Protecting the Privacy of Our Members
At Blue Cross and Blue Shield of North Carolina (BCBSNC), we take our duty to safeguard the privacy and security of our members protected health information (PHI) very seriously. Our members have the right to expect that their PHI will be respected and protected by BCBSNC. Our privacy and security policies are intended to comply with current state and federal law, as well as the accreditation standards of the National Committee for Quality Assurance.
The HIPAA/HITECH Act requires that we treat all unauthorized disclosures of PHI, even if due to an honest mistake, as a breach unless or until we demonstrate that the PHI in question was not compromised. When a claim is filed under the wrong insurance policy, and an Explanation of Benefits is sent to the wrong person, BCBSNC may have to report it to the U.S. Health & Human Services Office for Civil Rights (OCR). OCR is authorized to impose fines and penalties on covered entities that commit a breach.
What You and Your Office Staff Can Do to Protect Patient PHI
BCBSNC must let the member(s) involved and the OCR know what we have done or will do to help prevent a similar breach from happening again. We rely on providers participating in our networks to assist us with our efforts to protect the privacy of BCBSNC members within your care and to help ensure that such breaches do not occur. There are many ways that you can help:
- Always ask for the patient’s insurance card at every appointment.
- Verify that the patient’s name, date of birth, address, etc. match the information on his or her insurance card or when you verify the patient’s eligibility with BCBSNC or any other insurer. Some patients may have similar names or share the same date of birth as another patient, etc.
- Blue eSM allows BCBSNC-participating health care providers to access a secure e-network to search for a member’s ID number by name. When searching by name, always verify that you’ve found the correct member with your search results, as many people with BCBSNC health care coverage can share the same or similar name.
- Always verify that the member’s ID number you’ve located belongs to the patient in your care. Check that the search results contain a matching date of birth for your patient. For instance, is your patient male, and if yes, is he a junior or a senior?
- Patients and visitors should not be able to read or reach for paperwork in the work areas where it’s being processed. In addition to a physical barrier—such as an elevated countertop—computer monitors should face away from view and contain peripheral “privacy shields.”
- Patient charts not being worked on should be closed or flipped over, charts should never be left in exam rooms, and if it’s necessary for staff to step away from a task, the chart should never be left unattended. File rooms and doctors’ offices should be locked at night.
- Documents containing patient PHI that are no longer needed should be shredded or disposed of in proper containers—never in the trash where they may be recovered by “dumpster divers.” Electronic paper shredders should be HIPAA-compliant cross- or confetti‐shredders.” If shred bins are used, they should be locked and a reputable mobile shredding service—specializing in medical practices—should empty bins on a regularly scheduled basis.
- Staff should always be aware of who is around them and what information can be overheard. If it’s necessary to discuss a patient’s health information, defer such communications to areas where patients and visitors cannot overhear the conversation and then speak in a controlled volume.
Although patients may not know the intricacies of HIPAA and what constitutes an unauthorized disclosure, they are aware and will often comment on activities and processes they feel compromise their privacy. Patient perceptions should always be taken seriously, evaluated, and if appropriate—acted upon. If, for example, a patient comments that others in the waiting room can hear his interactions with the front desk, then a solution may be to construct a privacy barrier or ask patients to step into an office to discuss their concerns.