Consumers have come to expect confidentiality and privacy in all business transactions today, whether on line or in retail establishments.  Healthcare is no exception and patient/customers are now protected by HIPAA (the Healthcare Insurance Portability and Accountability Act of 1996).  Consumers who have received any healthcare service in a hospital, doctor’s office, medical lab, or pharmacy have been exposed to some education about HIPAA.  Medical equipment companies are no different and have some unique issues to plan and prepare for to comply with this complex regulation and the even more fundamental patient right to privacy and confidentiality. 

Accreditation standards in general, and HQAA, address privacy, confidentiality, and HIPAA in several ways:

• Requirement for companies to “maintain secure medical records.” Companies should have policies and procedures for dealing with the protection of patient records, controlling who at the company has access to the records, how records are stored, and how and when information is disclosed to outside entities. 
• A required topic for the annual in-service education deals with HIPAA, privacy, and security.  Staff must be educated on an annual basis about this important topic.
• Your company must train and teach customers about your company’s privacy policies.  You should be explaining to new customers that they have a right to expect privacy for themselves and their medical records, and discussing when and how that information can be shared or disclosed to outside entities. 
• How are your electronic medical records protected?  Electronic medical records are subject to the same requirements as paper records, but also have to include additional protections against security breaches. 

Protecting patient privacy is an important function and medical equipment company staff needs to be aware of their role in this function.  From the CEO and top management to retail staff and customer service, from clinical staff to the delivery personnel that goes into patient homes, all staff members have an obligation to fill.  This starts with sound policies and procedures about securing the medical records, electronic and paper.  Limiting access to these records on a “need to know” basis is appropriate.  Securing these records, while making sure staff has appropriate access to use the information for care planning is important as well.  “Secure records” doesn’t just mean locking files up at night.  It also means taking protective measures when staff accesses records for deliveries, home visits, care planning, treatment, and billing. 

Patient privacy presents unique issues to resolve in retail settings.  Providing private areas to do fittings, administer treatments, explain equipment usage, and even fill out paperwork for billing purposes are all-important aspects as well. 

Conduct a quick self-audit of your business to ensure you are compliant, paying careful attention to the following common challenges:

• Make sure patient lists, delivery schedules, and maintenance records are not posted or hung up in areas where public or vendors can see them. 
• Are computer screens set up in such a way that customers can’t see them over a counter? 
• When staff leaves their office, cubicle, or workstation, is the computer shut off, password protected, and secure?  Are paper records, stored away in a desk or file rather than left out on the desktop? 
• Are your staff members aware of the company’s policy regarding patient record storage and access and do they understand their role in protecting patient privacy? 
• Does delivery staff secure patient information in their vehicles? Are they cognizant of protecting patient information when they are in a patient home? 
• Many years after HIPAA went into effect, there are still casual breaches in lunchrooms and restaurants and out in the community.  Every surveyor has seen examples of delivery personnel walking into a retirement home and having “patient A” ask how “patient B” down the hall is doing.  Train staff to handle situations like this. 
• A short in-service on HIPAA and patient privacy rights is a good reminder for all staff.  The requirement is that this training is done at hire and on a yearly basis.  Talk about HIPAA globally, but be sure to drill down and talk about your company’s specific policies and procedures and how patient privacy is protected at YOUR company. 
• Make sure patients are providing permission to your company to share information with family members, emergency contacts, powers of attorney, and any outside entity.  Be sure you discuss your company’s practices with the patients at the time of admission to service.