Technology and Common HIPAA Risks
By Eric Humes, President
Keystone IT Consulting
(314) 621-9500
The following account is a work of fiction.
All Jan could think about was the stress of the financial burden that her husband Mike had put on their family with his auto accident. With the recession in full swing, her husband’s job had been furloughed – only working 3 days per week with no chance of overtime. She had been a nurse for Dr. Williams at his regional clinic for the past 4 years. She made decent money, but not enough to support their family of 5 with the overall decrease in household income. That strain intensified when she got the call today from her husband. He was just notified that the people in the other car were seeking compensation for their injuries and had filed a lawsuit against him.
One day a few weeks later, Jan was working from home catching up on charting from the day before. The clinic was closed on account of a snowstorm that had hit during the night and all patient appointments had been cancelled. She was thankful for the unexpected day off and for their new ability to connect to their NextGen EMR from home. As she worked through her patients’ charts, performing a search for each one, she happened to notice a familiar name appear on the screen. She looked twice and for a brief moment thought to herself, “what are the chances?” She had stumbled across the lead plaintiff in the case against her husband. With great interest, she opened his chart. Her interest grew as she discovered that he had been to the clinic after the accident… For fear of leaving an electronic paper trail by printing his ePHI across the VPN tunnel to her home printer, she held down Alt on her keyboard while hitting the PrtScrn key. She then pasted the screen capture into MS Word and printed it from there. She was quite proud of herself for remembering something their IT guy had taught her one day while assisting her.
Later that night, as her husband complained about the impending lawsuit and its potential financial consequences, Jan smiled and reached into her bag for the printout from earlier. “I think this will help,” she said as she handed it to him.
The next day, Mike phoned the patient. During the conversation, he made it known that he had medical information which, he believed, weakened the man's case. Mike suggested that he consider dropping the lawsuit.
After hanging up with Mike, the patient made two phone calls. First he called the clinic where Jan worked. Then he called the district attorney.
When Jan arrived at work the next morning, she was fired. “You may very well have put this whole clinic in jeopardy,” said Dr. Williams. After Jan left the building, Dr. Williams called a meeting of all the nurses, physician assistants, and support staff and explained why Jan had been fired. Outlining the laws on patient privacy, he informed them that no breach of these laws would be tolerated under any circumstances.
Meanwhile, Jan’s problems were just beginning. The district attorney forwarded the patient's complaint to a federal prosecutor, and within a month, both Jan and her husband were indicted. Jan was charged with violating the Health Insurance Portability and Accountability Act (HIPAA) and with “conspiracy to wrongfully disclose individual health information for personal gain with maliciously harmful intent in a personal dispute.” Her husband was charged with witness tampering. The couple hired a criminal defense attorney, who negotiated a plea agreement with the federal prosecutor. Jan pleaded guilty to one count of wrongful disclosure of protected health information for personal gain. In exchange for her plea, the charges against her husband were dismissed.
Today, Jan is awaiting sentencing. She faces up to 10 years in prison, a fine of as much as $250,000, and up to three years of supervised probation. The state nursing board will eventually revoke her license.
While the above story is fiction, it represents a situation that we can all relate to. Hopefully, if confronted with a similar circumstance, we will exercise better judgment than Jan. The use of technology as a means by which electronic protected health information (ePHI) can be made more readily accessible has created a world where HIPAA violations are much more prevalent. Technological advancement is driven by the quest to obtain and store more data and to transmit that data more quickly. The Internet was developed by universities to easily share data on research projects with other universities. Today we use the Internet as a medium not only to share information but also to transmit highly confidential information such as ePHI.
Some HIPAA violations are inadvertent—a stolen laptop with patient records stored on the hard drive, for example. Jan’s actions struck at the heart of what HIPAA is supposed to avoid. She accessed patient records; gathered information; and then provided that information to someone else, knowing it would be used in a way that was harmful to the patient.
Jan’s actions could have put the clinic itself in danger of prosecution, but Dr. Williams handled the situation in the best way possible. He fired her on the spot after the patient notified him of the breach. Then he called a meeting to educate staff about the importance of patient privacy and what can happen in the event of a violation.
There are basically two types of HIPAA violations - negligent and purposeful. Below are several technology-related examples of each.
Common examples of negligent technology violations:
- Improper disposal of old computers and backup tapes
- Inadequate physical protection of computers or network containing ePHI
- Faxing PHI to an incorrect fax number in error
- Failure to provide a private environment to discuss and/or document PHI
- Leaving detailed PHI in a voicemail message
- Sending unencrypted ePHI in an email
- Blogging/Facebooking/Tweeting about a patient situation – even if anonymously doing so
- Careless handling of user names and passwords
- Inadequate network firewall
- Exposing EMR systems to malicious code (malware) when connecting to the Internet
- Failure to maintain Business Associate Agreements with vendors
- Allowing patients or visitors to be near unattended and unlocked computers
- Failure to cover monitors with privacy filters in public accessible areas such as check-in/check-out stations
Common examples of purposeful technology violations:
- Accessing or using ePHI without having a legitimate need to do so
- Allowing another employee to utilize any systems via your password
- Disclosure of PHI to an unauthorized individual
- Sale of PHI to any source
- Accessing ePHI on a website or cloud-based EMR that is not secured*
- Connecting unapproved devices to the network
- Failure to encrypt ePHI before transporting (physically or electronically)
- Misuse of confidential patient information for personal use
- Deliberately compromising EMR security measures
A note about “cloud” or internet-based computing: Today, there is no HIPAA compliance rule for backup applications, online storage of ePHI, or disaster recovery services. Therefore, no software application or service is truly "HIPAA compliant," because there are no regulations that specifically govern this area of technology.
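The violation that Jan commits is the first purposeful example above: opening a chart she had no care relationship with. The most direct control a clinic has against it is routine review of the EMR access log against who was actually assigned to each patient. The following is an added example, not code from the original article or from any EMR vendor; the log format, the field names, the assignment table and the sample lines are all constructed for illustration. It flags chart searches and views where the user is not on the patient's care assignment and summarizes them per user and patient, noting the access path (such as a VPN connection), so a reviewer sees the pattern rather than individual rows.

```python
"""
Added example (not from the original article): review constructed EMR
access-log lines and flag chart access outside a user's care assignment,
the "no legitimate need" access described in the story. The log format,
field names and assignment table are assumptions made for this example.
"""
from collections import namedtuple
from datetime import datetime

# Constructed sample log lines: timestamp, user, patient id, action, access path.
SAMPLE_LOG = """\
2010-02-10T08:05:12,jan.nurse,P10231,view_chart,lan
2010-02-10T08:20:44,jan.nurse,P10455,view_chart,lan
2010-02-10T21:40:03,jan.nurse,P10455,view_chart,vpn
2010-02-10T21:52:19,jan.nurse,P20987,search,vpn
2010-02-10T21:53:01,jan.nurse,P20987,view_chart,vpn
2010-02-11T09:10:27,dr.williams,P20987,view_chart,lan
"""

# Constructed care assignments (for example, the day's schedule):
# user -> patients the user has a treatment relationship with.
ASSIGNMENTS = {
    "jan.nurse": {"P10231", "P10455"},
    "dr.williams": {"P10231", "P10455", "P20987"},
}

AccessEvent = namedtuple("AccessEvent", "time user patient action path")


def parse_log(text):
    """Parse the constructed comma-separated log format into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action, path = line.split(",")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, patient, action, path))
    return events


def find_unassigned_access(events, assignments):
    """Return events where a user searched for or viewed a chart they are not assigned to."""
    findings = []
    for ev in events:
        if ev.action not in ("view_chart", "search"):
            continue
        if ev.patient not in assignments.get(ev.user, set()):
            findings.append(ev)
    return findings


def summarize(findings):
    """Group flagged events per (user, patient) with a count, first time seen and access paths."""
    summary = {}
    for ev in findings:
        key = (ev.user, ev.patient)
        entry = summary.setdefault(key, {"count": 0, "paths": set(), "first": ev.time})
        entry["count"] += 1
        entry["paths"].add(ev.path)
        entry["first"] = min(entry["first"], ev.time)
    return summary


if __name__ == "__main__":
    flagged = find_unassigned_access(parse_log(SAMPLE_LOG), ASSIGNMENTS)
    for (user, patient), info in summarize(flagged).items():
        print(f"{user} accessed {patient} {info['count']}x, first at "
              f"{info['first']}, via {sorted(info['paths'])}")
```

On the sample data the two accesses to patient P20987 by jan.nurse are reported, both over the VPN path; Dr. Williams's access to the same chart is not, because he is on that patient's assignment. In a real deployment the assignment table would come from the scheduling or rostering system, and the review would run daily over the EMR's own audit export.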
The HIPAA rules cover all other forms of communication used in a healthcare facility, such as computer screens, patient orders, whiteboards for nursing assignments, communication boards used in patients' rooms, laboratory slips, faxes, face sheets, etc.
Simply put, HIPAA restricts the sharing of PHI. PHI should be shared with as few individuals as needed to ensure patient care. In this age of EMRs, it’s the sharing that is becoming easier and easier, thus making it harder and harder to be compliant.
Eric Humes, CEO, Keystone IT Consulting
317 N 11th, Suite 300, St. Louis, MO 63101