According to the U.S. Department of Health & Human Services’ Breach Portal, sometimes called the “Wall of Shame,” 418 breaches of HIPAA were reported in 2019. Some 34.9 million Americans had their protected health information (PHI) compromised. How is this still happening?
The biggest mistake healthcare companies and practices make is assuming that human behavior will be perfect all the time. For example, an employee may not have their encrypted work phone with them, so they choose to use their personal phone to send patient information. Email was the source of the worst breaches of 2019.
The same assumption about human behavior leads healthcare providers to cheap out and refuse to pay for sufficient security measures for their network. A cheap security system may lack proper firewalls and leave devices vulnerable, while wholly unencrypted devices can be a nightmare. Healthcare employees leave their cell phones, laptops, or iPads in their vehicles while they run out for coffee or to the grocery store. And what happens next? The vehicles are broken into, and PHI is at risk.
Several occurrences of this type took place involving employees at the Dallas Children’s Hospital. An unencrypted, non-password protected Blackberry was lost at the DFW airport in November 2009, and Children’s reported the breach to the Office of Civil Rights (OCR) in January 2010. It contained the electronic PHI of 3,800 patients.
Later, an unencrypted laptop was stolen from Children’s in April 2013, containing electronic PHI of 2,462 patients. However, the hospital failed to report the theft. The OCR fined Children’s $3.2 million for HIPAA noncompliance on these two data breaches.
This brings up another big tip: The OCR will be much more forgiving to those who report their own breach events, rather than being found out or reported by someone outside the organization.
Even so, Dallas Children’s Hospital, which is part of Children’s Health, the seventh-largest pediatric healthcare provider in the U.S., did not take encryption seriously and continued to issue unencrypted Blackberries and laptops to employees until 2013, despite having been notified of the need for encryption back in 2007.
In addition, companies need to reinforce a “minimum necessary information” motto with their employees. Employees only need to access the patient information and medical history necessary for treatment or for payment. Snooping — simply being nosy — can qualify as a violation and can lead to major fines. The world witnessed this when a UCLA Health System researcher went to jail for reading 323 confidential records held by the university’s school of medicine, which contained the medical records of various California celebrities.
Another common mistake is disposing of paper PHI incorrectly. Making sure medical records are shredded is of extreme importance. In Montgomery, Alabama, records were discovered in a garbage truck and scattered on the ground around the truck. They included names, numbers, X-rays, ultrasounds, and MRIs, and were clearly labeled “Radiology Department, Baptist Medical Center.”
Here are a couple of other tips to protect patients’ privacy:
- Always lock your screen, so no one can peer at patients’ PHI
- Ask your supervisor to purchase a privacy screen for your phone or laptop
The easiest slip-ups in HIPAA compliance come from conversational violations, or “loose lips.” A common example is doctors and nurses talking about a patient at the coffee bar, in the elevator, or in the hallways with others around. Believe it or not, it happens all the time.
One alarming example of this was in a medium-sized hospital. There were many patients around, and the doctors and nurses were holding private conversations. An associate chief medical officer said, “Maybe we should open up the death rooms!” When asked what that was, he responded, “We only use them to talk away from the gathering family members whose loved one is about to die.” Protected health information comes in all forms, positive and negative. I advised him to open the rooms for all conversations involving PHI, including if someone was cured of cancer. That is private information too!
While it may be fun to create this rapport or engage in such jocularity at work, non-compliant verbiage can become a very expensive joke.
These aspects cover the waterfront for HIPAA’s privacy and security rules, but it is best for every healthcare provider to have at least one in-house compliance person. Such compliance professionals should attend webinars to stay constantly informed about how providers are being breached, and in doing so save their employers millions of dollars in fines born of carelessness.
Concomitantly, healthcare CEOs must develop up-to-date strict policies and mandatory compliance training quarterly. It is also recommended to prohibit access to work emails, communications, and attachments using personal cellphones.
David Silva, CHC, CPHQ, is a healthcare compliance and quality professional with over 15 years of experience in leading teams in investigations, assessments, corrective action plan creation, and validation audits.