By Jenn Riggle
It sounds like something out of a Charles Dickens novel. While most of us were busy preparing for the holidays, two stories were unfolding in different parts of the country where hospital employees lost their jobs because of HIPAA (Health Insurance Portability and Accountability Act) violations.
The first story takes place in Houston, where 16 hospital employees were fired for accessing the medical record of a medical resident who was hospitalized after being shot during an attempted robbery.
According to George Hulme’s blog for Health Information Trust Alliance, this looks like a simple case of hospital employees “snooping” to find out confidential patient information. The sad thing is that even though the employees may have accessed the medical record out of concern, they didn’t have the right to do this simply because they worked there.
The National Association Medical Staff Services (NAMSS) reminds us that HIPAA requires hospitals to deliver “appropriate sanctions” when employees violate the law. But rather than using this incident as a teaching opportunity and suspending them and offering more HIPAA training, the hospital quickly terminated the 16 employees.
Another thing to think about: How was the hospital able to identify the people who viewed her record? Hulme hypothesizes that the hospital was monitoring and logging patient record access and was alerted to the increased interest in this patient’s medical record. Truly, Big Brother is watching you.
The second story takes place in Mississippi, where a hospital administrative assistant was forced to resign because hospital officials believed that a tweet she sent to Mississippi Governor Haley Barbour violated HIPAA regulations.
According to news reports, the governor wrote on his Twitter page that he was, “Glad the Legislature recognizes our dire fiscal situation. Look forward to hearing their ideas on how to trim expenses.”
The employee sent a tweet to the governor saying, “Schedule regular medical exams like everyone else instead of paying UMC employees over time to do it when clinics are usually closed.”
While the employee clearly references a check-up the governor had at the hospital, no real patient information was shared. In fact, according to reports, the employee didn’t believe she violated privacy laws. She’s quoted as saying, “I wasn’t really jabbing at him…That’s just what people do on Twitter.”
Maybe the biggest mistake this employee made was making a snarky comment to someone in a position of power. This comment wouldn’t have been appropriate if she had sent it to the governor via e-mail or said it to him in person – let alone made it in a public forum like Twitter. Her tweet referenced a past hospital visit and implied that the hospital gave preferential treatment to a patient – which made both the hospital and the governor uncomfortable.
While these are completely different stories, they both show that hospital employees are unsure about HIPAA regulations and how they apply to them.
The Takeaway: Hospitals need to share stories like these with their employees to help bring clarity to regulations that often seem murky and confusing.

Hi Jean:
As I’m sure you know, HIPAA violations are a VERY big deal in the health care world. In your first example, I am not surprised the employees were fired. As to the big brother comment, any health care system that does not maintain an audit trail on who looked at/changed any medical record is negligent. That is a fact of life.
Regarding the second Twitter incident – I might have fired her for bad judgement – but not for a HIPAA violation. It feels like an excuse in the second case.
(Thanks – I am now in the research business, using SM as the raw material. Used to be in the health business – and this post crosses both.)
Tom O’Brien
MotiveQuest LLC
@tomob
I’m totally in agreement with your two tales. HIPAA violations are increasing tremendously. It becomes essential to remain updated with the latest security measures and to remain compliant with HIPAA security law. Just a few days back I also found one website, http://hipaatraining.net/. This site provides comprehensive HIPAA training courses in multiple formats, as well as services and products for covered entities & business associates to meet HIPAA compliance. They also provide online HIPAA training as well as self study kits.
Hey, if Big Brother needs to be watching more carefully when celebrities’ records are accessed inappropriately, then the same should be true when the records are those of private citizens. We all need and deserve our privacy, no matter what the motives of the snoopers may be. That’s why the HIPAA laws exist.
The overriding problem here is financial liability, and that’s why the hospitals are working at a hair-trigger.
I am not a lawyer, but from seeing client experiences, although your idea makes logical sense, it doesn’t make legal sense. If they don’t act immediately, they’re probably going to be liable for millions in possible damages, and at the very least, hundreds of thousands of dollars in legal fees.
This problem is growing in America’s sue-happy culture, and it’s one of the key reasons, beyond productivity, that social networking sites are banned at many employers. I’m also very commonly finding employees being banned from participating on ANY social networks, even in off hours, as a condition of employment. Sometimes it even extends to having their likeness recorded in audio or video format for distribution online.
I agree with your statement regarding using the events as an opportunity to train employees properly. We as a society seem to move in punitive circles and focus on lawsuits more so than trying to get to the root of the issue and correct it before it occurs again.
Good post!
I agree with your statement on using the events as an opportunity to train employees properly. Great post!