HIPAA has been a thing for most of my medical career. Although the Health Insurance Portability and Accountability Act was enacted on August 21, 1996, it didn’t actually begin to go into effect until April 14, 2003, when compliance with the HIPAA Privacy Rule became required. Of the sub-parts of HIPAA, this is the one that most people know best.
It is also frequently used to create an inappropriate barrier to information sharing. I can’t count the number of times that hospitals have told me they can’t tell me the status of a patient who I have referred to their emergency department “due to HIPAA.” Apparently they think that HIPAA is a magical force field, and if you’re not part of the hospital’s medical staff, you can’t be allowed in.
Despite the Privacy Rule being in place for more than 17 years, I’m working with an IT organization that isn’t doing very well from a Privacy Rule standpoint. They are a mature user of their EHR, having been on the system for at least a decade. However, their use of its features hasn’t kept pace with the evolution of the tool, and they find themselves in a bit of a legal pickle.
I enjoy working on projects like these. It gives me a chance to dust off my database skills and help a group understand its vulnerabilities and how it can improve. Some of these items spill over into the HIPAA Security Rule, circa 2005, with its emphasis on technical safeguards for protecting patient information. In the spirit of sharing some free consulting, I offer you the lessons learned from my client’s situation.
First, have a documented policy and procedure on access to electronic health record systems and other ancillary applications, such as laboratory information systems, radiology information systems, and any other systems where Protected Health Information is stored. These are part of the administrative safeguards in the Security Rule, but beyond that, you can’t claim employees didn’t do the right thing when you never spelled out what actions were right and what actions were wrong. The policy should include a mention of educational resources to be sure that staffers understand the terminology of HIPAA and understand how those elements fit the systems they access.
I remember the health system I was working for when the Privacy Rule went into effect made a series of videos that were themed somewhere in the vicinity of gangsters a la Al Capone, and the fact that they’ve stuck with me this many years later shows that they were memorable. The video linked back to written content that we had to review along with an acknowledgement we had to sign in order to continue being employed. The organization I’m working with at present has an outdated employee handbook with little mention of HIPAA and the obligations of staff to do the right thing.
Second, be sure you have clearly documented job descriptions as well as roles and responsibilities. When you find out that someone administrative was trolling around in EHR charts that have nothing to do with their role in the billing department, you don’t want them to explain that they were “helping Dr. X that day” or that someone was out so they were doing “other duties as assigned” with no way to prove or disprove that what they were doing in the EHR was inappropriate. For those situations where people do have to cross cover, make sure they know where their boundaries are. As an example, someone covering telephone messages for refill requests probably doesn’t need to be accessing the alcohol and tobacco history in patient charts.
Third, make sure you are keeping up with the security features of your EHR. If it allows you to restrict access by job role, make sure you have this set at the most granular level appropriate for the job roles in your organization. Purely clinical employees shouldn’t have access to the billing side of the system, and non-clinical employees who might have to reference clinical information should have their access appropriately controlled. If a billing team member often has to provide copies of office visit notes or test results, give them access to those parts of the system. Do not give them access to document on clinical visit templates or to order medications.
I’ve seen unfettered access more times than I care to recall. If your system allows use of inclusion/exclusion lists to further secure subgroups of patients (such as employees, professional sports teams, or VIPs), consider using those features.
Fourth, make sure you understand the audit functionalities of your system and that you have a policy in place for regular auditing, even if it is just spot auditing. Of course, if you see high-profile or celebrity patients, you might need to have a more active audit program, but many organizations can get away with spot audits to make sure employees are doing the right thing.
One of the issues facing my client right now is that they didn’t have the right pieces of the audit tool enabled. Although they were tracking access to clinical data, they weren’t properly tracking whether that data was updated, printed, exported, or simply viewed.
Finally, make sure you have a policy that addresses access of patients’ own charts or those of their family members. Even if a staff member is legally permitted access to a patient’s information, whether by being a parent / guardian or through a signed release, it’s probably not a good idea to allow them to access those charts on their own. In my practice, if I want to print a copy of my own lab results for my personal records, I have to work with one of our clinical staff to request the document and have them generate it for me, just like any other patient would. The only difference is that I’m making my request in person rather than over the phone. Our process keeps everyone honest and reduces the risk of inappropriate access.
These are simple things, and you would think organizations would have figured them out by now. Unfortunately, quite a few haven’t.
How does your organization handle similar issues? What’s the wildest HIPAA violation you’ve seen? Leave a message or email me.