Employees Punished for Patient Record Snooping
Carilion Clinic, a Roanoke,
Va.-based nonprofit network of hospitals and outpatient facilities, has fired
or disciplined 14 employees over a problem common at many healthcare
organizations: patient record snooping.
In the wake of a recent “high
profile case” in the region, 14 employees were found to have accessed patient
medical records without a legitimate patient-care need, says Vicki Clevenger,
vice president and chief compliance officer at Carilion, in a statement. “Based
on the findings of our internal investigation, appropriate actions have been
taken with each employee, up to and including termination,” she says.
Record snooping is a common problem
for many hospitals and other healthcare organizations. And when snooping is
discovered, the consequences vary widely.
In addition to firings, “discipline
may include a warning, retraining or suspension,” says privacy attorney Adam
Greene. “HIPAA requires that a covered entity impose a sanction on any
workforce member who violates privacy or security policies, but provides the
covered entity with wide latitude to determine the appropriate level of
sanction.”
Some healthcare providers institute
a progressive system, with the level of sanctions increasing for multiple
violations or for particularly egregious violations, Greene notes. “Some
healthcare entities employ more of a zero-tolerance approach, terminating any
workforce member who violates a privacy or security policy,” he adds.
Many other organizations have
terminated record-snooping employees. Among those is Allina Hospitals and
Clinics, a Minnesota health delivery system. In 2011, the organization fired 32
employees for inappropriately looking at the electronic health records of
patients involved in a mass drug overdose case.
Detecting and policing inappropriate access must be a
priority for every healthcare organization, says privacy attorney Kirk Nahra.
“This requires monitoring and audit checking. Every facility needs to be
thinking about these issues because they happen regularly.”
Greene suggests organizations
regularly review audit logs manually - choosing a random selection - and
through algorithms that may detect suspicious patterns - such as an unusually
large number of people accessing a file.
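The two review methods described above, sketched as an added example (not from the original article or from any monitoring product): a random selection of log entries for manual review, and a check that flags records opened by an unusually large number of distinct users. The CSV layout, field names, sample data and the median + 3 × MAD threshold are all assumptions made for illustration.

```python
import csv, io, random, statistics
from collections import defaultdict

def build_sample_log():
    """Constructed data: 8 records with 2-3 accessors each, one (P-900) with 12."""
    lines = ["timestamp,user,patient_id,action"]
    for p in range(8):
        for u in range(2 + p % 2):
            lines.append(f"2024-01-0{p + 1}T09:{u:02d}:00,user{p}_{u},P-{100 + p},view")
    for u in range(12):
        lines.append(f"2024-01-09T10:{u:02d}:00,staff{u},P-900,view")
    return "\n".join(lines)

def accessors_per_record(log_text):
    """Map each patient record to the set of distinct users who opened it."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        seen[row["patient_id"]].add(row["user"])
    return seen

def flag_unusual(seen, k=3.0):
    """Flag records whose distinct-accessor count exceeds median + k * MAD."""
    counts = {p: len(users) for p, users in seen.items()}
    med = statistics.median(counts.values())
    mad = statistics.median(abs(c - med) for c in counts.values())
    # Floor the MAD at 1 so near-uniform data does not flag every small deviation.
    threshold = med + k * max(mad, 1)
    return {p: c for p, c in counts.items() if c > threshold}

def sample_for_review(log_text, n, seed=None):
    """Pick a random selection of log entries for manual review."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    return random.Random(seed).sample(rows, min(n, len(rows)))

if __name__ == "__main__":
    log = build_sample_log()
    seen = accessors_per_record(log)
    for patient, count in flag_unusual(seen).items():
        print(f"{patient}: {count} distinct users -> {sorted(seen[patient])}")
    for row in sample_for_review(log, 3, seed=7):
        print("manual review:", row)
```

A flagged record is only a lead for investigation: a patient seen by a large care team will legitimately have many accessors.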
Some healthcare organizations,
however, also pay special attention to monitoring access to health records of
employees. “I have heard of at least one healthcare organization that provides
that any employee who is treated as a patient will be given a list of all
persons who accessed the patient’s records, deterring co-workers from snooping
into the record,” Greene says.
Becky Hood, CIO of Everett Clinic, a
multispecialty physician practice in Everett, Wash., says her organization uses
a monitoring system from FairWarning to help red-flag inappropriate record
access.
Not long after the system was rolled
out at Everett Clinic, 13 staff members and physicians were fired due to
various incidents involving inappropriate record access, she says. “Our policy
leans toward no-tolerance [of record snooping], but we’ll investigate each
situation to determine if the incident was malicious, accidental or if a staff
member didn’t understand [the rules],” she says.
As for Carilion Clinic, the
organization typically finds out about patient privacy concerns in two primary
ways, Clevenger says. “Individuals may raise specific concerns, or Carilion may
proactively monitor a high-profile patient’s medical record.”
As part of its patient privacy and
security efforts, Carilion Clinic says it provides ongoing education to
employees regarding privacy rules and regulations and monitors their access to
patient records. When potential issues are discovered, Carilion Clinic launches
an immediate investigation.
(HIMSS Media website, ISMG website)