Don't dive in that dumpster: Preparing for an OCR audit

By Tom Sullivan
01:53 PM

An impending OCR audit can lead to extreme measures.

“I’ve even done some dumpster diving,” said Mary Brandt, president of health information management at Scott & White in Temple, Texas. “One client said I was the most refined dumpster-diver he’d ever seen.”

During the Preparing for an OCR Audit session here at HIMSS13 on Sunday, Brandt recounted sifting through the trash to discover whether hospital employees were illegally disposing of identified patient data by simply throwing it away. And that was a rather innocuous example, particularly compared to her tale of the hospital employee looking at an ex-boyfriend’s medical record and taunting him with the information.

“The stupidity of people amazes me,” Brandt said. “I hope they’d be fired for that.”

Provider organizations, of course, should be taking steps to avoid those types of situations — as well as a cadre of more modern Protected Health Information (PHI) problems wrought by information technologies.

“When you can take a picture and upload it to your Facebook page with a single click, the rules are rewritten,” said Tom Walsh, president of Tom Walsh Consulting. 

Yet, Walsh asked, how many policies have been updated accordingly?

Brandt explained that many hospitals are still using Notice of Privacy Policies (NPPs) that are 10 years old, meaning this is a good time to revisit those and to sculpt a clear definition of what an organization’s electronic medical record actually is. “When I first came to Scott and White, the lawyers would argue over what the electronic record was,” she said. 

And since then new challenges have arisen. Text messaging triggered a number of questions during the session, with one attendee explaining that the asynchronous nature of texting, in which one physician might send another PHI, can mean that the recipient receives the data hours later — or not at all. Brandt advised any providers texting or emailing pictures to be careful not to include identifying information such as a patient’s face, tattoos, or unusual jewelry. 

Brandt’s overarching message for the morning was clear: “Don’t wait for an OCR audit,” she said. Prepare now. But it’s not just OCR. CMS or the Joint Commission can also conduct audits. “OCR is probably the scariest.”

And her tips for starting?

Coming in through the ED doors, as a patient would, is the best way to see what’s happening throughout the department. “There’s no substitute for walking around the unit, talking to people, getting out,” she explained, “and looking at what people are actually doing.”

At the very least, that can keep CIOs and chief privacy officers out of the dumpster.
