Avoiding HIPAA Violations
AVOIDING HIPAA VIOLATIONS
by Michael L. Smith, J.D., R.R.T.
Every respiratory therapist knows that the Health Insurance Portability and Accountability Act (HIPAA) requires hospitals and health care providers to maintain the confidentiality of their patients' protected health information (PHI). RTs may not know that the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) is investigating HIPAA violations and imposing sanctions on hospitals and other covered entities for violations. RTs also may not know that the Department of Justice is criminally prosecuting particularly egregious HIPAA violations.
HIPAA violations still occur despite the fact that we have years of training and experience in protecting patient privacy. Hospitals and health care systems take HIPAA violations seriously and frequently terminate employees for those violations. RTs can avoid violating HIPAA, and the consequences associated with a violation, by avoiding the following mistakes.
Never use a patient's PHI for personal gain. Unfortunately, this example is not too obvious to include here. A nurse in Arkansas pled guilty to criminal charges of deliberately misusing a patient's PHI for personal gain. The nurse provided PHI on a patient to her husband so that her husband could use the information in a lawsuit involving the patient. The nurse pleaded guilty to wrongful disclosure of the patient's health information. Another hospital employee in California pleaded guilty to selling celebrity medical information to at least one media outlet. Numerous celebrity medical records were involved, but the prosecuting attorney did not release the names of the celebrities.
Never snoop in a patient's medical records. A hospital in Houston fired 16 employees for snooping into the medical records of an acquaintance out of curiosity. A hospital in Arkansas suspended a doctor and fired two employees who snooped into the records of a local newscaster to satisfy their own curiosity. RTs should know that hospitals track the computer activity of their employees and their medical staff. Those same hospitals fire employees who inappropriately access patient records.
Never share PHI with people who have no legitimate reason to know the information. The OCR investigated a hospital and an employee in its surgical department based upon that employee providing a surgery schedule to a hospital supervisor. The surgery schedule included the name and PHI of one of the supervisor's employees who was scheduled for surgery. The supervisor had no legitimate reason to know about his employee's PHI.
Never share your computer passwords and log on information. Most hospitals have a policy requiring their employees to keep their computer passwords and log on information confidential. Those same hospitals are monitoring their employees' computer activity using those same passwords and log on information. RTs who share their passwords and log on information with other people will eventually be required to explain instances of inappropriate access to PHI and the violation of their hospitals' policies.
Never leave a computer unattended without logging off of the computer. Many hospitals have written policies requiring employees to log off their computers before leaving those computers unattended. RTs should not leave a computer unattended without logging off even if their hospital does not have a written policy.
Never communicate PHI to a patient by a method that the patient has not approved. RTs should confirm where their patients have authorized them to leave PHI. The OCR has investigated complaints against health care providers who left telephone messages including PHI at a patient's home telephone number when the patient gave specific instructions to only be contacted through a cellular number.
Never discuss a patient's PHI in such a manner that other individuals with no right or need to know the information can overhear the information. A hospital disciplined two of its employees for discussing a patient's PHI with the patient in the waiting room, which allowed other patients and visitors to overhear the discussion. The patient's complaint was investigated by the OCR, which found the hospital employees did not take reasonable efforts to avoid the disclosure of PHI. RTs are often treating patients in emergency rooms and other areas that do not provide the best privacy. Only discuss what you absolutely must discuss with the patient in order to provide care. If possible, those patients should be moved to a more private area before discussing PHI.
Never leave a patient's paper records open and available for prying eyes. Paper records containing PHI are still common and will continue to exist for the foreseeable future. RTs need to remember that HIPAA requires hospitals and health care providers to have reasonable safeguards in place to protect patient records including paper records. RTs should follow their employer's policies and procedures on paper records including the policies on the destruction of paper records.
RTs can avoid violating HIPAA by only accessing the records they need to provide appropriate care to their patients and by using reasonable safeguards to protect those patient records.
Michael L. Smith, JD, RRT is board certified in health law by The Florida Bar and practices at The Health Law Firm in Altamonte Springs, Florida. This article is for general information only and is not a substitute for formal legal advice.
This article was originally published in Advance for Respiratory Care and Sleep Medicine.