HIPAA Compliance Strategies

Featured Health Business Daily Story July 15, 2009

New Federal, State Laws Raise the Stakes When Dealing With Employees Who Snoop Into Patient Health Information 

Reprinted from REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

By Eve Collins, Editor, (ecollins@aispub.com)

Health care organizations have more reason than ever to keep employees from snooping into patient records. New laws at the federal level, and in some states, make it clear that letting nosy employees slide is no longer an option.

The HITECH Act’s definition of ‘breach’ now reaches an employee who snoops into patient records: “The term ‘breach’ means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” The law also requires CMS and the HHS Office for Civil Rights to investigate complaints where a preliminary inquiry shows that “willful neglect” is the cause, and it raised the penalties the government can hand down.

Providers should also watch what is happening in their own states. California enacted two laws in 2008 to address breaches of patient information. In May, the state handed down its first administrative penalty against a hospital under those laws, assessing the maximum $250,000 on Kaiser Permanente Bellflower Medical Center, which had self-reported incidents of employees accessing patient information without authorization during a high-profile patient’s stay.

But individuals are at risk too. In some cases, the nosy employees can be prosecuted under federal or state laws, depending on what they do with the patient’s information.

Attorney Kirk Nahra says health care organizations are battling two different issues here: access issues and policing issues. “The problem that many health care businesses have had is that it’s difficult to restrict access. A nurse in a hospital setting might need access at any moment to anyone’s information,” he points out. “That tends to shift the emphasis to the back end, which is, ‘How do we make sure people are only using what they need?’”

With a celebrity’s records, extra controls on the data and swift punishment for transgressors should help, Nahra says. “If you take action on a person who accesses the information…the swift consequences reduce the risks” that it will happen with that perpetrator again or that others will try it. “You also want to do audits and track who has access to [the celebrity’s records].” One or two nurses would need access, but 100 would not, he says.

Whether a celebrity is going to be in for treatment is not an issue all facilities have to deal with. Much more universal is the employee who checks up on a family member or friend, Nahra points out. “You can’t isolate [a patient] who is family or a friend because anybody could be family or a friend” of an employee. And the employee who looks at such records always sounds as if he or she has good motives, checking on grandma after a procedure, for example. A related problem is employees who look up information with hostile intent, as an ex-spouse or a hostile neighbor might, he says.

“This is hard to control from a service context. Providers would have trouble controlling [employees’] access because they need that information to do their jobs” such as in billing and claims departments, Nahra says. Training, education, auditing and punishment should all be part of compliance programs. Auditing will get easier as more and more facilities get electronic health records, he adds. But health care organizations should also find a way to control access if they can. “Do an analysis to see if you can restrict access on the front end. Don’t just say, ‘It’s too hard,’” he says.

For example, an employee at a health insurance company who answers the customer service line would need access to members’ information because any customer could call at any time. But the insurer could limit what the employee sees to basic personal and claims information when he or she calls up the customer’s data.

Employees Could Have Bad Intentions

Another tier of the snooping problem is employees who actually intend harm, selling data for identity theft or health care fraud, as happened recently in a Florida case. Others may try to sell the information to the media if a celebrity is involved.

“You have to teach people that it’s not OK to snoop even if there’s a good reason,” Nahra says. “I think most people recognize that and realize they can get fired [and/or prosecuted], so they’re not going to do it.” When it does happen, take quick action, he says. “Publicizing that you are serious about this and taking action against the people who are doing it sends a strong message.”

Bellflower did things that many facilities do not do, Nahra says. The hospital installed confidentiality reminders that popped up when the patient’s electronic health record was accessed, and it audited its logs to find examples of unauthorized access. Then it took action against two dozen employees (including physicians) and self-reported the incident to the state.

What is disturbing about the case, Nahra says, is the state’s reaction. “The company did the right things on the front end, it fired a bunch of people…it took action and it still got hammered,” he says. “I’m not sure that’s the way to encourage [providers] to turn these things in. I’m pretty sure that nobody is going to look at records casually because of curiosity at that hospital anymore,” he adds.

One Midwestern hospital restricts employee access to patient information most tightly at the highest of three security levels that patients can choose from upon admission, says its privacy official, who asked not to be identified. At the first level, the patient agrees to be included in the hospital directory so visiting friends and family can easily find him or her.

At Level 2, the patient asks not to be included in the directory. “It’s as if they have an unlisted number and we don’t tell anyone that they’re here,” she says. “Sometimes after they understand what that means, they say they will be at Level 1 because they would not be able to get cards or flowers and we can’t acknowledge [to friends and family] that they’re in the hospital.” The people who want Level 2 status are those who don’t want calls from well-meaning friends and family during their stay.

The third and highest level of security at the facility is set up for high-profile patients and those who are at risk such as domestic abuse victims, the privacy official explains. Level 3 requires the administration’s approval and notification of several hospital departments, including security, medical records, public relations and the volunteer director because he or she often gets inquiries about patients.

With this level of security, the patient would be flagged as high-profile when his or her information is taken during registration. Certain departments (such as the volunteers or switchboard) would not be able to access the information in their system if they were to search for the patient’s name, the privacy official says.

Also, the patient’s name and other information will not appear on the hospital unit’s list or tracking board. “So whoever the caregiver is will have to use a security override to get a patient’s name in the system,” the privacy official explains. “I audit those overrides routinely, but if I have a high-status patient, I would do that more often.”

Finally, the hospital’s health information management department is told to put a restriction on all the documents and images that end up in the patient’s electronic medical record. “We don’t restrict it for clinical providers, but we can limit who has access to it and we would also audit that system more frequently when there is a high-profile or security risk patient,” she says.
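The back-end review that Nahra and the privacy official describe (audit who touched a high-profile chart and how many distinct users did, check every security override, and look for family and cross-unit lookups) can be run over an EHR access log. The following is an added example written for this page; it is not the hospital's code and not something the article describes in detail, and the log line format, the user and patient rosters, the department names and the distinct-viewer threshold are all assumptions:

```python
"""
Added example, not the article's or any hospital's code: back-end audit
review of EHR access logs for the snooping patterns the article describes.
The log format, rosters, departments and threshold below are assumptions.
"""
import re
from collections import defaultdict

# Patient privacy levels as the article describes them:
# 1 = listed in the directory, 2 = unlisted, 3 = high-profile / at-risk.
LISTED, UNLISTED, HIGH_PROFILE = 1, 2, 3

# Constructed reference data (assumed; a real system would take it from
# registration/ADT and the staffing system).
PATIENTS = {
    "M001": {"last": "Ortiz", "unit": "3W", "level": HIGH_PROFILE},
    "M002": {"last": "Nguyen", "unit": "3W", "level": LISTED},
    "M003": {"last": "Baker", "unit": "5N", "level": UNLISTED},
}
USERS = {
    "n101": {"last": "Patel", "dept": "nursing", "unit": "3W"},
    "n102": {"last": "Baker", "dept": "nursing", "unit": "3W"},
    "d201": {"last": "Chen", "dept": "physician", "unit": "5N"},
    "v301": {"last": "Lopez", "dept": "volunteers", "unit": ""},
    "b401": {"last": "Kim", "dept": "billing", "unit": ""},
}
# Care team per MRN: the "one or two nurses" who legitimately need the chart.
CARE_TEAM = {"M001": {"n101"}, "M002": {"n101", "n102"}, "M003": {"d201"}}
NON_CLINICAL = {"volunteers", "switchboard", "public_relations"}
CLINICAL = {"nursing", "physician"}
MAX_DISTINCT_VIEWERS = 3  # assumed ceiling for a high-profile chart

LOG_RE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<uid>\S+) mrn=(?P<mrn>\S+) "
    r"action=(?P<action>\S+) override=(?P<override>[01])$"
)

def parse_line(line):
    """Parse one assumed-format access log line into a dict."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["override"] = ev["override"] == "1"
    return ev

def review_event(ev):
    """Return (severity, reason) findings for one access event."""
    user, pat = USERS[ev["uid"]], PATIENTS[ev["mrn"]]
    on_team = ev["uid"] in CARE_TEAM.get(ev["mrn"], set())
    findings = []
    if ev["override"]:  # every security override gets reviewed
        findings.append(("review", "security override used"))
    if pat["level"] >= UNLISTED and user["dept"] in NON_CLINICAL:
        findings.append(("high", f"{user['dept']} reached a level-{pat['level']} record; front-end block failed"))
    if pat["level"] == HIGH_PROFILE and not on_team:
        findings.append(("high", "high-profile record viewed by someone not on the care team"))
    if user["dept"] in CLINICAL and not on_team and user["unit"] != pat["unit"]:
        findings.append(("medium", "clinical user on another unit with no treatment relationship"))
    if user["last"].lower() == pat["last"].lower() and not on_team:
        findings.append(("low", "possible family lookup: user and patient share a surname"))
    return findings

def review_log(lines):
    """Review every line; also flag high-profile charts seen by too many distinct users."""
    report = defaultdict(list)
    viewers = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        viewers[ev["mrn"]].add(ev["uid"])
        for sev, why in review_event(ev):
            report[ev["uid"]].append((ev["ts"], ev["mrn"], sev, why))
    for mrn, who in viewers.items():
        if PATIENTS[mrn]["level"] == HIGH_PROFILE and len(who) > MAX_DISTINCT_VIEWERS:
            report["_patient:" + mrn].append(
                (None, mrn, "high", f"{len(who)} distinct users viewed a high-profile chart"))
    return dict(report)

# Constructed sample log; not real data.
SAMPLE_LOG = [
    "2009-07-01T08:02:11 uid=n101 mrn=M001 action=view_chart override=0",
    "2009-07-01T08:05:40 uid=n102 mrn=M001 action=view_chart override=1",
    "2009-07-01T09:10:03 uid=d201 mrn=M001 action=view_chart override=1",
    "2009-07-01T09:30:55 uid=v301 mrn=M001 action=search_name override=0",
    "2009-07-01T10:12:19 uid=n102 mrn=M003 action=view_chart override=0",
    "2009-07-01T11:00:00 uid=b401 mrn=M002 action=view_claims override=0",
]

if __name__ == "__main__":
    for who, items in review_log(SAMPLE_LOG).items():
        for ts, mrn, sev, why in items:
            print(f"{who:14} {mrn} {sev:6} {why}")
```

Run as a script it prints one line per finding per user, plus a patient-level finding when a high-profile chart was opened by more than the assumed number of distinct users; the billing user's look at a listed patient's claims produces nothing, matching Nahra's point that such staff need that access. A real deployment would pull the care-team roster from the ADT and staffing feeds, and the surname match is only a prompt for a closer look, not evidence of misuse.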

The privacy official says the facility’s discipline policy has not had to be used for this type of issue; the hospital rarely treats celebrities, and staff members pretty much keep their noses out of patients’ records. “We have a progressive discipline policy out of our human resources department,” she says. The policy has a number of steps, but certain infractions, such as unauthorized disclosure or mishandling of information, are handled in fewer steps, she explains, and she tells staff members that “there is some discretion there” on the hospital’s part.

“Unauthorized disclosure or mishandling of confidential information is a serious infraction that may result in a disciplinary suspension for a first offense and lead to discharge if a repeat infraction occurs within twenty-four months,” a summary of the human resources policy says.

Nahra says providers can choose to have a no-tolerance policy or to be more flexible and give warnings for first offenses. “There is a difference between checking on grandma versus [trying to] get information on an ex-spouse versus looking up information for identity theft.”


 


Copyright © 2010 by Atlantic Information Services, Inc. All rights reserved.
1100 17th Street, NW, Suite 300, Washington, DC 20036
Phone 202-775-9008 or 800-521-4323; E-mail customerserv@aispub.com