19.2 Core Workflows and Decision Points

19.2 Core Workflows and Decision Points

Most ethics and legal questions are really workflow questions: a task is triggered, a rule controls it, you act, and you document. Learn the four pillars below as ordered steps.

Workflow 1: Identity verification before PHI

Before charting, releasing results, or discussing anything, confirm two patient identifiers (typically full name and date of birth). This prevents wrong-record entries that ripple into billing, surgery scheduling, and the master patient index. Phone callers must be identity-verified before any value is read out.

Workflow 2: Informed consent

Consent is the physician's legal duty to explain the procedure, risks, benefits, and alternatives. The assistant's job is to confirm the consent form is signed, dated, and matches the planned eye and procedure before the patient proceeds. If the form is missing, blank, or names the wrong eye, you stop and notify the physician — you do not obtain consent yourself.

Workflow 3: Documentation and corrections

The chart is a legal document. Entries are accurate, objective, timely, and attributed. To correct a paper record: draw a single line through the error so it stays legible, write the correction, and add your initials, date, and a brief reason. Never erase, use correction fluid, obscure, or back-date. In an electronic health record (EHR), corrections are made as tracked addenda or amendments — the audit log preserves the original.

Workflow 4: HIPAA privacy and security controls

• Apply the minimum necessary standard: open only the part of the record the task requires.
• Use unique logins; never share passwords; log off shared workstations.
• Disclosures for treatment, payment, and operations generally need no extra authorization; most other releases require a signed authorization.
• A breach affecting 500 or more individuals must be reported to HHS and the media without unreasonable delay and no later than 60 days.

What belongs in a defensible ophthalmic chart

Documentation is itself a workflow. A complete encounter note ties each finding to who recorded it and when: chief complaint, visual acuity (with correction and method), pupils, intraocular pressure with the instrument and time, confrontation or formal fields, motility, external and slit-lamp findings, any drops instilled (drug, concentration, time, which eye), and the patient's stated history and allergies. Use only approved abbreviations — "OD" right eye, "OS" left eye, "OU" both eyes — and avoid error-prone shorthand. Every entry should be legible, signed or electronically attributed, and timed.

If a value is abnormal or alarming (for example, an IOP of 42 mmHg), the chart should also reflect that the physician was notified. Incomplete or ambiguous charting is the most common documentation failure the exam probes.

Retention numbers worth memorizing

HIPAA requires keeping compliance documentation (policies, risk analyses, training logs) for 6 years. HIPAA does not set a patient medical-record retention period — that is governed by state law, commonly 7–10 years for adults and longer for minors. When the two conflict, follow the more stringent requirement.

Workflow 5: Telephone, fax, and electronic disclosures

Day-to-day disclosures carry real risk. On the phone, verify identity with two identifiers before releasing any value, and never leave detailed clinical information on a voicemail unless the patient has approved that method. Faxes go only to verified numbers using a cover sheet with a confidentiality notice; a misdirected fax of PHI is a reportable incident. Email and patient-portal messages should use the practice's secure channel, not personal accounts. When a patient asks you to text results, get documented consent for that less-secure method first.

Workflow 6: Patient access and amendment rights

HIPAA gives patients the right to inspect and obtain a copy of their records, generally within 30 days of a written request, and to request amendments to information they believe is wrong. The assistant routes these requests through the practice's process rather than handing over or editing records on the spot. A patient cannot demand deletion of accurate clinical findings, but they can add a statement of disagreement. Knowing that access is a patient right — not a favor — helps you eliminate distractors that stall or deny the request.

Putting the controls together

A defensible answer almost always satisfies four checks at once: the patient's identity was verified, only the minimum necessary information was used or released, the act stayed inside the assistant's scope, and the action was documented in a way an auditor could follow. If a candidate answer fails any one of these, it is usually the distractor.

Worked example

A coworker leaves a chart open and walks away; another patient could read it. The triggering rule is the Security and Privacy safeguard against unauthorized access. The defensible action is to close or secure the record and remind staff of the workstation policy — not to ignore it because "nothing happened." Choosing inaction because no harm is visible misses that HIPAA addresses the risk of exposure, not only proven disclosure.