Legal Update: No. 1 HIPAA Privacy Risk? Snooping Staff

Employees peeking at patients' medical records far from uncommon.


protected patient information AUTHORIZED ACCESS? Is your patient information protected from the prying eyes of your staff?

One of the most common HIPAA violations? Staff snooping in medical records. Healthcare employees who access and view a patient's protected health information purely for personal reasons, and not for any legitimate business or patient care need, may face criminal culpability. As their employer, your facility will also find itself at regulatory risk for such privacy breaches. Curiosity-kills-the-cat cases in which staff peek into the medical records of friends, fellow workers and even celebrities are becoming increasingly common. Here's an example.

Let's say that Mary, who works as one of your scrub techs, discovers that her ex-husband, John, who has not paid child support in more than 8 months, has undergone elective surgery at your facility. Mary has no job-related reason to access his electronic health record, but she does so on 11 different occasions, at times for more than an hour. She prints his demographic, credit card, health insurance, billing and claims information, his Social Security number and certain portions of the clinical record documenting his procedure. She uses this information to file a legal action against him to obtain the unpaid child support and to increase her alimony. She also blasts him on social media for spending exorbitant amounts of money on his vanity, naming the procedure and its costs, instead of child support.

John files a complaint against your facility with the Office for Civil Rights. He also files a criminal complaint and a civil libel suit against Mary. When you confirm Mary's unauthorized access to the EMR system and her breach of patient information, you fire her, of course, but in HIPAA's view your job's just beginning. Now you have to conduct an expensive and time-consuming investigation, take action to mitigate any further harm to John and make any required notifications. The loss of an employee and professional reputation will no doubt cost you, plus you may face federal fines.

Nothing stays anonymous online
While you need to be careful not to interfere with your employees' First Amendment rights to free speech, you also need to warn them of the potential for HIPAA breaches in their social media communications. A posting that claims to tell "True Stories of the OR," or begins "You would not believe what happened in surgery today," reciting "anonymous" facts based on an incident that occurred at your facility places the facility, its administration and its staff in the HIPAA breach danger zone.

All too often, a social media post that is commented on and forwarded has unintended consequences. Inevitably someone in the chain will add a name or other identifying information. Protected health information will be released and facts will be twisted. This information must remain within the walls of your facility and be disclosed only for the legitimate business and patient care needs permitted under HIPAA.

HIPAA audits underway
In July, the U.S. Department of Health and Human Services' Office for Civil Rights — which enforces HIPAA — announced plans to conduct desk audits of healthcare providers, insurers and clearinghouses. These audits are underway and focus on the law's privacy, breach notification and security rules (osmag.net/vkV7JQ); those that reveal deficiencies may be expanded into on-site audits or more detailed inquiries into all of a facility's HIPAA practices.

With patient complaints and enforcement actions on the rise, orientation sessions and annual refresher courses may not be enough to keep your facility on the right side of the law. In addition to continuously monitoring compliance, you may need to take the extra step of individually training affected staff members as needed, such as after a privacy breach incident. Delivering periodic reminders of HIPAA's obligations and protections via facility-wide e-mails can also help to promote awareness of, and avoid, common privacy pitfalls.