Employee Curiosity Sometimes Overcomes HIPAA Training
By Greg Freeman
Recently, a hospital in Washington was fined $240,000 in a settlement with the Office for Civil Rights (OCR) over allegations that 23 security guards snooped in the medical records of 419 patients — a reminder that this pernicious type of HIPAA violation is difficult to eliminate.
OCR will monitor the hospital for two years to ensure compliance with HIPAA. The hospital also must abide by a corrective action plan. (The resolution agreement and corrective action plan are available online at: https://www.hhs.gov/hipaa/for-....)
Employee education is key to prevent snooping, says Mutanu Mutuvi-Thomas, privacy officer with Luminis Health in Annapolis, MD. Mutuvi-Thomas begins with new employee orientation and continues with annual reminders about what is and is not allowed.
“We strictly educate people and say access is only for work-related process purposes. In addition to that, we do rounding — walkthroughs where we hand out pamphlets with little reminders that say ‘no snooping,’” Mutuvi-Thomas explains. “We tell them this is not right, and if you think someone has done it, send it to the privacy office. We’re just making sure employees know what to do and what not to do.”
In the education sessions and rounds, Mutuvi-Thomas says participants are eager to do the right thing but are sometimes taken aback by what constitutes a HIPAA violation. It is not uncommon for employees to be surprised they cannot access medical records to remind themselves of their 10-year-old son’s upcoming medical appointment.
Luminis also held a three-month campaign during which every computer in the health system automatically displayed a “no snooping” message when a user signed on. The short article also was featured in the newsletter distributed to the entire organization.
Luminis does not allow employees to access the medical system to view their own records. It is not a HIPAA violation, but it would be a policy violation, Mutuvi-Thomas says. Employees are required to use the same MyChart access as other patients.
The health system also uses software that audits logs of electronic health records to find any situations that look odd, such as someone accessing files they normally do not access, or an unusual series of clicks different from their day-to-day activities. When those are found, Mutuvi-Thomas contacts the employee’s supervisor to ask if it looks suspicious.
“Sometimes, we do have the occasional person who has ignored the education and gone ahead and snooped. In those cases, we work with that employee, with HR, and we provide additional education,” Mutuvi-Thomas says. “HR and the supervisor will determine what the disciplinary action will be. Obviously, a lot of factors go into that — whether it’s the first time or the second time, for example.”
Limit Access
In the recent Washington settlement, the main issue seems to be a lack of limited role-based access, says William P. Dillon, JD, shareholder with Gunster in Tallahassee, FL. Dillon questions why security guards would ever have access to patient records.
“We have to have access privileges for people to access that information. That is normally based on that person’s need to know. If I’m a nurse or a doctor there, my access to their information is going to be pretty substantial so I can do my job,” Dillon explains. “For the life of me, I can’t understand why the security guards were given access to that type of information. It just makes zero sense.”
However, even those employees who are not given access to protected health information should be trained in HIPAA compliance, Dillon says. For example, housekeeping staff could overhear a conversation between a patient and a nurse or a physician that includes confidential information. They should understand they cannot reveal that information to anyone.
One good auditing tactic applies after a hospital treats a VIP or celebrity patient. This is a prime temptation for snooping, so the hospital can audit who viewed that record to see if anyone who does not need access opened it.
“It’s low-hanging fruit to check whether or not people are following the rules,” Dillon says. “If they let their curiosity get the better of them because the star football player’s in there, even if it was a nurse or a doctor, if it’s not their patient they don’t really have any right to go poking around in that chart.”
Find Violators Early
Audits are not the only best practice. Entities are required to maintain audit logs and access reports, review them, and pinpoint any outliers, says Iliana L. Peters, JD, shareholder with Polsinelli in Washington, DC.
The goal should be to find snooping employees as soon as possible before they continue with the habit out of curiosity or for criminal reasons. Even the best training program cannot prevent snooping.
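As an added illustration, not code from the article or from any organization quoted in it, the following Python script applies the review steps described above to a constructed EHR access log: a role check (the security-guard case), views of a flagged VIP record by users outside the care team, employees opening their own record, and a simple outlier count of views of unassigned patients. All user names, roles, MRNs, the care-team roster and the threshold are made up for the example.

```python
"""Review EHR audit logs for the snooping patterns described in the article (constructed example)."""
from collections import Counter
# Constructed audit log lines: timestamp,user,role,patient_mrn,action
AUDIT_LOG = """\
2024-03-01T08:02,nurse_a,nurse,MRN100,view
2024-03-01T08:10,nurse_a,nurse,MRN101,view
2024-03-01T09:15,guard_b,security,MRN100,view
2024-03-01T09:40,clerk_c,scheduler,MRN777,view
2024-03-01T10:05,doc_d,physician,MRN777,view
2024-03-01T11:30,clerk_c,scheduler,MRN555,view
2024-03-01T12:00,nurse_a,nurse,MRN102,view
2024-03-01T12:05,nurse_a,nurse,MRN103,view
2024-03-01T12:06,nurse_a,nurse,MRN104,view
"""
# Hypothetical reference data a privacy office would pull from HR and the EHR.
ROLES_WITH_CHART_ACCESS = {"nurse", "physician", "scheduler"}  # security guards absent on purpose
CARE_TEAM = {"MRN100": {"nurse_a"}, "MRN101": {"nurse_a"}, "MRN777": {"doc_d"}}
VIP_RECORDS = {"MRN777"}              # records flagged for an after-the-fact "who looked?" audit
EMPLOYEE_MRN = {"clerk_c": "MRN555"}  # employees who are also patients of the health system
UNASSIGNED_THRESHOLD = 2              # more unassigned views than this in the window is an outlier

def parse(log_text):
    """Split the CSV-style log into dicts, one per access event."""
    rows = []
    for line in log_text.strip().splitlines():
        ts, user, role, mrn, action = line.split(",")
        rows.append({"ts": ts, "user": user, "role": role, "mrn": mrn, "action": action})
    return rows

def review(rows):
    """Return (user, mrn, reason) findings for the privacy office to raise with a supervisor."""
    findings = []
    unassigned = Counter()
    for r in rows:
        user, role, mrn = r["user"], r["role"], r["mrn"]
        team = CARE_TEAM.get(mrn, set())
        if role not in ROLES_WITH_CHART_ACCESS:
            findings.append((user, mrn, "role should not have chart access"))
        if mrn in VIP_RECORDS and user not in team:
            findings.append((user, mrn, "VIP record viewed by non-care-team user"))
        if EMPLOYEE_MRN.get(user) == mrn:
            findings.append((user, mrn, "employee viewed own record (policy violation)"))
        if role in {"nurse", "physician"} and user not in team:
            unassigned[user] += 1  # clinicians browsing charts they are not assigned to
    for user, n in unassigned.items():
        if n > UNASSIGNED_THRESHOLD:
            findings.append((user, "*", f"{n} views of unassigned patients"))
    return findings
```

A real deployment would read the EHR's own audit export and the live care-team assignments rather than the inline constants, but the four rules are the ones the sources describe.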
“I have clients who, despite very robust safeguards, don’t know of an incident until DOJ [Department of Justice] contacts them because they are aware of a criminal enterprise that may involve one of their employees. That’s really tough because in certain circumstances these are, in fact, trusted employees who may have been with the organization for a long time,” Peters says.
The most difficult cases are those in which the employee may appear to have been legitimately accessing the record but might have been doing so for criminal purposes, Peters says. The first clue that something is wrong could be a call from the DOJ saying an employee is involved in a criminal enterprise.
“Maybe it turns out that they weren’t accessing that information for their job duties, but it’s very difficult to tell that. There are circumstances in which we have both entities that are doing a very good job of catching these types of situations, as well as those who aren’t — not because they’re not trying to, but because sometimes these can be very hard to find.”
Curiosity About Colleagues
Employees tend to be curious about the health conditions of their colleagues, friends, and families, says Christina M. Kuta, JD, an attorney with Roetzel & Andress in Chicago. Most HIPAA violations Kuta has seen involving employees viewing records have occurred because the employees wondered why someone they knew was at the hospital or seeing a physician.
“Much less frequently, I encounter employees who are looking for information that is not related to a health condition, but still is considered protected health information under the law. For example, an employee once looked at the medical records of another employee simply to find out that employee’s birthday so she could be included in the monthly office birthday listing,” Kuta says. “On another occasion, an employee looked at the medical records of all the other office employees to find their addresses to send a holiday card.”
Kuta has noticed the employees engaging in this behavior tend to not be involved in direct patient care. For example, they are working at the front desk, the scheduling department, or other administrative support services. This could reflect the fact that healthcare practices do a better job of training their clinical employees rather than their administrative employees regarding HIPAA compliance.
Every employee should receive initial HIPAA and confidentiality training when they are hired, Kuta says. This training should be ongoing and occur at least annually. Employers should create appropriate policies and procedures and ensure employees know how to access these and when they apply.
“Employers also should conduct audits of employee logins to see what information they access. I’ve worked with several practices who discovered employees were viewing records not necessary for their work after conducting these audits,” Kuta notes. “Also, there should be consequences for employees who do not abide by these rules. Having a robust compliance and training program in place does no good if it is not enforced in some manner.”
An employee’s snooping has the most direct consequences for the employer, not the employee, Kuta says. That is why it is important for an employer to put proper training and compliance plans in place. Evidence of those plans can be used to show OCR the employer did all it could to prevent a violation from occurring and, despite its best efforts, the employee intentionally failed to comply.
For employees, the consequences for their actions generally come from employment sanctions, such as suspension or termination.
“Interestingly, I have seen more of the ‘curious employee’ issue recently,” Kuta says. “I cannot say for certain why, but I suspect it may be that employers and employees were more vigilant about HIPAA and patient privacy when it first was put into place.”
SOURCES
- William P. Dillon, JD, Shareholder, Gunster, Tallahassee, FL. Phone: (850) 521-1708.
- Christina M. Kuta, JD, Roetzel & Andress, Chicago. Phone: (312) 582-1680.
- Mutanu Mutuvi-Thomas, Privacy Officer, Luminis Health, Annapolis, MD.
- Iliana L. Peters, JD, Shareholder, Polsinelli, Washington, DC. Phone: (202) 626-8327.