Recent Data Breaches Emphasize HIPAA Compliance

June 23, 2016
Rachel V. Rose, JD, MBA

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.

Different types of data breaches at two hospitals in Michigan and New Mexico underscore HIPAA liability concerns.

August 2016 will mark the 20-year anniversary of HIPAA becoming law. Yet the number of threats to physicians, other providers, and business associates continues to make headlines. The U.S. Department of Health and Human Services (HHS) is investigating potential violations. First, ProMedica hospitals in Michigan had protected health information (PHI) breached by employees of the health system. Of the seven employees who accessed the records at Bixby Hospital and Herrick Hospital, three have been terminated because they were not authorized to access the records. Generally speaking, only members of the care team, as well as intake employees, billers, and coders, have the ability to access records. Therefore, even if a job description says access is permissible, if there is no clinical or financial reason to be accessing the information, then don’t.

For physicians, the takeaway in this scenario is simple. If you are a member of the care team or are approached by a colleague to review the clinical situation and provide an opinion, then this is acceptable. On the other hand, if a colleague happens to mention a “cool case,” then it is not permissible for a physician to view the medical records, simply out of curiosity.

The incident in New Mexico relates to a technology glitch, which caused staff to inadvertently send out invoices containing PHI on more than 2,800 patients. According to the Chief Privacy Officer at the University of New Mexico Health Sciences Center, Sarah Morrow, "[w]e have thoroughly investigated and identified the technical issues that led to the erroneous mailings, and we are monitoring the system to ensure this does not happen again.” This underscores the need to double-check the accuracy of the information after a software system integration.

In sum, nearly 29 years after its inception, HIPAA and the related penalties are not going away. As technology becomes more sophisticated, it is crucial to make sure that physicians don’t lose sight of the basics: training staff and implementing adequate policies and procedures. Failure to do so can be costly.