Hospital Terminates Employees for Allowing Another To Do Their Jobs
By Greg Freeman
A Boston hospital recently announced that it terminated two employees over a privacy breach after an investigation determined that they allowed a third person, not an employee of the hospital, to perform some of their job duties. That person might have accessed patient protected health information (PHI), the hospital said.
The incident holds lessons for covered entities, says Ashley Algazi, JD, partner with the Rivkin Radler law firm in Uniondale, NY. Although it is difficult to control your employees’ every move, especially if they are working remotely, covered entities can reduce the risk of a similar breach occurring by monitoring their information technology systems for unusual activity and implementing training that specifically addresses keeping usernames and passwords confidential, she says.
Since all employees should have a unique username and password, covered entities should have the ability to track unusual activity and identify potential breaches, she notes.
“Ultimately, good employee management is required to identify if your employee is offloading their work to an outside party,” Algazi says.
She advises watching for these top four red flags:
- employees not being able to answer questions about their work or being evasive in their answers;
- employees who are unavailable during regular business hours;
- a sudden change in the quality of work product of an employee; and
- regular unusual communications or file transfers to parties outside of your organization.
Understand HIPAA Limitations
With how busy a typical hospital gets, and considering the staff shortages that most healthcare operations face, it is understandable that some staff may need backup or assistance to help meet the demands of their jobs, says John F. Howard, JD, senior attorney with the Clark Hill law firm in Scottsdale, AZ.
“In these situations, it is important that they understand the limitations of what is permitted around the access and use of PHI, specifically, the PHI they need to access and use to perform their jobs,” he says. “Just because two employees work in the same facility does not mean they are authorized to all PHI within that facility’s possession or control.”
For example, a staff member in the pediatric unit of a hospital will not have the same access to PHI that a staff member in the cardiothoracic unit will have, he says. While this seems to make logical sense, it also is required under HIPAA. Internal uses are required to be governed by policies and procedures that control and restrict access to PHI based on the specific roles of the staff or workforce members, Howard says.
These policies and procedures must identify the roles or classes of people in the workforce that need access to PHI and what PHI they need access to. All of this is required to be based on what the individual needs to be able to do their job, he says.
“One type of HIPAA violation we have all become used to seeing that relates to these requirements is employee snooping, where a person with some level of authorized access, based on their job role, exceeds that access and starts looking at PHI belonging to individuals that they do not need to access to do their jobs,” Howard says. “We have seen many cases where this has led to fines against covered entities and actions taken against employees. Granted, this is different from an employee getting assistance from another employee to do their job, as arguably the use is for [treatment, payment, and healthcare operations], but it is essentially a violation of the same restrictions. A person’s access rights are required to be restricted based on that person’s role.”
Covered entities can avoid these issues by making sure that their staff are appropriately trained on the role-based access rules and procedures the organization has put in place, he says. Covered entities also can put technical controls in place, where reasonable and possible, to limit each individual’s access to the PHI their role requires. This helps limit the possibility of staff crossing over into operational areas where they are not permitted, he says.
“Essentially, the best way to combat these types of breaches is to train your workforce not just on the requirements, but also on the purpose of such requirements,” he says. “Patients expect some level of confidentiality of their health information, even within healthcare operations. If a workforce member does not have a ‘need to know’ or have access to certain PHI, then they are not allowed to have access to it. This not only makes sense from a public policy perspective in helping keep trust in the healthcare system. It is also required under HIPAA.”
Sources
- Ashley Algazi, JD, Partner, Rivkin Radler, Uniondale, NY. Telephone: (516) 357-3528. Email: [email protected].
- John F. Howard, JD, Senior Attorney, Clark Hill, Scottsdale, AZ. Telephone: (480) 684-1133. Email: [email protected].