Prying Eyes Put EDs at High Risk for HIPAA Violations
By Stacey Kusterbeck
Almost 30 years since it was enacted, ED staff still occasionally (and blatantly) violate HIPAA. “It’s the human nature problem, not unlike being unable to not look at an accident on the highway,” says Nathan A. Kottkamp, JD, a partner at Richmond, VA-based Williams Mullen. When an ED patient is someone staff know personally, or a celebrity, it is hard to overcome the urge to “just take a peek.”
“With better technology, however, medical records systems are able to identify things like the one-off view of a record, and the repeated views with inputs that are consistent with someone providing clinical services,” Kottkamp notes.
If a celebrity is brought to an ED, staff sometimes perform a manual review to check for unauthorized access. “Technology, however, will enable this regularly for all patients,” Kottkamp predicts.
Recently, multiple security guards working in an ED inappropriately accessed medical records of 419 patients, leading to a HIPAA investigation.1 The security guards used their login credentials to access patient records, which included names, addresses, dates of birth, some treatment notes, and insurance information. The hospital agreed to pay a fine of $240,000 and implement a corrective action plan.
To avoid a disaster like this, Kottkamp says EDs should provide “training, training, and more training. The concept is simple: Stay in your lane. But the execution, in a meaningful way, is the challenge.”
Contrary to what most patients probably believe, unauthorized access of records by staff is not an unusual circumstance, says Jade Davis, JD, an attorney in the Tampa, FL, office of Hall Booth Smith. “It is, unfortunately, a recurring dilemma,” Davis laments.
The ED presents some unique challenges in terms of HIPAA compliance. “Although these situations can occur in any healthcare setting, they tend to be more prevalent in emergency care,” Davis says.
The close proximity of patients, family, and visitors in ED treatment and waiting areas is a contributing factor. “We have consistently seen it challenging to prevent unintentional HIPAA violations in emergency department settings,” Davis reports. To prevent problems with HIPAA compliance, Davis recommends EDs take these steps:
• Ensure policies are in place to protect the privacy of patients’ identifiable health information.
• Train staff on those policies.
• Implement measures to maximize compliance with the policies.
• Provide supplemental training if there are any incidents of non-compliance by an individual or group.
“This will help ED providers be more aware of what to be mindful of, and how to mitigate issues,” Davis explains.
HIPAA requires role-based access. This means employees are granted access only to personal health information (PHI) as required for them to perform job functions. “Typically, a security guard does not require access to PHI to perform their job duties,” notes Christina Steiner, JD, a senior director with Alvarez & Marsal’s Healthcare Industry Group in New York City.
However, role-based access can be costly. It is particularly problematic for EDs using older, legacy-based systems. “This is why compliance can sometimes be challenging — and why employees have access to sensitive information that they shouldn’t have and do not need to perform their jobs,” Steiner explains.
In Steiner’s experience, the most frequent issue with HIPAA in the ED is an employee disclosing PHI in a public space. Ideally, EDs maintain a private area in which to speak with families who are waiting for loved ones. Additionally, EDs need to be mindful of others overhearing they are triaging patients or engaged in other patient care-related activities.
“EDs should also perform an annual privacy assessment to ensure that they are operationalizing all of the requirements laid out in HIPAA and state privacy laws,” Steiner recommends.
HIPAA requires hospitals to put into place various access controls on computer systems that house PHI. “These controls must allow users to access PHI only for legitimate work functions,” emphasizes Lani M. Dornfeld, Esq., a healthcare attorney at Brach Eichler LLC and part of the firm’s healthcare law practice group.
Security guards might be granted access to the hospital’s IT systems housing PHI for legitimate work functions. For example, if the security guards were in charge of initial check-in upon entering the ED, they might need to access the hospital’s electronic medical record. But those guards must be expressly authorized to view those records. Otherwise, someone could allege the guards accessed the records for nefarious purposes.
For EDs to be in compliance with HIPAA, access controls alone are not enough. “Organizations also must provide periodic staff training on the permissible parameters of use for each staff member’s work functions,” says Dornfeld, who is Certified in Health Care Privacy Compliance by the Health Care Compliance Association.
In Dornfeld’s experience, the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR), when investigating privacy violations, typically requires copies of any relevant educational materials used by an ED as part of its investigative document demands. After viewing those materials, the OCR would consider the ED’s training in terms of frequency and content. For example, if the incident involved inappropriate access, the OCR would want to see that access controls were covered in training. “The hospital’s ability to prove it conducted appropriate training is a positive factor the OCR would take into account in determining penalties under HIPAA,” Dornfeld says.
The frequency or content of training is one of many factors investigators would consider. “Decisions are made more broadly on the level of compliance with specific requirements of HIPAA, based on an overall review of all facts and circumstances and evidence produced by an organization,” Dornfeld explains.
EDs also can land in trouble if staff exceed the parameters of what HIPAA calls “permissible incidental uses and disclosures” of PHI. “These occur as a byproduct of another permissible or required use or disclosure,” Dornfeld says.
For example, people in the waiting area might overhear a patient’s name called. A patient in a treatment bay might overhear part of a conversation between the physician and patient in the adjacent bay. As long as leaders have put in place reasonable safeguards and abide by HIPAA’s “minimum necessary” standard, these situations are unavoidable but acceptable. “However, when processes become lax, violations can occur,” Dornfeld warns.
It is problematic if the hospital fails to regularly review electronic medical record activity to confirm only authorized users are accessing the system, and that such access is for legitimate work functions and purposes. It also is problematic if staff continually forget to use discretion in where and how loudly conversations about patients are happening. “Although HIPAA does not require EDs to reconfigure the physical layout of the ED, reasonable measures must be taken to reduce incidental uses and disclosure,” Dornfeld says. There are a few ways to accomplish this:
• Remind staff members to talk in a lower tone of voice when engaging in conversations that include PHI.
• Ensure traveling workstations are not left unattended, unless the staff person has logged out.
• Ensure no computer screens in use or any printed patient records can be seen by unauthorized persons.
• Ensure system activity is monitored regularly.
“HIPAA carries hefty penalties for improper use or disclosure of personal health information,” Steiner says.
If ED staff violate HIPAA, the hospital may face investigations, fines, and other penalties, including litigation and bad publicity. “In some instances, where the breach was the result of malicious intent on the part of an individual, criminal penalties may apply,” Dornfeld adds.
For example, if a user of an electronic medical record accesses an ED patient’s record and purposely uses that health information with an intent to cause harm to the individual, criminal charges might be filed.
A person who knowingly obtains or discloses individually identifiable health information in violation of the HIPAA Privacy Rule may face a criminal penalty of up to $50,000 and up to one-year imprisonment. The criminal penalties rise to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses. The fine can exceed $250,000 or can carry a 10-year prison sentence if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain, or malicious harm. “The Department of Justice is responsible for criminal prosecutions under the Privacy Rule,” notes Davis, the Tampa attorney. It is not just the OCR the hospital has to worry about. Patients and families also might take legal action against emergency care providers. “They may learn their PHI was breached, through receipt of a breach notification letter from the hospital — or, potentially, through media outlets reporting on breaches,” Dornfeld says.
HIPAA does not provide for a private right of action by individuals harmed by impermissible breaches of their PHI. That means patients cannot sue a hospital or ED based on HIPAA. “However, aggrieved individuals who have suffered damages have filed lawsuits under various state law theories,” Dornfeld reports.
It is possible a patient in this situation could successfully sue for malpractice or other negligence, invasion of privacy, breach of implied contract, or breach of fiduciary duty. The hospital is legally bound to maintain the confidentiality of medical records.
“The patient can claim negligence against the hospital, or the doctor, for a breach of confidentiality,” Davis says.
There also are options for state lawsuits. “But the historic success of these suits has been low,” says Kottkamp, the Richmond attorney.
One reason is patients would need to show damages to prevail in litigation. The fact an emergency care provider inappropriately viewed someone’s medical record might have caused emotional harm, but is unlikely to have resulted in financial harm. “Furthermore, it is likely that most of these cases end up being settled, so we’ll never know exactly how they are resolved,” Kottkamp suggests.
Legal action aside, if ED staff violate patients’ privacy, hospitals can expect to be the focus of plenty of negative news coverage. “These types of stories tend to attract numerous broadcast segments and articles,” Steiner observes. Even after the news coverage has subsided, the public perception of the ED as untrustworthy is likely to linger. “There is a major reputational risk for any facility if it becomes known that the staff cannot be trusted to resist the temptation to look at records of ED patients,” Kottkamp says. “It may be that the court of public opinion is the best recourse for those who are treated improperly.”
REFERENCE
1. U.S. Department of Health & Human Services. Snooping in medical records by hospital security guards leads to $240,000 HIPAA settlement. June 15, 2023.
Ensure policies are in place to protect the privacy of patients’ identifiable health information, train staff on those policies, implement measures to maximize compliance with the policies, and provide supplemental training if there are any incidents of non-compliance by an individual or group.
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.