
March 31, 2006
Answering questions about protecting patient privacy
When the Health Insurance Portability and Accountability Act (HIPAA) was introduced
in 2003, protecting patient privacy — already one of health care's
most important ethical obligations — became even more complicated.
Although the MGH offers continuing education about HIPAA guidelines, privacy
breaches do occur — sometimes accidentally. To help employees and
staff avoid breaches, MGH Hotline regularly publishes questions and answers
about patient confidentiality. The questions are answered by Eileen Bryan,
MGH HIPAA compliance specialist.
Q. Recently a staff assistant in an outpatient
practice was faxing a patient's prescription to a pharmacy. The assistant
copied down the fax number correctly from the patient's information but
misdialed the number, transposing two numbers. Unfortunately, the patient's
personal prescription was sent to a large financial services company without
a cover sheet, and the information was accidentally posted on an internal-only
website that was accessible to company employees. Fortunately, one of
the company's managers noticed the private health information and immediately
shut down the company's web site and contacted the MGH HIPAA Privacy Office
since they did not know the identity of the sender. Although it was an
innocent mistake, the incident represented a serious privacy breach. How
can this kind of situation be avoided?
A. MGH staff always should remember to use technology
such as fax machines, e-mail, cell phones and pagers only when necessary
to support patient care activities. If there is no alternative method
to deliver private patient information, then technology such as
a fax machine should be used with extreme care. The MGH faxing policy
requires the use of a fax cover sheet at all times with the sender's contact
information and a confidentiality statement. The sender should call the
receiver to confirm the fax number and alert them of the impending fax
to make sure they are able to retrieve the document. After keypunching
in the fax number, the sender should pause and check the number on the
screen again for accuracy before hitting the send button. Because faxing
is the least secure way to send health information, the hospital is required
to have these safeguards in place. To review the policy, visit the MGH
Privacy and Security policy manual on the MGH intranet web site at http://intranet.massgeneral.org/hipaa/default.asp.
A fax cover sheet template also is available on this site.