Curbside Consult with Dr. Jayne 5/18/20
As a consultant, you never know what’s going to come your way. Even projects that seem like they’re going to be straightforward might not be, as was the case with something I worked on recently.
I was dealing with a practice that had an issue with a staff member who was allegedly snooping through employee charts. They asked me to take a look at their audit trails and put together documentation so they could confront her. Finding the data in the EHR was easy since it has an activity log for each patient encounter that can be accessed by clicking a link at the end of the visit note. This is front-end visible data, so any user with the right access can look at it. That made me wonder why they needed to hire a consultant in the first place, other than to be able to say that they worked with an expert resource. I was sad that I didn’t even need to access the database.
The next step was cross-referencing the access time stamps with the actual patient visit time stamps, to either rule in or rule out whether the staffer might have rightfully accessed the charts as a part of the clinical encounter. When the charts are being accessed at midnight, it starts pointing towards an unusual pattern of behavior. When the midnights occur while the employee is supposed to be on vacation, you start to know that you have a winner.
Getting confirmation of the employee’s work schedule and days off was one of the biggest challenges since the practice didn’t want people to know they were investigating the employee. I had to talk to the payroll people to confirm the dates. Much of my engagement was being coordinated through an office manager who was relatively new to the practice, so I assumed that either she was just overwhelmed and wanted me to deal with everything or wasn’t sure of all the data points that needed to come together to make the case for inappropriate access.
Once we had the data in hand, the next step was putting together a report of the intrusions into various charts. Excel is my second language, so I had it all documented in a couple of hours and sent it over.
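The cross-referencing described above, as an added example that is not part of the original column: it takes constructed audit-log rows, visit records and confirmed days off for one user and flags each access that has no visit for that patient within a two-hour window, falls outside business hours, or lands on a day off, producing the rows that would go into the Excel write-up. The field layout, the two-hour window and the 7:00 to 19:00 business day are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from any real practice): audit-log rows as
# (user, patient, access time), visit records as (patient, visit start), and
# the user's days off as confirmed with payroll.
AUDIT_LOG = [
    ("jdoe", "P100", "2020-05-04 09:12"),  # during the encounter: fine
    ("mlee", "P100", "2020-05-04 09:20"),  # another user: not in this report
    ("jdoe", "P100", "2020-05-05 00:07"),  # midnight, no visit that night
    ("jdoe", "P200", "2020-05-11 10:30"),  # while on vacation, patient never seen
    ("jdoe", "P300", "2020-05-06 14:05"),  # days after the patient's only visit
]
VISITS = [("P100", "2020-05-04 09:00"), ("P300", "2020-05-01 13:00")]
DAYS_OFF = {"2020-05-11", "2020-05-12"}

VISIT_WINDOW = timedelta(hours=2)  # assumed: access within 2h after visit start is routine
BUSINESS_HOURS = (7, 19)           # assumed: 07:00 to 19:00 local time

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def classify(patient, ts, visits=VISITS, days_off=DAYS_OFF):
    """Return the list of reasons an access looks inappropriate (empty if none)."""
    t = parse(ts)
    reasons = []
    matched = any(
        p == patient and timedelta(0) <= t - parse(start) <= VISIT_WINDOW
        for p, start in visits
    )
    if not matched:
        reasons.append("no_matching_visit")
    if not BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1]:
        reasons.append("after_hours")
    if t.strftime("%Y-%m-%d") in days_off:
        reasons.append("on_day_off")
    return reasons

def build_report(user, log=AUDIT_LOG):
    """Suspicious accesses for one user, each tied to the reasons it was flagged."""
    rows = []
    for u, patient, ts in log:
        if u != user:
            continue
        reasons = classify(patient, ts)
        if reasons:
            rows.append({"patient": patient, "time": ts, "reasons": reasons})
    return rows

if __name__ == "__main__":
    for row in build_report("jdoe"):
        print(row["time"], row["patient"], ", ".join(row["reasons"]))
```

Each flagged row carries its reasons, so the same output can be tied back to the relevant handbook or HIPAA training section once those documents exist.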
This is where the engagement turns strange. They wanted me to add documentation to each episode of chart access to specify why it was inappropriate. Sure, I said, send me over your employee handbook and I’ll tie each episode back to the relevant parts of your code of conduct and whatnot. I also offered to review their HIPAA training materials and link my findings back to that as well, functionally putting the nail in the coffin of this medical records misadventure. Since I haven’t been working clinically, I was happy to add a couple more hours to the engagement.
I didn’t hear back for a couple of days and the office manager didn’t respond to follow-up emails. I escalated to calling (which I rarely do) and didn’t hear back from the voicemail messages I left either. I finally became irritated and reached out to the physician in charge of the practice, figuring that since he signed my engagement agreement, the buck would stop with him. I caught him in the car, and either he was distracted and just started talking off the top of his head or he had forgotten that they had left out a few key points when they hired me to do this work.
The snooping employee in question turns out to be the ex-wife of one of the practice’s physician owners. The situation is not just an employee discipline problem, but is also linked to a spousal support situation, with concerns that if the employee / ex-wife is terminated, the physician owner / former spouse might have to pay more. He doesn’t want her terminated.
Are you kidding me? Is this not something that could have been brought up when the engagement was outlined? I guess I’ll have to add some interrogatory questions around this type of shenanigans to my engagement intake form.
The plot thickened further. It turns out that the practice didn’t send over the employee handbook because they don’t have one. They also have no documentation of its employees having attended HIPAA training except for a log showing the date the employee watched some YouTube video on HIPAA. That video is no longer accessible, so we have no idea what they watched or whether they agree that they watched it. There is no documentation of a post-test or other evidence of mastery, so it’s going to be awfully hard to tie the misbehavior back to clear violations of office policy. The practice is liable for a HIPAA violation, but they can’t claim that the employee should have known better if there’s no documentation that she ever knew what HIPAA was or how it affected her.
Once this mess became apparent, it was clear why they hired a consultant. No one in the practice wanted to deal with the steaming pile of finger-pointing and ex-spousal angst that it was.
A couple of days later (and after a couple of calls with all parties involved on the practice side), the engagement was again expanded, with additional time for the creation of office policies and procedures regarding HIPAA training, chart access, use of practice resources outside working hours, and more. What started as a simple little project became not only a decent amount of work, but a great story for my next healthcare virtual happy hour. You simply cannot make this stuff up.
I have no idea what forces conspire to make a practice think it’s OK to operate this way in the year 2020, but apparently it has been going on for a long time. They were shocked that I also recommended they discuss this with their various liability carriers and their general counsel, to obtain additional advice on what to do next. I love writing policies and procedures, so it was great to settle into the sofa and spend some quality time with my laptop on a long, rainy weekend. I’m presenting their updated training plan to them next week along with their new employee handbook. Although this after-the-fact effort won’t do much to help them with their problem employee / ex-spouse, it will at least put them on a more solid footing moving forward.
How does your practice handle employee medical records violations? Leave a comment or email me.
“Excel is my second language” – for someone wanting to learn Excel as their second language, what resources would you recommend?
As with all things Microsoft, your best source of training is Google. That and usage. Using it for as many different problem spaces as possible will give you challenges that will expand your abilities.
Create a payroll adjustment sheet — if the offer is x, then that is an improvement of n%; use the data definition functions and some formula functions
Create a mortgage calculator
Create a contact sheet — use the dictionary functions
Create a risk matrix — data calculations, data definitions
Create a project calendar for ANY project — household, todo, learning Excel…
Download the FAERS data set — all sorts of love there
Download the ICD-10 list.
Download the CDC Immunization sets (CVX, CMX, etc.) and cross-link them
Load them up into a database, extract them from a database
Oh, and I yell at my partner all the time about her use of Excel — define your data objects before you load the data into those columns… Excel assumes it knows more about your data than you do, and doesn’t ask.
Have fun
Employee snooping is the number one driver in practices and clinics engaging with our user activity monitoring AI. The case above is all too common and the OCR is just catching up with enforcement actions and resulting fines. ALL practices need to monitor ALL user activity at ALL times. The civil monetary penalties and class action lawsuits are ramping up as this behavior is coming to light.
Honestly, I see and hear of issues like these (or worse) on a relatively regular basis. Many of these practices are operated by physician/owners who have little to no business skills/training and often hire friends and family to “manage” the practice. It’s a recipe for disaster and when the stuff hits the fan, then they call in a consultant to try to clean it off the walls and everywhere else it sprayed. The vast majority of practices I deal with are run professionally and have training, policies, and procedures in place but it’s surprising how many practices are very lax about HIPAA compliance.
Oh yeah, we could do some damage swapping stories over happy hour! Now that I can’t get my hair colored, decades as a practice management consultant are starting to show in the alarming rate of grey hair creep on my head! I have had a doctor flagrantly sleeping with his MA, and his father-in-law was employed by him, saw them bumping uglies in the parking lot, kept his mouth shut to keep his job. Employees kept on after verified embezzlement for familial reasons, or whatever. I had a doc beg me not to fire his MA after she stole patient IDs and got caught opening credit card accounts in their names. They never did background checks before I came on board, and once we did hers, she had spent time in prison for identity theft. And then he says, but she’s my best MA, can’t we just warn her?! I kept him on the phone as he walked her out the door. Oh, and the many docs at different practices who need their own subnet because they are porn addicts and IT wants to protect the work network. They complain about every click in the EMR taking x seconds, and calculating the minutes it’s wasting every day, but they have time to surf the porn web. I could go on and on… sadly.