"From the Files of..." SOS Healthcare

[The story you are about to hear is true. The names have been changed to protect the guilty.]
 

From the Files of SOS: The Case of… “L.A. Confidential” 

By Lynn Homisak, PRT

This article was reprinted with permission from Podiatry Management Magazine

This is the city…Venice, California; a popular suburb of Los Angeles. We were no stranger to L.A. and ordinarily a visit here meant indulging in the canals, beaches and extravaganza of festivities along Ocean Front Walk. This time it was all business. We received a call from Dr. Donatella Noboddi to visit her podiatric office located in this L.A. resort vicinity claiming that a crime had been committed there. Unfortunate too, because based on information given to us, her practice, “Perfect Foot Care”, had all the markings of success – great location, full schedule, steady referral sources, good patient rapport, diverse services, increasing revenue and state of the art technology. None of those were an issue. When we asked about her staff, she didn’t hesitate to praise their overall performance; however confessed that she failed to fully train them in protecting patient privacy. As a result, there was a HIPAA incident recently involving an unintentional breach of confidentiality which led to a major breakdown in patient trust and respect.

The outcome was an embarrassment to the patient and it jeopardized both the practice and doctor’s reputation. Had a good training program been initiated, it need never have happened. When asked why she didn’t enlighten her staff as to specific confidential policies at the onset, Dr. Noboddi, like most doctors, said she never really thought about it. “They were common sense rules that I didn’t think needed to be written down. I thought my staff would have or should have known enough not to share private information.” Unfortunately, woulda, coulda, shoulda…is not enough of a reason to avoid important training protocol. It also wasn’t enough that she followed most of the administrative HIPAA “rules.” Lack of security awareness and training is a crime right up there with those found commonly recorded in Venice, like pick-pocketing, rowdy behavior or Woody Allen showing up at Muscle Beach. In fact, measures should be taken to assure that ALL members of the workforce (including management) are on board with compliance regulations. We are SOS. We carry a computer and our aim is to make things right.

Under different circumstances, I would call in back up; but this case appeared manageable. I felt had everything under control but before taking any action, it was critical that I obtain more information. Arriving on the scene, I went directly to the staff – and questioned them one by one. Not surprisingly, they pleaded the fifth; careful not to incriminate one another. It was the final staff person I spoke with however, who came clean on her own. Her name? Ami Stake. Ms. Stake gave me the low down on all the sordid details. Her confession read more like an alibi; but not airtight enough. I was able to finger her as the source of the leak.

“I didn’t mean any harm; honestly I didn’t.” she sobbed. “I only tried to help my gramma.” “Whoa, slow down,” I said. “What does your Gramma have to do with this? Better start at the beginning…” Ami composed herself and continued.

“Last week, Marsha Mallow came in for her 2 month visit. Marsha is too sweet, easily in her 70’s and always interesting to talk to. I think she has been coming to our office ever since I’ve worked here, about 10 years now so she knew the routine. We greeted each other as we normally do and I left her alone to remove her shoes and socks. (I didn’t dare help her as she was a very independent woman.) But this time, I returned to find that Marsha had taken off MORE than her shoes and socks! I was nothing less than shocked, but proceeded to help her get redressed and readied for the doctor. Later, when Marsha’s daughter returned to pick her mother up, I explained the episode to her. It was then that she informed me that her mom had been diagnosed with Alzheimer’s disease and that she was getting progressively worse. She apologized for her mother’s awkward actions, but I told her there was no harm done and in fact, I would keep a closer eye on her next time she came in.”

“Sounds innocent so far,” I said.

“Yes, but, wait. That night I went over to my grandmother’s house. Gram was also in her 70’s but unlike Marsha, she complained about everything – her arthritis, her family doesn’t visit, hearing, eyesight…you name it. After what happened that day at the office, I couldn’t help but set her straight. So I said, `Gram, don’t exaggerate! You are very fortunate. You may be 78 years old, but in comparison to others your age, you’re in good health and luckily, your mind is still sharp!’ She didn’t seem to be phased by my lecture so I thought I should back it up with an example she could relate to. ‘You know Marsha Mallow, don’t you?’ I said. (I knew she did and Gramma nodded in agreement.) `Well, let me tell you what happened to her today.’ (I proceeded to relay the story about Marsha undressing just to have her toenails cut in an effort to give my grandmother better perspective.) She was aghast and the realization that she really wasn’t as bad off as she wanted me to believe immediately softened her demeanor. She stopped complaining and I was certain I did a good thing by telling her…I left thinking my work there was done. Turns out, it had only just begun.”  

I didn’t know Ami or her grandmother, but the expression on her face told me this was headed in a bad direction. She went on to explain that what happened next proved to be one of the worst days of her life. She learned (from Marsha’s daughter) that Marsha was the topic of conversation at the local AARP meeting. It was no mystery that dear Gramma was a stoolie who told everyone there what had happened. Ami was left to deal with the ugly consequences of what now appeared to be leaked-private-information-turned-town-gossip. She apologized to the daughter over and over again, in person and in writing. The incident was recorded as HIPAA regulation dictated; but the strong band of trust and confidence with Marsha’s family was severely broken. Keep in mind; although Ami was the offender in this case, this oversight was also a poor reflection on the doctor and the practice. Luckily, there were no legal repercussions, but Marsha never did return. It was a painful lesson to learn for all, and something that could have been prevented with proper instruction. The code of confidentiality should never be taken lightly.

Regrettably, SOS was unable to correct the damage that was already done; however, concentrating on an improved doctor-patient relationship became the new mission at Noboddi’s Perfect Foot Care. I started by first making sure everyone understood the definition of “breach of confidentiality”. Simply stated it represents disclosure of information obtained from a patient in connection with their treatment. It has legal implications as well as ethical and even though HIPAA heightened the awareness of the former, the ethical origin dates back to at least the Hippocratic Oath, which reads (modern version): Whatever, in connection with my professional service, or not in connection with it, I see or hear, in the life of men, which ought not to be spoken of abroad, I will not divulge, as reckoning that all such should be kept secret.Staff should be equally observant of this vow and follow through as if an extension of the doctor.

Next…the Health Insurance Portability and Accountability Act. (HIPAA) laws were put in place to protect the patient’s PII (Personally Identifiable Information) because it was determined that unauthorized medical information could be harmful, prejudiced and at the very least embarrassing if it wound up in the wrong hands. When it was universally introduced however, medical offices went into a state of overreaction; mostly out of fear of being financially penalized for noncompliance. They refrained from mailing innocent reminder or birthday postcards to their patients and even considered pointing to patients instead of calling them by their names into the treatment rooms. Sign-in sheets were eliminated and patients were suddenly overdosed with paperwork, explanations and office signage. “HIPAA” it seemed, was the contemporary buzzword on everyone’s lips. It seemed to temporarily turn the entire medical profession upside down; placing new focus on something (patient privacy) that should have been common protocol all along.

Only after the hype of the program died down and its purpose became more understood, were we able to resume a sensible approach to protect our patient’s privacy, which of course is not limited to leaking information (for whatever reason) as was the example of Ms. Stake. A breach in confidentiality can easily occur via open telephone conversations, methods of releasing and/or transference of medical records, open treatment room doors, visible charts and files, storage methods, password accessibility, electronic records and reporting/dictation systems. And, whether directly or indirectly involved, it is the doctor’s responsibility to assure their patients that all personal information shared in private remains private; used only to provide optimum medical care. It should be noted that patients leaving the practice – whether due to completion of treatment or of their own volition are no exception to the rule. Privacy is protected…regardless.

We arranged a focused session with doctor and staff for the purpose of reviewing their HIPAA manual, current security directives and their electronic protective health information (EPHI) system. We performed a risk assessment to reveal potential deficiencies or weaknesses, made sure that violations were documented and contingency plans and methods of corrective actions were put in place. With the integration of laptops in each room, we needed to heighten the security of them (encryption of data) in the event that one should suddenly “walk away.” We also stressed that they schedule annual HIPAA update training sessions to keep updated and aware of any necessary changes.

As a team, we proceeded to establish written policies in the practice that required password access to computers (changed regularly) to restrict unauthorized users as well as for proper maintenance of and disposal of records, files and charts. Finally, confidentiality statements were issued to each employee requiring their signature; affirming their compliance with HIPAA and other state and federal laws pertaining to the security and privacy of all patient health information.

At the completion of our session, Dr, Noboddi felt secure knowing that all the proverbial “i’s” were dotted and “t’s” were crossed. She was also reassured knowing her staff was more educated about what to and what NOT to do to protect patient confidentiality. Before I left to return to my Seattle headquarters, I asked Ami Stake what she learned. She turned and with full confidence said, “What happens in this office…stays in this office.” The good doctor stepped in, grinned and said… “My nonna always used to say, `Keepa you eyes and ears open and you moutha closed and Donatella Noboddi you secrets.’”

Advice she’ll likely never forget.