Thursday, August 27, 2015

Unauthorized PHI Access Punishment

Employees Punished for Patient Record Snooping

Carilion Clinic, a Roanoke, Va.-based nonprofit network of hospitals and outpatient facilities, has fired or disciplined 14 employees over a problem common at many healthcare organizations: patient record snooping.
In the wake of a recent “high profile case” in the region, 14 employees were found to have accessed patient medical records without a legitimate patient-care need, says Vicki Clevenger, vice president and chief compliance officer at Carilion, in a statement. “Based on the findings of our internal investigation, appropriate actions have been taken with each employee, up to and including termination,” she says.
Record snooping is a common problem for many hospitals and other healthcare organizations. And when snooping is discovered, the consequences vary widely.
In addition to firings, “discipline may include a warning, retraining or suspension,” says privacy attorney Adam Greene. “HIPAA requires that a covered entity impose a sanction on any workforce member who violates privacy or security policies, but provides the covered entity with wide latitude to determine the appropriate level of sanction.”
Some healthcare providers institute a progressive system, with the level of sanctions increasing for multiple violations or for particularly egregious violations, Greene notes. “Some healthcare entities employ more of a zero-tolerance approach, terminating any workforce member who violates a privacy or security policy,” he adds.
Many other organizations have terminated record-snooping employees. Among those is Allina Hospitals and Clinics, a Minnesota health delivery system. In 2011, the organization fired 32 employees for inappropriately looking at the electronic health records of patients involved in a mass drug overdose case.
Detecting and policing inappropriate access must be a priority for every healthcare organization, says privacy attorney Kirk Nahra. “This requires monitoring and audit checking. Every facility needs to be thinking about these issues because they happen regularly.”
Greene suggests organizations regularly review audit logs both manually, by choosing a random selection of entries, and through algorithms that may detect suspicious patterns, such as an unusually large number of people accessing a file.
Some healthcare organizations, however, also pay special attention to monitoring access to health records of employees. “I have heard of at least one healthcare organization that provides that any employee who is treated as a patient will be given a list of all persons who accessed the patient’s records, deterring co-workers from snooping into the record,” Greene says.
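The three review techniques described above (a random sample for manual review, an algorithmic check for records touched by an unusually large number of people, and a list of everyone who accessed an employee-patient's record) can be run over access audit logs. The following is an added example written for this page, not code from Carilion, Everett Clinic or FairWarning; the log format, ids and the employee-patient lookup table are constructed assumptions.

```python
"""Audit-log review for record snooping: random sampling for manual review,
an outlier check on how many distinct users accessed each record, and an
access list for employees who are also patients."""
import random
import statistics
from collections import defaultdict

# Constructed sample audit log as (user_id, patient_id, action) tuples.
# Ids and fields are assumptions for this example, not a real EHR format.
AUDIT_LOG = [
    ("u01", "p100", "view"), ("u02", "p100", "view"), ("u03", "p100", "view"),
    ("u04", "p100", "view"), ("u05", "p100", "view"), ("u06", "p100", "view"),
    ("u07", "p100", "view"), ("u08", "p100", "view"),  # p100: 8 distinct viewers
    ("u01", "p101", "view"), ("u02", "p101", "update"),
    ("u03", "p102", "view"),
    ("u04", "p103", "view"), ("u05", "p103", "view"),
    ("u02", "p104", "view"), ("u09", "p104", "view"),
]
# Patient ids that belong to workforce members (assumed lookup table).
EMPLOYEE_PATIENTS = {"p104": "u09"}

def distinct_accessors(log):
    """Map patient_id -> set of distinct user_ids that touched the record."""
    seen = defaultdict(set)
    for user, patient, _action in log:
        seen[patient].add(user)
    return seen

def flag_crowded_records(log, mad_factor=3.0, minimum=3):
    """Return patient ids whose distinct-accessor count is an outlier:
    above median + mad_factor * MAD over all records and above `minimum`.
    Median/MAD are used so one very busy record does not mask the others."""
    counts = {p: len(users) for p, users in distinct_accessors(log).items()}
    values = list(counts.values())
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values]) or 1.0
    threshold = max(minimum, med + mad_factor * mad)
    return sorted(p for p, c in counts.items() if c > threshold)

def employee_access_report(log, employee_patients):
    """For each employee who is a patient, list every user who accessed
    their record, so the list can be handed to that employee."""
    accessors = distinct_accessors(log)
    return {emp: sorted(accessors.get(pid, ()))
            for pid, emp in employee_patients.items()}

def sample_for_manual_review(log, k, seed=None):
    """Pick k random log entries for a human reviewer (seed for repeatability)."""
    return random.Random(seed).sample(log, min(k, len(log)))
```

A real deployment would compute the outlier threshold over a much longer window and per record type, since a genuinely busy trauma case will have many legitimate accessors.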
Becky Hood, CIO of Everett Clinic, a multispecialty physician practice in Everett, Wash., says her organization uses a monitoring system from FairWarning to help red-flag inappropriate record access.
Not long after the system was rolled out at Everett Clinic, 13 staff members and physicians were fired due to various incidents involving inappropriate record access, she says. “Our policy leans toward no-tolerance [of record snooping], but we’ll investigate each situation to determine if the incident was malicious, accidental or if a staff member didn’t understand [the rules],” she says.
As for Carilion Clinic, the organization typically finds out about patient privacy concerns in two primary ways, Clevenger says. “Individuals may raise specific concerns, or Carilion may proactively monitor a high-profile patient’s medical record.”
As part of its patient privacy and security efforts, Carilion Clinic says it provides ongoing education to employees regarding privacy rules and regulations and monitors their access to patient records. When potential issues are discovered, Carilion Clinic launches an immediate investigation.

(HIMSS Media website, ISMG website)