Hospital Worker “Weaponizes” PHI

Not a week goes by without some compliance-related enforcement action announcement in the news.  The Department of Justice recently announced that a now-former hospital worker pled guilty to wrongfully accessing and distributing her ex-boyfriend’s medical records.  The 41-year-old woman admitted to using her login credentials to access her ex-boyfriend’s medical record even though she was not part of the medical team assigned to his care.  She then took a picture of a medical photograph in the chart and sent the photo to someone who sent it to the ex-boyfriend and others through a messenger app.  The message included “taunting language and emojis.”

The woman was sentenced to five years’ probation, fined $1,000 and restricted for five years from working in any organization where she would have access to others’ private medical info.

This is a striking scenario because of the sheer likelihood that it could occur in any healthcare org.  Every company that trains its employees on HIPAA stresses the relevant aspects of protected health information (PHI): need to know, medically necessary limits, proper use and disclosure.  But what restrictions does your org actually place on access?  Does your org provide care to, and maintain the PHI of, its own employees or other VIPs (e.g., dignitaries, public figures, employee family members)?  What protections exist to prevent the employee/patient or other staff members from viewing those records?

Whenever feasible, it’s best to limit access to a patient’s PHI to only those team members directly involved in his/her care.  And while all patients have the right to view their own medical records, they must follow the process established by the practice to do so; the same applies to the practice employee in his/her role as patient.
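The two controls above (care-team-only access, and employees who are also patients going through the normal patient-access process) only have teeth if chart access is audited against them.  The following is an added example, not code from this post or from any EHR product: it reviews a constructed audit log against constructed care-team assignments and flags each access that breaks need-to-know, escalating when the chart belongs to a patient on a watch list (employees, VIPs, staff family).

```python
import csv
import io

# Constructed sample data (hypothetical ids): which users are assigned to each patient's care.
CARE_TEAMS = {
    "P-1001": {"u_nurse_a", "u_dr_b"},
    "P-1002": {"u_dr_b"},
}
# Employees who are also patients of the practice, mapped to their own patient id (constructed).
EMPLOYEE_PATIENT = {"u_clerk_c": "P-1002"}
# Charts that get heightened review regardless of reason: employees, VIPs, staff family (constructed).
WATCH_LIST = {"P-1002"}

# Constructed EHR audit log, one access per line: timestamp,user,patient,action
SAMPLE_LOG = """\
2024-03-01T09:02:11,u_nurse_a,P-1001,view_chart
2024-03-01T09:15:40,u_clerk_c,P-1001,view_chart
2024-03-01T10:01:05,u_clerk_c,P-1002,view_chart
2024-03-01T10:30:00,u_dr_b,P-1002,view_chart
"""


def review_access(log_text, care_teams, employee_patient, watch_list):
    """Return one finding per logged access that violates need-to-know.

    A finding lists every reason that applies to that access; severity is raised
    to "high" when the chart belongs to a watch-list patient.
    """
    findings = []
    reader = csv.DictReader(io.StringIO(log_text), fieldnames=["ts", "user", "patient", "action"])
    for row in reader:
        reasons = []
        # Need-to-know: the user must be on the care team assigned to this patient.
        if row["user"] not in care_teams.get(row["patient"], set()):
            reasons.append("not_on_care_team")
        # Employee viewing their own chart must use the patient-access process, not their work login.
        if employee_patient.get(row["user"]) == row["patient"]:
            reasons.append("self_access")
        if reasons:
            severity = "high" if row["patient"] in watch_list else "medium"
            findings.append({"ts": row["ts"], "user": row["user"], "patient": row["patient"],
                             "reasons": reasons, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in review_access(SAMPLE_LOG, CARE_TEAMS, EMPLOYEE_PATIENT, WATCH_LIST):
        print(finding)
```

In practice the care-team table comes from the scheduling or encounter system and the review runs over the EHR's own access audit export; the logic stays the same.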

Regular reinforcement of the company’s HIPAA policies, with a sprinkling of scenarios from the DOJ’s enforcement actions, is an absolute necessity – not just the annual, general HIPAA training most companies provide.  Speaking of which, how good is your practice’s monitoring of training completion?  Some companies’ policies have no “teeth” and six months or more can go by before anyone notices delinquent trainees.
