I recently conducted a HIPAA audit for a medical practice that came under scrutiny by its local hospital affiliate.
The issue arose after a disgruntled employee posted online comments and sent a letter to the hospital’s compliance officer indicating that the practice was in breach of HIPAA. In particular, the employee alleged that passwords were shared, information on non-patients was accessed, and employees viewed patient information beyond the scope of their employment. Such conduct, if it had occurred, would breach the practice’s own policies as well as its agreement with the hospital.
A thorough investigation found there had been some sharing of passwords but no HIPAA breach. Not a single employee had looked at a record that fell outside their job description, and not a single employee looked at a medical record outside of the practice’s own patients. At the end of the day, those individuals who shared passwords were disciplined and/or terminated. The practice also provided employees with additional training.
Unfortunately, this is not the norm for most practices. In many HIPAA audits, I find that in addition to the sharing of passwords, personnel regularly review records that fall outside their job description. Easy access to a connected hospital’s EHR system means employees can access an even greater number of medical records.
Sometimes, if a practice employee accesses the records of a non-patient, this can trigger an alert of the hospital EHR system, but not always. Thus, all practices should be vigilant about auditing employee activity and must strictly enforce — and promptly to respond to — any policy or HIPAA violations.
Humans are curious by nature and when it comes to HIPAA, this can often be their downfall. For example, actor Jussie Smollett was recently treated at a Chicago hospital for an “alleged” attack. Subsequently, dozens of hospital employees were terminated for having viewed his medical records without authorization.
This has happened before with other celebrities, and the common belief among healthcare employees is that they won’t get caught. However, most EHR systems are sophisticated enough to determine how the employee called up the record, what they looked at in the record, and how long they spent looking. This can make it impossible for anyone to argue he/she did not intentionally access a medical record.
Curiosity does not end with celebrities. Some of my clients’ employees regularly get in trouble for peeking at records of friends and family members, which they claim to look at out of “concern.”
The situation becomes even worse when this information is shared with others. For example, there was recently a case in New York where a nurse found out her sister in law’s boyfriend was diagnosed with a sexually transmitted disease. The nurse promptly sent text messages warning her sister-in-law. The clinic was sued even though the nurse was immediately, and appropriately, terminated.
To minimize risk to your practice, you need to consider:
- Training your employees. My most successful practices require it quarterly.
- Auditing employee activity routinely.
- Flagging personal relationships and conflicts, when possible. Family members of employees should have their records flagged and handled by other staff.
- Disciplining staff for violations. Employees should know the practice is serious about patient security and privacy. This should include termination where appropriate.
- Listening to your employees. Are they seeing violations occurring? Do they have concerns about the way the practice is operating, or if particular people are handling their jobs properly?
I understand it can feel like it’s almost impossible to comply with HIPAA when rogue employees can so easily cause a violation for the entire practice. Having the right policies and practices in place are your best form of protection.
Ericka L. Adler has practiced in the area of regulatory and transactional healthcare law for more than 20 years. She represents physicians and other healthcare providers across the country in their day-to-day legal needs, including contract negotiations, sale transactions, and complex joint ventures. She also works with providers on a wide variety of compliance issues such as Stark Law, Anti-Kickback Statute, and HIPAA. Ericka has been writing for Physicians Practice since 2011.