According to HHS, the fraudulent use and sale of protected health information (PHI) is on the rise, and the majority of HIPAA violations reported in 2013 were attributed, at least in part, to workplace theft and mishandling of PHI.
Employers can avoid many of the violations arising out of employee misconduct by instituting proper training protocols. While HIPAA itself provides no private right of action, individuals are increasingly using its privacy standards as the basis for actions under state law, including claims for invasion of privacy, negligence, negligent supervision and hiring, and intentional infliction of emotional distress. These actions are, in essence, creating a private right to recover monetary damages where a person's PHI has not been protected as HIPAA requires. As a health care employer, do you have protocols in place that are consistent with the protections HIPAA affords and sufficient to prevent employee theft or mishandling of PHI?
The consequences of employee theft and negligence
Theft of PHI is often committed by employees. It can take the form of intentionally taking private information or of inadvertently or negligently mishandling PHI. The result, however, is the same: employer exposure to HIPAA violations and to costly civil litigation brought by the person whose PHI was mishandled.
To illustrate, in Abigail E. Hinchy v. Walgreen Co., Walgreens was ordered to pay $1.44 million after a pharmacist looked up the records of her husband's ex-girlfriend and shared the information with her husband.[1] The patient sued, claiming Walgreens was negligent in supervising the pharmacist. The pharmacist acted willfully, yet the case still highlights the need for continuous employee training and for monitoring of record access: the lookup was unrelated to any treatment, payment or operations purpose, which is exactly the kind of access an audit of record-access logs is meant to surface. Simply reading and signing an employee handbook is not enough; employees must be regularly reminded that workplace HIPAA offenses carry severe penalties, both personally (in the form of immediate termination and possible criminal liability) and for the employer (in the form of large fines and corrective action plans). Further, security measures, risk assessments and compliance audits should be updated regularly to mitigate the risk of this kind of breach.
What happens when a hospital employee takes work home and accidentally leaves 192 patients' billing records on a Boston subway train? For Massachusetts General, it meant entering into a resolution agreement with HHS that included a $1 million payment, a three-year corrective action plan and the implementation of a comprehensive HIPAA training program, with written certification that all staff had received and understood the hospital's HIPAA policies.
While computer-related breaches make up the majority of HIPAA violations, employers also need to ensure that employees exercise the utmost care when handling physical documents. Proper policies and training are necessary. Does the employer have policies on creating, handling, transporting and disposing of documents containing PHI? Does the employer have policies addressing the protection and handling of PHI in electronic form? Have employees been educated on the consequences of mishandling PHI? Asking these questions is a first step toward avoiding becoming another Walgreens or Massachusetts General.
Implementing computer procedures
Storing PHI only on secured networks, with encryption and firewalls, is the bare minimum. An employer should also implement procedures that control and record which employees access PHI and what they do with it. This matters because PHI is found not only in hard-copy documents but on easily transportable computers; many of the most serious HIPAA breaches in 2013 resulted from stolen or lost laptops. Because of their mobility, healthcare employers should reconsider whether laptops and tablets need to hold this kind of sensitive patient data at all. Where portable devices must be used, the single most effective control is full-disk encryption: under the HIPAA Breach Notification Rule, the loss of a device whose data is encrypted to HHS guidance is generally not a reportable breach, whereas the loss of an unencrypted device is. Regular backups (including to a secure, contracted cloud provider) protect availability but do nothing to keep a thief from reading the data, so they complement encryption rather than replace it. Access to PHI systems should be tied to individual user IDs (never shared logins) with strong passwords, and those IDs should be disabled promptly when an employee leaves or changes roles.
Social media and HIPAA
By changing the way we communicate, social media sites like Facebook, LinkedIn and Twitter have increased the likelihood that HIPAA will be violated by those who handle sensitive medical data. Because employers are generally liable for the acts of their employees within the scope of their employment, and many professionals check social networking sites several times during the work day, healthcare employers have good reason to be concerned. Healthcare organizations should therefore consider extending their existing HIPAA compliance and patient confidentiality policies to cover all social media sites explicitly. Employees become more sensitive to the privacy issues raised by social media when they are shown examples of how seemingly small, innocuous statements can violate HIPAA.
In Jane Doe v. Simon P. Green et al., for example, a paramedic got into "hot water" after posting details about a rape victim on his MySpace page.[2] Although he did not name the patient, he described the victim and detailed her statements about the perpetrator. As a result, other people began doing their own reconnaissance of the victim. The police found that Mr. Green's posting had compromised the investigation, and the trial court found that the victim had suffered serious emotional distress. Mr. Green's employer, AMR emergency services, was found to have negligently hired, trained and supervised him and was held liable for substantial damages.
Similarly, several doctors have faced severe consequences, including termination and subsequent reprimand by state medical boards, for posting patient and procedure information on medical blogs, Facebook and Twitter, again without naming the patients.[3] Omitting the name is not a safeguard: clinical details, dates and circumstances that allow a patient to be identified are still PHI, and their disclosure is often enough to constitute a HIPAA violation. These illustrations underscore the need for care when participating in social media. Employees who are better educated about these pitfalls are far less likely to commit violations.
Requirements for employees and business partners
Ignorance is no excuse when it comes to PHI and HIPAA violations. The HIPAA Security Rule requires covered entities to take proactive steps, including a documented risk analysis, workforce training and a sanctions policy, and to monitor compliance on an ongoing basis. A PHI policy and security plan should be created that includes workforce training, administrative, physical and technical safeguards, and sanctions for policy violations. Employees with exposure to PHI should then be trained on the company's PHI policies and required to sign an acknowledgment that they attended the training, understand the policies and will abide by them.
Moreover, a step frequently overlooked by medical employers is to require outside vendors and business associates that create, receive, maintain or transmit PHI on the employer's behalf (e.g., billing companies, transcription services and medical device vendors) to sign a business associate agreement with provisions devoted to their duty of strict confidentiality under HIPAA. Healthcare employers should also consider requiring their business associates to demonstrate that they have HIPAA-compliant safeguards in place, because the employer can itself be exposed when a business associate mishandles PHI. Mishaps do occur: last year a transcription company stored data on a non-secure site and left a firewall open, causing thousands of private medical records to appear in the Google index.
Reinforcing the severity of penalties
Healthcare employers are under tremendous pressure to track the storage and handling of PHI. The penalties for failing to train and supervise employees who handle sensitive personal and medical data are severe and include large fines and potential criminal liability.
Employees, too, are not immune from penalties for mishandling PHI and should understand that they have "skin in the game." Developing solid security and privacy procedures is a start, but employees also need to be made aware of the consequences of a breach. Under HIPAA's criminal provisions, knowingly obtaining or disclosing individually identifiable health information in violation of the statute can result in a fine of up to $50,000 and up to one year in prison; if the offense is committed under false pretenses, the maximum rises to $100,000 and five years; and if it is committed with "intent to sell, transfer or use for commercial advantage, personal gain or malicious harm," offenders face up to a $250,000 fine and 10 years in prison. Civil penalties are tiered by culpability, from $100 to $50,000 per violation, and cap at $1.5 million per year for identical violations of the same provision. Further, while there is no private right of action under HIPAA, California's Confidentiality of Medical Information Act does provide a private cause of action, including compensatory and punitive damages. Through a thorough, aggressive and ongoing training program, healthcare employers can show employees how the smallest, ostensibly harmless act can constitute a breach, reducing the likelihood of a violation that ends in a lawsuit or a massive fine.
Stacey L. Zill, Esq., and Veenita D. Raj, Esq., are litigation attorneys at Michelman & Robinson LLP who represent healthcare clients. Ms. Zill is a member of the Health Care Department; she can be reached at 818.783.5530 or by email at szill@mrllp.com. Ms. Raj is a member of the Labor & Employment Department and can be reached at 818.783.5530 or by email at vraj@mrllp.com. This article is not to be relied upon as legal advice. Consult counsel for advice in specific situations.
[1] Abigail E. Hinchy v. Walgreen Co. et al., Case No. 49D06-1108-CT029165, Marion County Superior Court, State of Indiana.
[2] Jane Doe v. Simon P. Green et al., Case No. 0704-04734, Multnomah County Circuit Court, State of Oregon.
[3] Christopher Danzig, "ER Doctor Forgets Patient Info is Private, Gets Fired for Facebook Overshare," Above the Law, April 29, 2011.