The U.S. Department of Health & Human Services defines the minimum necessary requirement as follows:

The minimum necessary standard, a key protection of the HIPAA Privacy Rule, is derived from confidentiality codes and practices in common use today. It is based on sound current practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information. The Privacy Rule’s requirements for minimum necessary are designed to be sufficiently flexible to accommodate the various circumstances of any covered entity.

As a data management consultant, I’ve worked on many HIPAA databases. Without exception, every end-user I’ve worked with over HIPAA data has been a complete professional. However, it never hurts to review HIPAA etiquette.
We all know that conscientious, well-intentioned people can still make mistakes. Following are a few etiquette rules that I’ve come up with after working on a good number of HIPAA databases.

Passwords:
The first step to protecting the data in any database is to protect your passwords. With HIPAA, passwords are that much more important. When a contractor is working on your computer, you are not required to give them your passwords. As a database contractor, I respect end-users who enter their own passwords. It may take more time, as I am moving in and out of databases testing different things, to have an end-user enter their password multiple times. But – that’s fine – they’re protecting their databases.

Please don’t leave your passwords posted on your computer in the form of Post-it notes. They are an open invitation to anyone coming into your office, including contractors. If you have multiple passwords to remember, you may want to look into password protection software. There are free versions of password protection software; they will make your life a lot easier because your passwords will be stored in one location. In addition, password protection software protects your data because your passwords won’t be sitting out in the open for anyone to find.

Business Associate Agreement:
Remind any contractor working on your database that they are working with HIPAA data. This should be done BEFORE they have access to the data. Require them to sign a Business Associate Agreement.

Protecting the data in your database:
The Minimum Necessary Requirement has several nuances when a contractor is actually working in the database. One thing to remember about database contractors is that we view the data differently than you do. When I am working in a database, I am looking for patterns. For instance, when I am troubleshooting an error message, I have to figure out what is triggering the message.
Error messages are generally related to something outside the intended processing patterns of the program. So, while working with the data, my brain is registering patterns (and the exceptions to those patterns that cause errors). My brain generally does not register actual information in the database. After I am finished working through a troubleshooting session, I can tell you all about the source code, the pattern that was broken and why an error message was triggered, but I most likely will not be able to recall any actual data.

Generally speaking, following the Minimum Necessary Requirement means using test data whenever practically possible. If you are consistently getting an error message while working in one record, that message is most likely NOT triggered by the actual data. It is most likely triggered by an exception to the intended pattern of processing data. In a situation like this, you can do something as simple as recreating the problem in a bogus or test record. For example, creating test case note histories for Sheldon Cooper, Amy Farrah Fowler, and Leonard Hofstadter is perfectly acceptable. From a technical perspective, all I care about is the actual error I am troubleshooting. If we are working on a new database project together, I do not need to see any real-life data either. Once again, entering test data with bogus names and personal information is entirely acceptable.

There are times when I do have to work with real data. These instances generally encompass mass data. For instance, if you need a new report, most likely it will not be practically possible for you to re-create hundreds of test records. Another is when we are working on a new database project and I have to import legacy data from another database.

Mouse in the Corner Syndrome:
The Minimum Necessary Requirement does not only apply to data in the actual database; it applies to data in your head and in your co-workers’ heads.
This is one area where I see the requirement violated on a pretty regular basis. I’ve come to call this the “mouse in the corner” dynamic. My clients become so comfortable with my presence that they start talking about things in front of me that they shouldn’t. This can happen on conference calls as well as in-person visits. They simply “forget” I’m there and can hear what they are saying. It is one thing when they get into office gossip, but it is an entirely different thing when they start talking about the details of someone’s case history.

Generally speaking, when folks start getting into the details of a client’s HIPAA data, they are trying to figure out why this particular record is acting differently than other records in their database. It is not malicious behavior at all. They are honestly trying to help me. One thing you can do in these situations is remind yourself that the programmer you’re working with is looking for patterns. Sometimes the pattern may be affected by actual data, sometimes not. But I can honestly say I’ve never had to troubleshoot a problem where a client’s entire case history caused an error. I honestly don’t need to know all the intimate details. If data is causing the problem, it is most likely data in one specific field (like a drop-down list).

This “mouse in the corner” dynamic is very real. I’ve had clients look at me before discussing HIPAA data amongst themselves and say, “You’re HIPAA certified, right?” Well, yes … I’m HIPAA certified, but that isn’t following the Minimum Necessary Requirement. It doesn’t bother me to point out that the information they’re discussing is not necessary for me to do my job. But not every contractor will take the time to do so.

Sharing Files:
The Minimum Necessary Requirement also applies to emails. Again, before communicating with a contractor, ask yourself what they need to do their job.
If you’re emailing a contractor about a problem in your database and you want to send a screenshot, can you do it with test data? Sometimes you can, sometimes you can’t. But asking yourself before you send the email is the first step you should take to protect HIPAA data.

Transferring files is another area to consider with HIPAA data. As a database contractor, I do most of my work remotely. Generally speaking, my clients set up remote connectivity capabilities and ALL files remain on their system. This protects me as well as my clients. I don’t want other people’s data on my system. However, it’s not uncommon for folks to email me spreadsheet files. With regular databases, it really doesn’t bother me. I can use the file for its intended purpose and delete it. But with HIPAA data, I don’t want it on my computer, your clients don’t want it on my computer, and you shouldn’t want it on my computer. If you have to share a file with a contractor and it contains HIPAA data, offer to set up a shared folder that they can get to on your system. I know it takes longer than shooting off an email, but really think about the implications of sending HIPAA data to someone in an email.

In Conclusion:
As I mentioned earlier, every single person I’ve worked with on HIPAA data has been very professional in their approach. When the Minimum Necessary Requirement is violated, it is not done with malicious intent at all. Folks really do care about the data they work with and protecting it. But we can all use a few reminders every now and again about how important it is to take precautions with HIPAA data.

Michelle has 2 decades of experience working with sensitive data management projects. Learn more about her services here:
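The test-record approach described under “Protecting the data in your database” and the single-field observation under “Mouse in the Corner Syndrome” above, as an added example that is not part of the original post: a small Python routine that copies the one record that errors, swaps the PHI for bogus identities (the post’s own Sheldon Cooper and friends) while leaving every non-PHI field such as a drop-down value or a blank exactly as it was, and checks that no real value slipped through. The record layout, field names and values are constructed for illustration and are not from any real system.

```python
import copy
import re

# Constructed sample record (not from the post): the one record that errors,
# mixing PHI with the processing fields a programmer actually needs to see.
REAL_RECORD = {
    "client_id": 40921,
    "first_name": "Jane",
    "last_name": "Doe",
    "dob": "1979-04-12",
    "ssn": "123-45-6789",
    "case_status": "CLOSED-REOPENED",  # drop-down value unlike other records
    "intake_date": "",                 # blank where other records have a date
    "case_notes": "Client reported a fall on 03/02; see Dr. Smith's referral.",
}
PHI_FIELDS = {"first_name", "last_name", "dob", "ssn", "case_notes"}
# Bogus identities the post itself offers as acceptable test names.
BOGUS_PEOPLE = [("Sheldon", "Cooper"), ("Amy", "Farrah Fowler"), ("Leonard", "Hofstadter")]
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

def scrub(value):
    """Replace a PHI value with a bogus one of the same shape: same length,
    punctuation and spacing, digits -> 0, letters -> x; ISO dates -> fixed date."""
    if ISO_DATE.match(value):
        return "1980-01-01"
    return re.sub(r"[A-Za-z]", "x", re.sub(r"\d", "0", value))

def make_test_record(record, phi_fields, persona=0):
    """Copy the record, swapping PHI for bogus data while keeping every non-PHI
    field (status codes, drop-down values, blanks) exactly as-is."""
    test = copy.deepcopy(record)
    first, last = BOGUS_PEOPLE[persona % len(BOGUS_PEOPLE)]
    for field in phi_fields:
        value = test.get(field)
        if value in (None, ""):
            continue  # a blank may be what triggers the error: keep it blank
        if field == "first_name":
            test[field] = first
        elif field == "last_name":
            test[field] = last
        else:
            test[field] = scrub(str(value))
    return test

def leaked_phi(real, test, phi_fields):
    """PHI fields whose real value still appears anywhere in the test record;
    an empty list means the record is safe to put in front of a contractor."""
    haystack = " ".join(str(v) for v in test.values())
    return sorted(f for f in phi_fields
                  if real.get(f) not in (None, "") and str(real[f]) in haystack)
```

Because lengths, blanks and the drop-down value survive the scrub, the test record still reproduces a pattern-driven error while carrying no real patient information.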
Michelle Meyer. Articles discuss general data management issues. Archive: March 2018.