As a consultant, you never know what’s going to come your way. Even projects that seem like they’re going to be straightforward might not be, as was the case with something I worked on recently.
I was dealing with a practice that had an issue with a staff member who was allegedly snooping through employee charts. They asked me to take a look at their audit trails and put together documentation so they could confront her. Finding the data in the EHR was easy since it has an activity log for each patient encounter that can be accessed by clicking a link at the end of the visit note. This is front-end visible data, so any user with the right access can look at it. That made me wonder why they needed to hire a consultant in the first place, other than to be able to say that they worked with an expert resource. I was sad that I didn’t even need to access the database.
The next step was cross-referencing the access time stamps with the actual patient visit time stamps, to either rule in or rule out whether the staffer might have rightfully accessed the charts as a part of the clinical encounter. When the charts are being accessed at midnight, it starts pointing towards an unusual pattern of behavior. When the midnights occur while the employee is supposed to be on vacation, you start to know that you have a winner.
Getting confirmation of the employee’s work schedule and days off was one of the biggest challenges since the practice didn’t want people to know they were investigating the employee. I had to talk to the payroll people to confirm the dates. Much of my engagement was being coordinated through an office manager who was relatively new to the practice, so I assumed that either she was just overwhelmed and wanted me to deal with everything or wasn’t sure of all the data points that needed to come together to make the case for inappropriate access.
Once we had the data in hand, the next step was putting together a report of the intrusions into various charts. Excel is my second language, so I had it all documented in a couple of hours and sent it over.
This is where the engagement turns strange. They wanted me to add documentation to each episode of chart access to specify why it was inappropriate. Sure, I said, send me over your employee handbook and I’ll tie each episode back to the relevant parts of your code of conduct and whatnot. I also offered to review their HIPAA training materials and link my findings back to that as well, functionally putting the nail in the coffin of this medical records misadventure. Since I haven’t been working clinically, I was happy to add a couple more hours to the engagement.
I didn’t hear back for a couple of days and the office manager didn’t respond to follow up emails. I escalated to calling (which I rarely do) and didn’t hear back from the voice mail messages I left either. I finally became irritated and reached out to the physician in charge of the practice, figuring that since he signed my engagement agreement, the buck would stop with him. I caught him in the car, and either he was distracted and just started talking off the top of his head or he had forgotten that they had left out a few key points when they hired me to do this work.
The snooping employee in question turns out to be the ex-wife of one of the practice’s physician owners. The situation is not just an employee discipline problem, but is also linked to a spousal support situation, with concerns that if the employee / ex-wife is terminated, the physician owner / former spouse might have to pay more. He doesn’t want her terminated.
Are you kidding me? Is this not something that could have been brought up when the engagement was outlined? I guess I’ll have to add some interrogatory questions around this type of shenanigans to my engagement intake form.
The plot thickened further. It turns out that the practice didn’t send over the employee handbook because they don’t have one. They also have no documentation of its employees having attended HIPAA training except for a log showing the date the employee watched some YouTube video on HIPAA. That video is no longer accessible, so we have no idea what they watched or whether they agree that they watched it. There is no documentation of a post-test or other evidence of mastery, so it’s going to be awfully hard to tie the misbehavior back to clear violations of office policy. The practice is liable for a HIPAA violation, but they can’t claim that the employee should have known better if there’s no documentation that she ever knew what HIPAA was or how it affected her.
Once this mess became apparent, it was clear why they hired a consultant. No one in the practice wanted to deal with the steaming pile of finger-pointing and ex-spousal angst that it was.
A couple of days later (and after a couple of calls with all parties involved on the practice side), the engagement was again expanded, with additional time for the creation of office policies and procedures regarding HIPAA training, chart access, use of practice resources outside working hours, and more. What started as a simple little project became not only a decent amount of work, but a great story for my next healthcare virtual happy hour. You simply cannot make this stuff up.
I have no idea what forces transpire to make a practice think it’s OK to operate this way in the year 2020, but apparently it has been going on for a long time. They were shocked that I also recommended they discuss this with their various liability carriers and their general counsel, to obtain additional advice on what to do next. I love writing policies and procedures, so it was great to settle into the sofa and spend some quality time with my laptop on a long, rainy weekend. I’m presenting their updated training plan to them next week along with their new employee handbook. Although this after-the-fact effort won’t do much to help them with their problem employee / ex-spouse, it will at least put them on a more solid footing moving forward.
How does your practice handle employee medical records violations? Leave a comment or email me.
Email Dr. Jayne.