISCLAIMER: This column is provided for educational purposes only. The accuracy or timeliness of the information presented is not warranted. The information is not presented as legal advice and no attorney-client relationship is established.
QUICK TIP
Create a Great Practice
1. Pay a premium price. Pay 5 percent to 10 percent more than other healthcare providers in your area.
2. Provide creative benefits and incentives. Let your staff members create their own incentive programs.
3. Train rigorously. Develop a staff handbook and train employees on using it.
4. Train periodically. Take your staff to a seminar once a year.
5. Empower your staff. Let them make decisions when dealing with patients, as long as they stay within legal and ethical boundaries.