Although recent security breaches at Target and other retailers have gotten more media attention, hospital data breaches are becoming more common – and alarming – with each passing month.
Here are some examples:
- In February 2014, Arnold Palmer Hospital reported a missing flash drive containing Protected Health Information (PHI) that included last names, medical record numbers, dates of birth, gestational ages, birth weights and dates of hospitalizations of 586 children.
- In March 2014, Elliot Hospital in Manchester, N.H. reported four computers stolen from an employee’s car containing information such as names, dates of service and various billing codes.
- In May 2014, the Office for Civil Rights (OCR), the enforcement arm for HIPAA violations, announced a $4.8 million settlement with New York and Presbyterian Hospital and Columbia University. The settlement followed an investigation into a joint breach report regarding the disclosure of the ePHI of 6,800 individuals (including patient status, vital signs, medications, and laboratory results), following a complaint by an individual who found the PHI of a deceased partner on the Internet.
The Department of Health and Human Services (HHS) has a web page where you’ll find the names of many leading hospitals and healthcare organizations that have collectively been responsible for hundreds of data breaches involving millions of patients. Hackers aren’t to blame for most of these data breaches. Only 8% of the breaches listed on the HHS website are due to hacking or IT incidents. The other 92% are mainly caused by a hospital’s own employees or business associates. Most breaches are caused by simple human errors, such as stolen or lost laptops containing unencrypted PHI, unattended computers with no auto-logoff, passwords taped underneath a keyboard, and accidentally posting PHI to a public website. The OCR reports that virtually every privacy complaint it receives that results in corrective actions involves an organization’s employees.
Data breaches carry serious costs that can run into the millions when you consider notification costs, legal/regulatory penalties, class action lawsuits, remediation activities and lost business due to reputational damage. Because of the new Civil Monetary Penalty System (CMPS) in the HIPAA Omnibus Final Rule, the maximum penalty for a HIPAA violation involving willful neglect has risen from $25,000 to a shocking $1.5 million. And a single data breach usually involves multiple HIPAA violations.
Because humans are involved in most data breaches, a hospital’s Human Resources department can play a key role in helping safeguard the confidentiality of patient data. It’s imperative for everyone in HR to understand the nuances of HIPAA regulations – and for HR representatives to be involved in HIPAA compliance initiatives and activities.
Hospital HR teams can help improve the organization’s level of compliance and reduce the probability of a breach or a complaint and the related costly repercussions. HR should be part of a cross-disciplinary HIPAA compliance team that includes representation from clinical management, quality, member/provider services, compliance staff and IT, supported by the executive leadership team. There are four primary areas where HR can lead the way in a hospital’s HIPAA compliance program:
Training That Gets Specific
Lack of appropriate and specific training is a primary contributor to security breaches and complaints. Many organizations think that a general 30-minute online HIPAA training presentation followed by 10 questions is sufficient for people to know what they should do in a given situation. But employees need to know their specific responsibilities regarding PHI.
By providing clear examples of day-to-day activities involving PHI, the HR staff can help employees know how to handle those situations properly (e.g., a patient request to not be included in the hospital directory, how to report a complaint, and so on). Other reminders like posters, periodic emails and reference cards can also provide specifics and help reinforce the importance of the confidentiality of patient health information.
HR has a responsibility to include the latest HIPAA rules in training programs and materials. Keeping an accurate training log helps HR apply appropriate penalties to those who don’t complete HIPAA training – and provides evidence of training to OCR if the hospital is investigated or audited.
The hospital’s code of conduct and/or employee handbook also needs to convey the organization’s commitment to the confidentiality of patient health information.
Policies for Limiting Access
For seven years in a row, the #3 and #4 reasons for complaints to OCR have been “inappropriate” and “more-than-necessary” employee access to health information. Some hospitals have not taken the time to determine and document which employees need access to exactly what health information in order to do their jobs. As a result, employees often have access to information they don’t need. Without proper training (or with malicious intent), they may take advantage of that access. A disgruntled employee who gets terminated but still has access to PHI can cause a great deal of damage. By clarifying position descriptions, HR can help set effective policies for authorizing and terminating access to patient data.
The hospital’s sanctions policy for HIPAA violations needs to be clearly communicated and enforced by HR. During the 2012 HIPAA audits, OCR auditors requested evidence of applied sanctions for violations.
Rural hospitals have significant problems with employees snooping into medical records of colleagues, ex-partners and others in the community. Larger hospitals and rehab centers must deal with improper snooping into the medical records of celebrities and prominent public figures. An organization can suffer significant financial and reputational damage stemming from a breach of such information.
A hospital can implement tiered sanctions based on considerations such as:
- Was the access or disclosure intentional or not?
- Was it malicious in nature?
- Did the employee know the affected individual(s)?
- How many people were affected?
- Was this the person’s first violation?
- Was the information further disclosed?
Administering Group Health Plans
If a hospital has a self-insured health plan for its employees, it’s considered a covered entity under HIPAA. Typically the plan is administered to some degree by the benefits function inside HR – activities such as enrollment, eligibility, appeals, and other administrative duties. HR needs to be aware of additional HIPAA requirements associated with group health plans. These depend on the information available to various HR employees and the interactions with vendors and other business associates who need access to PHI. There are also specific requirements involving plan documents and the segregation of access to employee health information.
HR’s Leadership Role
A hospital needs robust HIPAA compliance oversight in order to evaluate privacy breach and complaint trends and their causes, ensure consistent sanctions, and monitor remediation plans.
An HR representative should always be involved in these compliance oversight activities. The hospital’s “HIPAA working group” can proactively prevent privacy/security problems from arising in the first place – and can make recommendations for additional resources needed to reduce or eliminate security risks.
A hospital can greatly reduce its risk exposure when the HR department conducts in-depth HIPAA training, effectively limits PHI access, and establishes and enforces strong sanctions for HIPAA violations. These efforts can help a hospital keep its name off HHS’s growing list of HIPAA violators.
This article was originally featured in Executive Insight Magazine