It’s happened to all healthcare organizations – a miskeyed fax number, a misfile in the patient chart missed during audit – leading to a HIPAA unauthorized disclosure. While unauthorized disclosures are a hard truth in the process of exchanging protected health information (PHI), some sting a bit more than others.
Recently a family in Oklahoma suffered a tragedy no parents should ever have to go through – the death of their two-year-old. However, according to Oklahoma news sources, what happened next caused the family additional grief. Local hospital employees allegedly inappropriately accessed the child’s medical chart, noting that the child had been adopted. According to the family, one hospital employee then called the child’s birth mother, informing her of the death. The family states that the birth mother, who had terminated her rights as a parent, then contacted and threatened the family, even showing up in person to the child’s funeral. Ultimately the adoptive family argued the birth mother had no legal right to know about the situation and filed a protective order against the birth mother as well as reached out to the hospital regarding the breach of the child and family’s privacy.
While the initial story itself is incredibly sad and a clear unauthorized disclosure of PHI, perhaps more shocking is a further development in the story indicating that hospital cafeteria workers also accessed the child’s chart. While some cafeteria employees may have access to electronic health records for dietary orders, this story indicates that a sole employee had written her access credentials on a sticky note and other employees knew where to find them. While access records indicate she accessed the child’s chart multiple times on a given day, she was not on duty, likely meaning that other cafeteria workers inappropriately accessed the chart under the guise of the situationally authorized individual.
No Covered Entity ever wants to be responsible for a family’s grief compounded by a HIPAA unauthorized disclosure. Unfortunately, in this instance, that’s exactly the case. So what can Covered Entities do to avoid this situation in the first place?
Training is Key
- First, training is key. All employees with access to PHI must be properly trained on a minimum of an annual basis. For those employees routinely accessing PHI, layering is key! At ScanSTAT, we’ve implemented weekly, monthly, quarterly, and annual training to ensure all employees handling PHI are up to date. While that may not be reasonable and appropriate for all organizations, frequent training helps to minimize unauthorized disclosures.
Implement Access Controls – and Check Them!
- Second, it’s important to have access controls in place. There must be some record of who is accessing the EHR and when. While the hospital in this instance was able to review their access logs to see who reviewed the chart, they were misleading – the person assigned the credentials was not the one truly using them without any other technical way of knowing who was using the credentials. Furthermore, entities should institute routine audits to see who is accessing the EHR and when. Could the hospital have caught the cafeteria workers inappropriately using another colleague’s credentials by cross-referencing her access with her days off? Maybe not, but maybe so. It’s important to understand baseline access so an organization can identify out of the ordinary access.
Educate on Policies and Procedures
- Third, implement strong Policies and Procedures that not only include the Breach Risk Assessment process protocol, but also any sort of corrective action policy. By creating an organization of trust and reporting, entities are more likely to stop a situation like this from occurring. Employees should know how to report a possible unauthorized disclosure and shouldn’t fear any sort of retribution for reporting. On the other hand, employees should also be aware that there’s a difference between an intentional and unintentional unauthorized disclosure. The corrective action policies should be reviewed with employees on an annual basis, outlining that an intentional breach of privacy could lead up to and include termination. Reviewing the confidentiality and HIPAA policy with employees on a minimum of an annual basis also reminds employees of their promise of maintaining confidentiality outside the confines of their employment at the specific facility. Instituting, reviewing, and setting expectations in conjunction with Policies and Procedures can make a large difference in preventing breaches.
Prevent and Mitigate
It’s critical for organizations to do what they can to prevent unauthorized disclosures in the first place, but when they do occasionally happen, and they will happen, it’s important to spring into action and minimize their impact. Instituting the three steps above provides a wonderful foundation to prevent and mitigate breaches. In fact, we know from experience!
While the rest of the healthcare industry averaged over one breach per day in 2017, ScanSTAT finished last year with only 11 single patient breaches and an accuracy rate of 99.97%. Of course, there are other solutions to help minimize unauthorized disclosures, like using a trusted business associate for help with release of information. Relying on a highly trained and focused staff can make all the difference in not only alleviating HIPAA liability, but also avoiding the public relations nightmare of having your organization’s name in lights over a single patient incident.
Interested in learning more about how ScanSTAT can help prevent unauthorized disclosures and relieve you of the burden of release of information? Reach out to us today or call us at (816) 381-9850 to see how we can help!