• What are the legal requirements of data reporting, electronic prescribing, preventive data indicators, and quality data reporting? What can an administrator do to promote ethical and legal compliance by the organization?
• When considering HIPAA, be sure to understand the minimum necessary standard rule. Just because somebody or some entity is entitled to information doesn't mean it is a free-for-all. There are limits to what is available and for what reasons. You can also think about it along the lines of being on a "need to know" basis. Think TPO, "need to know," and the minimum necessary standard rule. How does your facility encourage complying with this?
• HIPAA is a complex law. However, you can boil it down to what we call TPO:
T = treatment. You can view a medical record for the purpose of providing treatment to an individual.
P = payment. You can look at a medical record to obtain the necessary information to construct an accurate bill.
O = operations. You can look at a medical record to complete operationally necessary practices even if you are not directly responsible for the care of that patient. This includes items like utilization review, peer review, statistical analysis, or scheduling.
Always ask TPO every time a chart is accessed. If the answer is "no" to all three, STAY OUT!!
Can you share examples where people should not have been in a record and what the consequences (if any) were?
• Do you know who the Privacy Officer is at your facility? It may be somebody whose job is solely being the Privacy Officer in a larger organization. In a smaller place, it may be somebody who wears many hats, and being the Privacy Officer is part of their larger role. What does the Privacy Officer do? Do you have professional experience with one? If so, please share and include a reference.