Several months ago, I received a call from a client who had been contacted by the privacy officer of a local medical institution. This practice, like other groups in the community, is integrated with the information systems of the local hospital, and its physicians are on staff at the hospital. The privacy officer reported that a member of the practice staff had accessed the hospital medical records of another practice employee. In addition to informing the practice manager of the breach, the hospital requested a formal response from the practice. The practice was also told that the individual whose record was accessed would be notified of the breach.
First, the agreement with the hospital indicated that, as a result of the breach, the hospital was required to notify the impacted individual of the HIPAA breach and had the right to pursue other legal remedies. The agreement also stated that the practice, or members of the practice staff, might be deprived of access to the information systems going forward as a result of the breach. Because the practice depends on this EHR access, this was an issue of great concern.
Second, we reviewed the HIPAA policies of the practice. They were confusing, incomplete, and did not provide the guidance I had hoped to find regarding discipline of employees for HIPAA violations. In fact, it was determined that, although an outside consultant had reviewed the practice’s HIPAA policies and practices a few months earlier, no identified steps for correction had yet been implemented.
In determining the steps that needed to be taken, the following was decided:
1. All EHR access of the employee who committed the violation was to be discontinued immediately. The job description of the employee would be modified to accomplish this. Luckily, in this instance, EHR access was not an integral part of the job description. If EHR access had been required, termination might have been a more likely option.
2. Recommended improvements to the HIPAA program would be implemented immediately. The consultant was directed to complete the policies and staff training on an expedited basis. The employee who violated HIPAA was to be individually educated every three months for the next year.
3. The employee who violated HIPAA was also put on unpaid leave for a period of time. A reprimand was placed in his file, and any recurrence would mean immediate termination. Although some entities might have terminated him immediately, it was determined that education had been deficient and a chance at redemption was appropriate.
In communicating the steps taken to the hospital, we made it clear that compliance with HIPAA is of the utmost importance to my client and that, in fact, they have approached HIPAA compliance with zeal. The client also understands that a complaint may yet be filed against the practice and that the employee whose record was accessed must be allowed to take any action he chooses. The practice cannot pressure that employee not to file a claim, or retaliate against him in any way.
While the full outcome of these events remains unknown, every practice should consider:
• Has your staff been properly trained and is it time for a refresher?
• If a violation did occur, would you know which documents to turn to, and are they written so that you can understand them and find what you need?
• Does your HIPAA policy address the type of discipline and/or actions required under different circumstances?
• Do you know how to respond if you receive an inquiry from a hospital or other third party regarding a HIPAA violation?
• Are you informed about your practice’s obligation under HIPAA?
Although compliance with HIPAA is key to preparing for HIPAA audits, practices need to appreciate that compliance with HIPAA is a day-to-day reality and not merely an academic exercise. Think about whether you are ready to address a privacy violation if it occurs today.