HIPAA Compliance Strategies

Hospital Volunteers Can Present Special Patient Privacy Risks, Require Careful Selection and Training

Reprinted from REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

They come in all warm-hearted, eager and smiling, those volunteers who may deliver flowers to patients, help issue visitor passes to anxious loved ones and ring up purchases in the gift shop. And today, when hospital finances are stretched to breaking, volunteers are serving an even greater role on medical campuses.

But if Greg Young had his way, no volunteers under age 18 would be allowed to work at Mammoth Hospital in Mammoth Lakes, Calif., where he is the privacy and security officer. He considers these youngsters "too much of a risk" when it comes to compliance with the privacy and security rules.

But that's a fight Young lost. So while his hospital doesn't have many minor volunteers — only about five of the hospital's 25 volunteers — he still takes special precautions with them and, for that matter, with all Mammoth's volunteers.

Young and others say that volunteers, regardless of how well-meaning they may be, present a special threat to patients' privacy and security in a hospital setting. They say that compliance officers need to ensure volunteers are well-trained and, if infractions do occur, that they are appropriately disciplined.

Job duties and training programs need to be tailored to the needs of volunteers, who are often elderly rather than young, and may work odd or irregular hours. Some other strategies can include limiting their activities to exclude contact with protected health information (PHI).

As Kate Borten, president of health care privacy and security consulting firm The Marblehead Group, notes, this is an issue that is not going away anytime soon. "I have seen greater use of volunteers over the years as hospitals go through tough financial times," she says.

She adds that "even without HIPAA," hospitals have become more cautious about who they accept as volunteers and employ careful screening, which in some cases is required by state law.

"Any hospital that is not looking at [selection and training of volunteers] very rigorously is maybe out of synch with the rest of the hospital world," Borten says.

Understanding the Volunteer Mindset

It is important to understand the factors that make volunteers risky so that you can mitigate them, says Robert Tennant, a senior policy advisor for the Medical Group Management Association, who advises physicians and hospitals on HIPAA compliance.

"On the one hand, they are least likely to cause problems, as they usually don't have access to patients' medical records," he says. "But on the other hand, they are less likely to understand hospital policies."

"Many are seniors who have not been in a workforce for some time, and may not be acutely aware of the heightened concern over the privacy of patients," Tennant says. "They may have issues with memory. They may also not feel the same compulsion to follow the rules and regulations because they are not employees; they may not be worried about being fired."

Young, however, is most concerned about volunteers who are minors. He worries that they may find it hard not to share information about friends or neighbors or — heaven forbid — a teacher that they might learn about on the job.

To ensure high-caliber volunteers, Young insists that all volunteers provide several references and that those are contacted. Criminal background checks are also done, he says.

At his hospital, volunteers are typically used as "runners," doing things like "bringing blankets" to patients, he said.

Training Should Be Immediate, Scaled Down

Covered entities (CEs) under the privacy and security rules must train the volunteers, as they are considered part of the workforce. The privacy rule states that training must take place "within a reasonable period of time after the person joins the workforce."

To the experts who talked to RPP, that means before the volunteers hit a hospital floor, it is "critical that volunteers know that they cannot snoop," says Tennant, "they cannot review or reveal PHI."

He adds that the temporary nature of some volunteers' positions with a hospital could mean they would work up to a month before undergoing privacy and security training, if a hospital waits to include them in a regularly scheduled, systemwide HIPAA training session.

He recommends against waiting, as does Borten.

"Training should occur before they are actually working," Tennant said. "This will add a burden to the hospital, but I don't see any other way around it."

At Mammoth, Young does all the privacy and security training himself for volunteers, which differs from the process used for full-time workers.

"What they get is me," he says, referring to a 15- to 30-minute talk he delivers on the highlights of the rules, with time for questions and answers. Other employees complete a two-hour online training program, and also get a personal talk from Young.

He says he keeps his educational message to the volunteers very simple: "What you see here, stays here; what you hear here, stays here." And he addresses how long someone might have to keep private information private: "forever," he tells volunteers.

"I tell them 'you are going to see things or hear things about people you know, and you are going to be excited to tell someone. But you can't. And if you think you can't do that, if that is going to be too hard for you, then this is not for you.'"

Tennant also recommends having volunteers sign a confidentiality agreement, which he says serves to remind them of their responsibilities.

Young designed a specific one just for volunteers.

Volunteer coordinators should also discuss privacy policies with volunteers when they hold regular meetings, and posters should be placed where they meet that also carries the message, Borten says.

Monitoring, Discipline Must Follow

Volunteers may need to be closely monitored, at least in the beginning, to ensure they're not disclosing PHI, even if they think they're being helpful.

Borten recalls a hospital that asked her if it was OK that gift-shop volunteers regularly phoned a nursing station to ask if patients had dietary restrictions, such as an inability to eat chocolate. Borten told the hospital, "no, no, no!" as this was clearly a PHI disclosure that was inappropriate.

There are differing views on how to discipline volunteers. One issue is whether to apply the same sanctions as those used with employees.

Tennant suggests retraining a volunteer and issuing a written warning for the first offense. He believes some attention must be paid to circumstances of each case.

"I think it is entirely up to the nature of the infraction. If you have a 70-year-old who did something with no malicious intent, I am not sure you want to pick them up the lapels and toss them into the street," Tennant says.

For repeat offenses, though, or particularly egregious situations, he has no doubt the person should be told his or her service is no longer needed. And Borten and Young believe one privacy or security rule infraction is enough to let the volunteer go.

"They don't get to skate just because they are a volunteer," Young said. "There is no second chance."

Advertise With AIS

Privacy

Site Map