Managing client privacy and confidentiality is relatively straightforward when you’re a solo practitioner. You only have yourself to worry about. But once you start working with other people in your private practice, you’re going to need to institute policies and procedures to make sure that everyone connected with your practice is maintaining the same high standards that you have for yourself.
Here are some basic steps you can take to ensure privacy compliance:
- Provide your employees, interns, and subcontractors with an email address within your G-Suite domain, and require them to use it for any communication related to clinical work with clients. You can set this up through your G-Suite admin panel.
- Set them up as a user within your EHR platform. In other words, don’t give them your login credentials, but use the platform’s protocol to provide your intern, employee, or subcontractor with the appropriate level of access. Use this email address, not their personal email address.
- Create a signature template for all employees, subcontractors, and interns to use when communicating through the email address you provide them. You can use this space to promote your private practice.
- Ensure they are appropriately trained on all the technology that you are using in your practice to prevent any accidental sharing of client information. Providing them with training resources (like my modules) can be considered a business expense. I believe that you should bear this cost (rather than asking the intern to pay for it) because ultimately it’s your responsibility to protect your practice. (And by the way, my toolkit makes a great “graduation” gift for your interns when they pass the exam.)
- Incorporate privacy training in all the tasks you assign. For example, a great intern task is to have them call the pediatrician’s office after you fax over the report. Not only does this confirm that the fax went to the desired recipient, it teaches the intern that you need to verify faxes, and it also presents an opportunity for your practice to make positive contact with a potential referral source.
- Reserve clinical discussions for private spaces, such as your office, your home, or your car. Refrain from discussing clinical matters at a coffee shop, restaurant, or on public transportation.
- Respect the personal privacy of anyone who comes into your sphere. While you don’t have a clinical responsibility to keep your employee’s phone number confidential, it sends a powerful message when you show a commitment to privacy above and beyond what your local laws require.
- Document everything in your Policies and Procedures Manual (which gets shared with anyone working for or with you).
If you are in the US, you are going to want to make sure that everyone you work with signs a Business Associate Contract, in which they promise to keep Protected Health Information (PHI) confidential and secure. Fortunately, the Department of Health and Human Services has a free sample contract, so you don’t need an attorney to craft one for you. Anyone who is working with or for your business in any capacity needs to sign one of these, unless they are already a HIPAA-covered entity (e.g. another IBCLC).
When you’re ready to bring someone on, you can use the Group Practice Essentials bundle to create the legal contracts you’ll need. You will want any subcontractors you hire to have their own NPI and liability insurance. You may also want an NPI2 for your company, and umbrella coverage if you have an office space.