The overcoming equation: Guiding an organization through HIPAA mishaps

By Kathleen J. DiGregorio

Kathleen J. DiGregorio (kathleen.digregorio@guidehouse.com) is Compliance Analyst at Guidehouse Managed Services – Healthcare Segment in Gardena, CA.

You are a compliance professional on the day a fine has been imposed on your organization for a serious Health Insurance Portability and Accountability Act (HIPAA) violation. Credit monitoring services have been made available to the patients whose protected health information (PHI) data were disclosed. Senior leadership and account executives have contacted clients to relay the details before they read it online while the legal department is preparing an online media statement. This is a rare event, yet you have to be prepared for the post-recovery period within the organization. A more familiar event is you, as the same compliance professional, have a meeting with the human capital department to talk with a valued, tenured team member about another avoidable and careless mistake reported first to the client by a Centers for Medicare & Medicaid Services (CMS) employee. Because this is the third HIPAA incident in six weeks by the same team member, the repeated incidents have called into question your organization’s ability to process this new client’s claims error-free and in accord with their standard of work. To remain consistent with organizational disciplinary guidelines, you issue a final written warning, and this team member will likely take the news very hard because they won’t be eligible for the long-hoped-for promotion to team lead or a merit increase for six months.

Both events present opportunities for compliance to move into action mode by assisting your organization after HIPAA mishaps of varying degrees while partnering with human capital and leadership to invest in empathy and understanding to create a positive shift while team members continue to work in an emotionally sensitive atmosphere.

The root cause

Recently, the compliance officer for our organization and I were talking about an article[1] that stated that in a CMS oversight audit, more than 80% of the hospitals had processed Medicare claims incorrectly and would receive lowered reimbursement rates in 2021. She stated that if the majority of organizations are getting it wrong, there is something fundamentally wrong in the CMS instructions, guidance, and availability to answer questions mid-stream to avoid punitive reimbursement reduction during this critical period in hospitals’ financial futures. So, let’s apply this to the HIPAA mishaps at your organization.

It is that straightforward and simple: If team members are making the same mistake, something has gone wrong. Compliance needs to break down the steps on any procedure that is the source of multiple HIPAA incidents and use Lean Six Sigma,[2] the five whys,[3] or another diagnostic process to gain a full understanding of a process flow. Don’t wait until more incidents rack up and clients begin to question your organization’s ability to function seamlessly on their behalf. Within this analysis, check in with employees assigned to the project. Team members might report there are no desktop procedures, or that verbal instructions have been issued to do unauthorized workarounds, or that they continue to work through rest and meal breaks to get the job done at any cost. Ask practical questions. Can the fax unit be preprogrammed with frequently used numbers? Is there a particular time of year or day in the week when there is an uptick in incidents? Is there a similar uptick with remote workers versus in-office employees, or newly promoted supervisors versus seasoned team leads? Is further training needed with one-on-one coaching or from a prerecorded training session? Save the big-picture issues for an annual risk assessment and jump into the trenches on this one with a goal in mind to stop similar incidents from occurring.

Does the training match the tasks?

We have all sat through annual required training courses that feature the classic trio of colleagues: two in white lab coats and one in blue tailored scrubs with a stethoscope, all viewing a clipboard while agreeably discussing a case near the nurses’ station. This is now followed by 25 minutes of HIPAA training and how to secure PHI data with patients, vendors, and the public in the daily work environment. This is a case of the right message if the workplace is a hospital or a clinic, but a wrong fit for revenue cycle management, claims clearinghouses, and other downstream vendors. If you can’t switch vendors, or if annual training isn’t due for another eight months, make use of micro-training in staff meetings; tip sheets distributed on a quarterly or monthly basis to revisit the basics that address the team members’ daily tasks such as email and document encryption; release of information; fax cover sheets with a HIPAA disclaimer; and operational reminders like locking down computers when away, securing electronic devices while traveling, and using security badges. Including compliance contact information plus access to an anonymous compliance and ethics hotline is an essential way to remind team members that the compliance department is available to all team members to discuss issues and ask questions.

Monotasking

There is a belief that we all can and must multitask throughout our workday with rapid speed, achieving a final product with 100% accuracy. Not so, my compliance comrades! At times, multitasking, plus distractions around the office or from a remote work environment, can lead to HIPAA incidents or worse—a full HIPAA breach. After a HIPAA incident, a team member might feel pressured to accelerate their productivity to prove they are a valuable employee. That is a great motivation for some, but is it always wise or feasible? For example, a team member might attempt to listen to a staff meeting on Skype while sending out client deliverables, without giving this important task their full attention. In error, an unencrypted spreadsheet of Physician B’s denials is sent to Hospital A, and now there is a big problem that could have been sidestepped. This is where I want to introduce the staid yet trustworthy concept of monotasking: All the cool kids are doing it because it is very 2021. Simply stated, when working with any patient PHI data or confidential client files, do one thing at a time to completion, proof it, and hit “Send.” Obtaining an endorsement from operational leadership is the next step for this simple formula, especially if there has been a recent compliance rough patch. This will go a long way to empower team members to regain control of the quality of their work.

Does the punishment fit the crime?

If an actual crime has been committed, that would be a different set of obstacles to resolve. So why let a team member be treated as if they are about to do hard time in federal prison or could soon be unemployed? Keep the corrective response to an unintended HIPAA incident in proportion to the outcome—a faxed set of medical records sent to the wrong insurance carrier, also a covered entity bound by HIPAA regulations, is a manageable issue. But eroding the dignity and self-confidence of a team member can’t always be fixed and is completely avoidable.

As compliance partners with human capital and leadership teams, sometimes a brief tutorial on where an incident falls on the range of severity of HIPAA incidents can go a long way in helping everyone involved understand the next steps. As an example, two misdirected faxes of two sets of patients’ PHI sent to another covered entity is not a HIPAA breach, so what needs to happen for compliance to remedy the errors and consider the incident closed?

Before the meeting with the team member, outline and discuss the talking points with your human capital department. The star of the conversation is the compliance issue, identifying the root cause from team member’s actions, and securing a confirmation from the team member that they fully understand how not to make the same mistake in the future. Don’t allow a supervisor or human capital personnel to bundle in other issues, such as the team member’s recent history of being tardy from lunch, while you sit by waiting to address the compliance issue. That is a meeting for another day and something you as a compliance professional don’t play a role in.

The thing about forgiveness in the workplace

It really can happen—forgiving one another for errors and allowing that process to shape future interactions and build back confidence in a team. Compliance will never change each team member’s reluctance to self-report an incident, but it can actively partner with human capital and leadership to create a shift away from the false perception that an unintended error carries tougher consequences than it does.

Not the first one and certainly not the last

While working as a compliance auditor for a nonprofit Employee Retirement Income Security Act, I sent an email to Dale, the building maintenance guy I waved hello to every morning, about removing some boxes near my office for the recycling bin. No response after two days, so I sent Dale another email; still no response from Building Maintenance Dale, but I did receive a terse reply from another Dale. As it turns out, I was emailing Client Dale, who wasn’t tasked with recycling boxes or any other office maintenance chore. After I sent an apology email to Client Dale, I sought out a few minutes with my departmental director. While cringing with embarrassment, I self-reported the incident. My director kindly shared something her former director said to her: “You aren’t the first person, and you won’t be the last one, to make an embarrassing but harmless mistake.” Those words lit up a pathway for me in my mind out of embarrassment and into moving on to talk about our next steps in more important matters going on in the department beyond my awkward emails.

In summary, in determining the next course of action, a collaborative effort throughout an organization creates the best opportunity for moving beyond the impact of HIPAA mishaps. In healthcare, millions of transactions are successfully processed error-free every year—that’s what keeps the doors open and pays the light bill. Help a team member or an organization as a whole distance themselves from a singular event and align themselves with all the good work accomplished in the past and that can be achieved in the future.

Takeaways

  • A compliance professional’s role within an organization is strengthened with active interdepartmental partnering.

  • Identify the root cause of Health Insurance Portability and Accountability Act (HIPAA) mishaps by understanding workflow processes and team members’ assigned tasks to assist with reducing repeated incidents.

  • Tip sheets and ongoing micro-training designed for an organization’s unique deliverables and workplace will build on compliance fundamentals addressed in annual training courses.

  • Encourage the practice of completing one task at a time and reducing distractions when working with patient’s protected health information to avoid potential HIPAA mishaps.

  • Empathy goes a long way in supporting a team member and the organization as everyone moves beyond a HIPAA mishap and transitions into good and productive work.

 
1 Jacqueline LaPointe, “Most Facilities in Hospital Readmissions Reduction Program Penalized,” RevCycleIntelligence, November 4, 2020, http://bit.ly/3dh0EGv.
2 “Lean Six Sigma,” Wikipedia, last edited February 2, 2021, at 21:10 (UTC), http://bit.ly/376SsVK.
3 “Five whys,” Wikipedia, last edited February 8, 2021, at 22:28 (UTC), http://bit.ly/3a2xaJo.
This publication is only available to members. To view all documents, please log in or become a member.
Become a Member Login

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings