Some doctors thrive in a personality-based clinic and have a loyal following no matter what services or equipment they offer, but for most chiropractic offices who are trying to grow and expand, new equipment purchases help us stay relevant and continue to service our client base in the best, most up-to-date manner possible. So, regarding equipment purchasing: should you lease, get a bank loan, or pay cash?
Poor Practice Compliance Is a Major Business Risk
The blessings of technology have enabled practices to expedite the time spent on claims preparation and claims submission, and improved the wait time for receiving payment for claims. Technology has also been beneficial to practices with respect to achieving appropriate levels of documentation in order to meet guidelines and better support the claims being billed for. Work-force members are saving time in printing, filing and organization by having software in place that stores this information.
But with the benefits of technology come responsibilities that practices must make a priority. Let's take a look at a few of the all-too-common errors that can be minimized or avoided completely with appropriate compliance policies and procedures.
Are You Making Compliance Errors?
- Unauthorized access to patient files or information systems, resulting in the access, use or disclosure of protected information
- Inappropriate and/or identifying posts made to social media sites
- Lost or stolen portable devices with ePHI access (tablets, smartphones, laptops, etc.), resulting in potential data breach
- Insufficient backup protocols, resulting in loss of data and inability to recover information
- Insufficient definition of systems and procedures, leading to various errors and strained doctor-staff relationships. Note that many whistleblower suits or privacy-related complaints reported to the Office of Civil Rights are made by work-force members!
- Improper disposal of records
- Improper methods of preventing malware and viruses from accessing information systems, resulting in hacked ePHI
- Email or other online communications among work-force members and/or work-force members with patients that compromise protected data
An Easy Compliance Target: Social Media
Let's look at an increasingly common danger: inappropriate posting of identifying information on social media sites. First, your practice must evaluate your social media use to determine what guidance and policy among your work force must be implemented and enforced to best protect patient identity, and prevent the costly and damaging error to your practice.
- Document the social media sites utilized by your practice. It should be clear why you are using social media (such as for marketing, reminders of upcoming events, etc.).
- Define your policy and procedure for use of social media. You may elect to prohibit the posting of photos that identify a patient or you may incorporate policy that requires appropriate patient authorization to be obtained prior to social media use. Of course, if obtaining authorization from patients, this must be in writing and also clearly provide details to the patients as to where there photos may be posted – including reminding patients that these photos may be "shared" and/or saved by your followers or other viewers.
- It is important for patients providing this authorization to understand that once a post is made, there is no guarantee that it can ever be completely removed; that they have the right to change any permissions granted to your practice at any time they wish; and that they may request the removal of their photos (to the best of the practice's ability where the practice has control of the posting and removal of photos, but cannot be guaranteed elsewhere).
- There are other important considerations to make as you define this policy and procedure for your practice. It must be clear who has access to your social media for posting and how these posts may be reviewed, edited and removed if needed. This may include posting guidance such as frequency and limiting those with social media permissions only to accessing business social media during business hours. Sanctions must be in place for misuse of social media as well.
- Policy and procedure must define the difference between business and personal social media. Businesses may not dictate to staff how personal social media is managed, but can offer general guidance, such as to not seek out patients as "friends" and that PHI-related posts are prohibited on personal pages. Practices must provide training of this policy and procedure to work-force members.
The Consequences
With this single example, it should be easy to see how your practice can benefit in many ways by having documented guidance. Not only is this type of guidance a required element for practices today, but also serves as significant risk management to practices, work-force members and patients. Most errors that occur in practices can be limited or avoided completely with clear and consistent communication, which is what compliance programs are all about.
All of the compliance errors listed earlier may impact your practice in various ways. Beyond financial penalties and other compliance-related investigations and penalties, errors also can damage practice / patient relationships, soil a practice's good reputation within the community, and make it difficult to retain staff, among other consequences. The only solution is to make compliance implementation a priority.