The Health Insurance Portability and Accountability Act (HIPAA) requires that all patients' medical records, whether in paper or electronic format, be protected from unnecessary use or disclosure. This protection applies to everyone, including celebrities. Unfortunately, a group of employees at the University of California Los Angeles (UCLA) Medical Center are finding out the hard way that looking up a celebrity's medical information is a HIPAA breach that could cost them their jobs.
Several employees at the UCLA Medical Center accessed Kanye West's medical records when he entered the hospital last year seeking treatment for a nervous breakdown. According to Oregonlive.com, "It's not clear if they managed to sneak a peek at his treatment records, but it was enough to prompt UCLA bosses to launch an investigation into the alleged breach, which is expected to lead to a number of dismissals."
This is not a new issue for Kanye West or his wife, Kim Kardashian. In 2013, Mrs. Kardashian's private medical records were at the center of a HIPAA breach at the hospital where she gave birth, Cedars-Sinai Medical Center in Los Angeles, CA. Shortly thereafter, the hospital fired six workers for snooping on more than a dozen patients' health records.
According to a report by The Los Angeles Times, "Los Angeles hospitals have a history with curious employees inappropriately accessing celebrity health records. Britney Spears, Farrah Fawcett, and then-California First Lady Maria Shriver have all been affected by HIPAA breaches in recent years. [The] UCLA Health System in 2011 agreed to pay $865,000 settlement for HIPAA breach allegations."
The lesson here is that no matter how excited we are to see our favorite celebrity at the medical office, his or her records are protected under HIPAA and should not be used, viewed or disclosed by anyone who does not have a legitimate need to access them. While I highly doubt anyone is interested in my medical history, someone like catcher Yadi Molina's medical history would be of interest to almost every St. Louis Cardinals fan.
This type of breach can be difficult for an employer to prevent. Imagine former St. Louis Cardinal and Hall of Famer Lou Brock walked into your medical office. Any Cardinals fans you might employ would be excited to see him. They may even want to let their friends know who they saw at work today by disclosing that fact on their Facebook pages. The second one of your employees discloses the fact that Mr. Brock was in your office, you could be on the hook for any fines or penalties that the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) decides to hand down.
People may want access to medical records for monetary gain as well. For example, the HHS website is filled with examples of hackers and disgruntled employees who walked away with a thumb drive full of patient information that they then used to open credit cards in those patients' names. When it comes to celebrities, some employees may try to sell the medical information to tabloids. Many of these types of breaches can be prevented by conducting thorough and accurate training and a risk analysis of the medical office, both of which are required by HIPAA. Three specific things go a long way toward helping medical practices protect themselves from these types of breaches: running a risk analysis, conducting thorough training of all employees, and using audit trail reports.
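As an added illustration of the audit trail review mentioned above (this is example code, not from the original post or any EHR vendor), the script below reads constructed audit-trail rows and a constructed care-team table, and flags every chart access by a user with no documented treatment, payment or operations relationship to that patient. The log layout, field names and watch-list concept are assumptions for the illustration.

```python
from collections import Counter

# Constructed sample audit-trail entries: (timestamp, user_id, role, patient_id, action).
AUDIT_TRAIL = [
    ("2017-01-10T09:02", "u101", "nurse", "p555", "view_chart"),
    ("2017-01-10T09:05", "u102", "billing", "p555", "view_chart"),
    ("2017-01-10T09:07", "u107", "scheduler", "p555", "view_notes"),
    ("2017-01-10T09:08", "u103", "physician", "p555", "update_chart"),
    ("2017-01-10T10:30", "u101", "nurse", "p123", "view_chart"),
    ("2017-01-11T12:00", "u107", "scheduler", "p555", "view_chart"),
]

# Constructed care-team table: users with a documented reason to touch each chart.
CARE_TEAM = {"p555": {"u101", "u103"}, "p123": {"u101"}}

# Constructed watch list: charts (e.g. public figures) that get priority review.
WATCHLIST = {"p555"}


def flag_unexplained_access(trail, care_team, watchlist=frozenset()):
    """Group accesses that have no documented care relationship by (user, patient).

    Returns a list of finding dicts ordered so that watch-listed patients come
    first, then by number of accesses, so a reviewer sees the riskiest items first.
    """
    counts = Counter()
    roles = {}
    for _ts, user, role, patient, _action in trail:
        if user in care_team.get(patient, set()):
            continue  # documented reason on file; nothing to flag
        counts[(user, patient)] += 1
        roles[(user, patient)] = role
    findings = [
        {"user": u, "role": roles[(u, p)], "patient": p,
         "accesses": n, "watchlist": p in watchlist}
        for (u, p), n in counts.items()
    ]
    findings.sort(key=lambda f: (not f["watchlist"], -f["accesses"], f["user"]))
    return findings


if __name__ == "__main__":
    for finding in flag_unexplained_access(AUDIT_TRAIL, CARE_TEAM, WATCHLIST):
        print(finding)
```

In practice the care-team table comes from scheduling and encounter data, and each flagged item is a review question for the compliance officer, not an automatic conclusion of wrongdoing.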
Running a Risk Analysis
HIPAA requires that risk analyses be run whenever a breach has occurred in order to determine if there is a high or low risk of compromise to the patients' medical information. The risk analysis I run for my clients comes straight from the HHS audit protocol. This audit is very thorough and can be effective in making sure all of your potential vulnerabilities are addressed.
The problem most doctors face is that they don't conduct these analyses unless a breach occurs. To fully protect yourself, you need to run these analyses on a regular basis. A doctor's office that runs a risk analysis bi-annually or quarterly, for example, has a better chance of catching shortfalls in its medical record protections than the doctor who doesn't run a risk analysis until a breach has occurred. Getting ahead of the risk, before it happens, is the best way to protect your office and staff from a breach.