In the first four months of 2007, Park Nicollet Clinic in Minneapolis reprimanded more than 100 employees who were looking into patients' records inappropriately.
While the intent of the inquiring minds may have been due more to concern than malice, accessing the medical records of a relative, friend, co-worker, and other patients is in clear violation of patient privacy guidelines outlined in the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
Park Nicollet is not alone in its vigilance to prohibit unauthorized access to patient data and discipline employees who break HIPAA's privacy statues. Other hospitals and healthcare facilities around the U.S. are taking concerted measures and investing millions of dollars to prevent similar such privacy intrusions.
The Medical University of South Carolina (MUSC) in Charleston uses what Susan Pletcher, director of health information and patient access services, describes as progressive disciplinary action. Say, an employee faxes a patient's information to the wrong number. He or she will receive counseling for the minor violation and will be reminded to confirm the destination of the information next time.
A suspension is warranted in incidents in which an employee looks at a medical record of a relative, friend, or co-worker out of concern for the patient's health. Even if the information is used exclusively for his or her own personal knowledge, the inquisitive employee will earn a three- to five-day suspension from MUSC.
"If an employee were suspended for a HIPAA violation and maybe three or six months later has another violation, they could very well be terminated," Pletcher said. "They don't just keep getting suspensions."
When there is malicious intent to obtain patient information, then the employee faces immediate termination. "We have had employees terminated, but it doesn't happen often," she added. "If somebody looks at a neighbor or co-worker's file in that situation, we have terminated employees. We take it very seriously."
Inpatient concerns
Some MUSC employees are reluctant to receive care at the facility, because they are concerned that a colleague may access their medical record. To quell that fear, Pletcher receives a list of MUSC employees who are inpatients at the hospital and conducts an audit every Monday to make sure no one has inappropriately accessed their files. The audit also can determine how long someone had a particular patient record open.
She also will perform an audit for public officials and other VIPs who receive treatment at MUSC, as well as follow-up requests from anyone who believes his or her file was accessed without authorization. If Pletcher eyes suspicious activity, she will send a letter of query to the person who opened the record and ask why it was accessed. The letter is a way for the employee to justify his or her actions.
It simply may have been a case of a nurse working a different shift or assigned to a different department. "We don't automatically accuse them, because they may have changed their assignment," Pletcher said.
To help with the responsibilities and boost its HIPAA compliance and enforcement, MUSC recently hired a new HIPAA compliance officer to work with Pletcher.
Security technologies
The 72-bed University General Hospital (UGH) in Houston uses a number of different technologies to secure and monitor patient records. Each employee must swipe his or her ID badge through a reader next to a PC as part of UGH's single sign-on technology to access data. The process includes entry of a user name and password.
The facility also has biometric technology for fingerprint ID on laptops, as well as radiofrequency identification (RFID) technology as an option for the sign-on confirmation process.
In addition, UGH's security system audits access to each file that contains protected information and tracks employees' use of the Internet and e-mail. "If an outgoing e-mail has an account number, Social Security number, or medical record number in it, it will not pass through the outgoing mail filter," said UGH chief information officer (CIO) Kelly Riedel.
UGH's health information system (HIS) from Siemens Medical Solutions of Malvern, PA, includes features that allow the facility to track access to every application, where the user went, and what they did. For the period of one month, the HIS also provides a history of any accessed file that contains protected healthcare information. If there are any questions or concerns, the report goes to the respective directors to see where their employees have been.
Early due diligence
During the first few months after UGH opened in September 2006, Riedel said there were some privacy issues regarding e-mail, but those breaches in security were unintentional.
There have been no disciplinary actions taken against employees for violating HIPAA privacy standards during the first 11 months of UGH's operation, according to Riedel. "I am not aware of a single infraction, and we have not had to write anyone up," he added, "but there were verbal warnings at the beginning as part of the educational process."
Like MUSC, UGH has three levels of violation and discipline. The least severe is an unintentional breach of a patient record, whereby information was accessed or viewed when someone did not log off from a computer. That infraction results in a written warning.
Level two is an intentional breach in which there is concern for the condition of a friend, relative, or co-worker. "Obviously, they should not be privy to that information. That goes back to a written warning," Riedel said. "If there were a previous infraction, that could lead to termination."
Any sort of purposeful breach of security, malicious behavior, or disclosure of patient health information to an outside party -- such as a doctor looking through another doctor's patient records without prior approval -- "would lead to immediate termination of employment, or we would revoke medical staff privileges," Riedel added.
Biweekly audits
UGH's department directors review security and user reports on a regular basis, while the IT and human resources departments both conduct audits every other week.
So far, the hospital, which continually adds to its privacy protection arsenal, has invested approximately $2 million for its HIS, which includes the security technologies.
Riedel also has at his disposal an anti-theft laptop and PC-tracking technology called Computrace from Absolute Software, based in Vancouver, British Columbia. UGH pays a fee of $75 per computer for software that allows Riedel to track any laptop with confidential information that leaves the building without authorization.
"The first time that piece of hardware connects to the Internet and we have identified it as a stolen or breached piece of equipment, I have an authorization code that will disable that laptop," he said. "As soon as it hits the Internet, it wipes out the hard drive immediately."
Location, location, location
While the level of enforcement and punishment of HIPAA violations is standard among healthcare facilities, the interpretation of privacy guidelines seems to vary throughout the U.S. Based on his travels, Dr. Maurice Ramirez, an ER physician at Highlands Regional Medical Center in Sebring, FL, believes that healthcare institutions in the Southeast and on the East Coast are stricter in HIPAA interpretation than on the West Coast.
On the West Coast, he maintains, physicians are taught that HIPAA applies only when patient information is stored or transferred. "If you are physically carrying a chart from point A to point B or photocopying a chart for records dissemination or records release, then HIPAA applies," Ramirez said. "They don't feel that HIPAA applies if they are doing research or if writing a scientific article about a patient, because they observed the other confidentiality requirements as determined by the independent research board at their facility."
Ramirez gave an example of an independent research board (IRB) that referred its HIPAA policies to the researcher, who chose to follow the study sponsor's privacy guidelines, which, in turn, did not match those of the IRB.
"If you are in a diabetes research project, you are under one set of guidelines, because that institution's guidelines are enforced," Ramirez said. "If you are in the cholesterol project at a different university, that facility is operating under its own guidelines, as well as imposing additional restrictions when the individual research guidelines are more strict than those proposed by the facility itself."
Missing relatives
The issue of privacy interpretation can become more complicated in cases of natural disasters, such as hurricanes and earthquakes. Can a physician or healthcare provider divulge if someone is being treated at the facility, because people are searching for their loved ones?
Some facilities may decide that having a list of patients being treated in such events is acceptable, while other facilities would view that disclosure as a HIPAA violation.
"Interestingly, the guidance from the government is that is not a violation to confirm or deny the treatment of an individual at your facility in circumstances of a disaster," Ramirez said. "The official guidance seems to have been lost in the murky waters around what constitutes a violation."
MUSC's Pletcher recommends educating employees on HIPAA guidelines, along with ongoing monitoring to minimize violations. "Then they (the employees) know you are serious about it," she said. "It works to create a good, trusting department. People will give you feedback if they think there has been a violation."
By Wayne Forrest
AuntMinnie.com staff writer
August 27, 2007
Related Reading
Security awareness in healthcare is coming of age, March 2, 2007
EHR deployment presents familiar obstacles, February 27, 2007
Security considerations in transmitting medical information, January 19, 2007
HIPAA security still problematic, November 7, 2006
HIPAA compliance remains inconsistent, April 12, 2006
Copyright © 2007 AuntMinnie.com
