HIPAA: Health Insurance Portability and Accountability Act

You are a staff nurse in an emergency room for a large hospital, one of three in the state, owned by a for-profit corporation. Your manager tells you that a prestigious news crew will be coming to the emergency room to film nurses providing care to patients and using the latest equipment. Your manager tells you that the crew has completed the hospital’s HIPAA training course. You ask your manager if the patients will be given the opportunity to consent to be filmed. The manager tells you that consent is not necessary because no patient names will be used.

You are aware that an ABC news documentary, Save My Life: Boston Trauma, resulted in large fines because patient permission was not obtained before filming. While the hospital administrators required that news crew members and reporters complete HIPAA training and sign confidentiality agreements, the Office of Civil Rights (OCR) said that all patients needed to give written consent and the opportunity to withdraw consent at any time.^5,6

You mention the Boston case to your manager, but he dismisses it and tells you not to be a troublemaker. Further, he states that the hospital needs the positive exposure that this story will bring. What is your next step?

You will:

1. comply with your manager’s suggestions without saying another word.
2. make an appointment with the hospital’s HIPAA privacy office.
3. file a complaint with the OCR.
4. send an email to the hospital administrator, outlining the situation.

Ignoring the event, or answer 1, can cause the organization more damage. If you fail to report your observations and suspicions and filming takes place without patient consent, a patient or family member could file a complaint with the OCR. If this happens, your hospital may be fined, and reputation damage might ensue.⁷ If you report the potential violation internally by talking to the privacy officer (answer 2, you will allow your employer the opportunity to take steps to reduce or eliminate the potential HIPAA violation). Furthermore, your actions will be helping to ensure that similar incidents do not occur in the future.

You are an Occupational Therapist case manager who works for a Long-Term Care facility. While you are eating lunch in the company’s cafeteria, you overhear other employees who work in the housekeeping office, talking about how they were able to review the medical record of a neighbor through the online system. You are aware that access to protected health information (PHI) should be limited to those that “need to know” for the purposes of payment, treatment, or healthcare operations.

As an OT, you attended the company’s required HIPAA training. You are aware that a covered entity, such as a health insurance company, is subject to HIPAA security rules.⁸You recall that security rules must be reasonable and appropriate.⁹ You remember that access controls must ensure that only authorized users have access to the minimum necessary information needed to perform job functions. You are shocked that housekeeping staff gained access to patient information. You wonder if you should confront the two housekeeping employees and try to teach then a lesson about privacy.

What will you do?

1. Take the housekeeping staff aside and tell them they violated HIPAA rules.
2. Report the incident to the company’s HIPAA privacy officer.
3. Go to the manager for housekeeping and demand that the staff is disciplined.
4. Finish your lunch and go about your own business.

Ignoring the situation is not an option since you witnessed a HIPAA violation. The problem of data exposure, or failure to protect data, puts the organization at risk for fines and penalties. The case management company is a covered entity and, by law, must enforce the minimum necessary standard.^10,11 This means that employees should only have access to data that they “need to know” for their jobs. Information technology systems and security must be in place to ensure that housekeeping employees cannot access PHI or ePHI.¹²

The best choice is to contact the company’s HIPAA privacy officer. Discussing the matter with the two housekeepers or the manager of the housekeeping department might not result in a system-wide risk analysis, which is necessary to discover and correct other potential vulnerabilities. The risk analysis will identify the persons or classes of persons, and the types of access they need to perform their job duties. For example, case management company leaders may permit physicians, nurses, or others involved in care coordination to read the entire medical record of those they manage. They will prohibit access to those who do not need to see the records of patients/clients to perform their job duties.

All members of the healthcare team can learn from resolution agreements from companies who violated HIPAA rules. Fresenius Medical Care of North American paid $3.5 million for failure to protect patients’ PHI. Furthermore, the OCR demanded that Fresenius execute a risk analysis and risk management plan, revise policies and procedures on facility access controls, improve encryption, and educate its employees on HIPAA policies and procedures. The Fresenius matter involved unauthorized access, tampering, and theft of data when it was reasonable and appropriate to provide HIPAA protections.¹³

The Security Rules outlines Access Control Standards that could prevent these violations. Inimitable usernames should be created for each employee to help track access. Visibility settings for each username should limit user access to only the PHI needed for their job role. Furthermore, procedures for accessing PHI during an emergency are required. Emergency access to PHI should be reviewed with the medical staff, and clear guidelines should be set. Additional required Access Controls include automatic logoff after inactivity and encryption/decryption processes. These measures help reduce chances of unauthorized persons viewing PHI, while digitally protecting sensitive information.¹³

You are a nurse manager for an outpatient clinic where detoxification from prescription drugs takes place. A news reporter calls the clinic and asks for an interview with you and some patients. The reporter requests to do a story for the local newspaper about the opioid crisis and the treatment of addicts.

What should you do?

1. Decline the interview at work but offer to meet at a neutral location without patients.
2. Decline the interview and report the request to the HIPAA privacy officer.
3. Tell the reporter to call the Media Officer for the clinic.
4. Gather three well-functioning patients and do the interview.

The best choice is to decline the interview and report the telephone call to the HIPAA Privacy Officer for the healthcare system. Telling the reporter to call the Media Officer of the Public Relations Department of the clinic is also acceptable; however, some reporters will continue to call physicians or nurses who work for the clinic, hoping to find someone who will consent to an interview. Alerting the HIPAA Privacy Officer will help ensure that the entire facility follows approved policies. Your decision is based on your knowledge of HIPAA rules plus what you have learned from HIPPA violations, such as the one below.

This HIPAA violation took place when a patient of a specialty practice contacted a local television reporter to complain about a problem he encountered with the practice. The reporter telephoned the patient’s physician to validate the patient’s claims and to ascertain details. The physician disclosed protected health information to the reporter without the patient’s consent or the facility’s permission. In fact, the privacy officer of the practice had instructed the physician to ignore the reporter or respond with “No comment.” The Office of Civil Rights’ (OCR) investigation found that the physician’s actions were reckless and irresponsible.

Further, OCR scrutiny revealed that the administrator did not discipline the physician or institute corrective actions to prevent a reoccurrence.¹⁴The OCR imposed a $125,000 fine and demanded a corrective action plan that included two years of HIPAA compliance monitoring.¹⁵ The corrective action plan dictated that the specialty practice submit policies and procedures consistent with the HIPAA privacy rule within 60 days for HHS approval.

If you observe a physician or someone in authority at your facility violating HIPAA rules, should you report that person? Could you lose your job for reporting a well-admired physician or a popular nursing administrator? A covered entity or a business associate cannot threaten, intimidate, or retaliate against any person who files a HIPAA complaint or participates in a HIPAA investigation.¹⁵

You are a nurse executive for a nursing home and are researching billing companies for your facility. Your nursing home plans to establish a Business Associate Agreement with an outside billing company to bill for services. You review the websites of several billing companies. During the process, you discover patient information, including names, dates of birth, and social security numbers exposed on the Internet for one billing company.

What should you do?

1. Call the billing company’s administrator and report what you found.
2. File a report with the OCR.
3. Obtain guidance from your company’s HIPAA Privacy Officer.
4. Make a note not to use the billing company with the exposed data.

The best choices are either filing a complaint with the OCR or obtaining guidance from your HIPAA Privacy Officer. If you decide to file a complaint and want action to be taken, you must provide your name and contact information. If you submit your complaint anonymously, the OCR might not investigate it. Most complaints can be filed online using the complaint portal assistant which can be found at the following website.

Those that need help filing a complaint can email the office at OCRMail@hhs.gov or call 1-800-368-1019.

The OCR can impose financial penalties for HIPAA violations that occur through negligence. This is what happened when ACH, a company providing contracted physicians to hospitals and nursing homes, hired a billing company. In early 2014, hospital personnel discovered patient names, dates of birth, and social security numbers exposed on the Internet. Initially, ACH filed an OCR breach notification report testifying that 400 patients were affected. After further investigation, ACH filed a supplemental breach report avowing that an additional 8,855 patients could have been affected.¹⁶

The OCR examination revealed the following:

1. ACH shared protected health information with a vendor without a Business Associate Agreement (BAA) as required by HIPAA.
2. ACH lacked written HIPAA policies and procedures.
3. ACH did not conduct a risk analysis or implement security measures required by HIPAA rules.

A nurse researcher was fired from her job because the university did not need her services for any more studies. After her termination, she illegally accessed the medical records of her supervisor, her coworkers, and several celebrities. She wrote and sold stories about celebrities to sleazy magazines.

What are some of the possible outcomes of her actions?

1. Jail time
2. Fines
3. Loss of RN license
4. All of the above

Answer: 4. The nurse researcher committed a federal crime and will likely lose her license, be fined, and may be sentenced to time in jail. Case precedence was set when a former cardiothoracic surgeon, Zhou, who was fired from UCLA School of Medicine for performance issues unrelated to HIPAA, accessed the medical records of his supervisors, coworkers, and celebrities such as Arnold Schwarzenegger, Drew Barrymore, Leonardo DiCaprio, and Tom Hanks. The courts found that Zhou broke the rules in order to get back at those who terminated him. Zhou pleaded guilty. While he did not sell the information or use it improperly, he viewed the records illegally. Zhou was sentenced to 4 months in federal prison for the HIPAA violation.¹⁸The nurse researcher went one step further than Zhou because she sold the information for personal monetary gain.

While not quite as severe, another incident illustrates what can happen when an organization does not cease access to ePHI for a person who is no longer employed. A medical center’s information technology chief failed to stop access to ePHI after a hospital employee resigned and separated from service. The failure resulted in the former employee having access to the protected health information of 557 patients. Additionally, the hospital used a Google-based patient scheduling calendar and did not have a business associate agreement with Google. The hospital paid $100 per patient in fines each time patient information was released inappropriately.¹⁸

As a clinical nurse educator for a pharmaceutical company that oversees clinical drug trials in large metropolitan hospitals, you carry sensitive patient information in your briefcase and laptop. While traveling to a hospital in North Carolina, you accidentally leave your unlocked briefcase in the airport waiting room. The briefcase is recovered, but the list of patients enrolled in the study in the North Carolina hospital, and their case histories, is missing.

What do you do?

1. Report the matter to your supervisor.
2. Stop the trial and discharge all of the patients whose case histories are missing.
3. Report the matter to the OCR.
4. Use your laptop to print the case histories and say nothing.
5. Report the case as a missing paper to the airport’s lost and found office.

Your first action is to report the incident to your supervisor, who will guide you and ensure you are following company policies. Actions steps will most likely include contacting the HIPAA privacy officers for both the hospital and the pharmaceutical company. The pharmaceutical company, in this case, is a business associate, and a business associate agreement should be in place.

A New York research institute paid a fine close to 4 million dollars for a breach of research data, including 13,000 participants’ full names, addresses, dates of birth, medical diagnoses, laboratory test results, prescribed medications, medical study particulars, and social security numbers. The breach occurred when an unencrypted laptop was left in full view on the backseat of an employee’s automobile and was stolen.¹⁹

Another research center, this time in Texas, suffered a similar fine and breach. Unencrypted data for 33,500 research patients were exposed when an unencrypted laptop and two flash drives were stolen.

In both cases, the following violations occurred:

1. Absence of technical safeguards by the research institute to prevent data theft and/or accessing ePHI by unauthorized individuals.²⁰
2. Lack of policies and procedures governing the removal of equipment used to store ePHI.²¹
3. Failure to encrypt data or use another reasonable security measure to safeguard it.²²

Since nurses are often the collectors of research data and may carry laptops into patient homes or clinics for this purpose, they must make sure to safeguard the data adequately. Proper safeguarding measures could mean locking briefcases, coding patient data, perhaps using numbers or coding instead of names.

You are a Physical Therapist at a Chicago hospital. Your employer provided HIPAA training as part of your initial orientation ten years ago, but you have not been trained since. Your curiosity gets the best of you when a high-profile individual is admitted to the hospital. You review the medical record without the “need to know,” and you relate what you saw to another employee in the break room. The other employee reports you to the Privacy Officer. You are scared that you will lose your job and that the patient might sue you if he finds out you reviewed his chart without the need to do so.

Your supervisor is likely to:

1. Ignore the report from your colleague as she knows you had no malicious intent.
2. Place you on probation with a monitored corrective action plan.
3. Dock your paycheck for $250.00 for 10 paydays.
4. Suspend you for violating hospital policy and HIPAA rules.

The privacy officer is likely to suspend or fire the PT who reviewed medical records inappropriately or put her on probation with a monitored corrective action plan. The corrective action plan will include additional HIPAA training and close observation. Even if the patient finds out about the violation, he cannot sue because there is no private course of action for HIPAA violations.

This scenario is similar to a situation that happened at Chicago Northwestern Memorial Hospital when at least 50 employees, including nurses, reviewed an actor’s medical records without the “need to know” his condition.²³

The consequences of healthcare professionals violating HIPAA are many, including any or all of the following:

1. Being reported to your professional board and facing disciplinary actions
2. Employment discipline
3. Employment termination
4. Fines and penalties

Disciplinary action by a Board of Nursing for a HIPAA violation can be stiff. For example, when Martha Smith-Lightfoot, a nurse practitioner, left employment at the University of Rochester Medical Center (URMC), she took a detailed spreadsheet of 3,000 patients with PHI to her new employer. She did this without the consent of the patients or her employer. In fact, the breach was discovered when several patients complained about being contacted by Martha’s new employer. The New York Board of Nursing imposed a one-year suspension and three years of probation for Smith-Lightfoot. In addition, the New York Attorney General fined URMC and instituted a detailed corrective action plan which included a policy review and further training.^24,25

You are Facebook friends with many of your coworkers. You work at a large children’s hospital where you take care of children mainly from low-income families. You notice that a coworker posted several narratives about an extremely ill child on your unit who has a disease that is preventable by vaccination. While the posts do not name the child, they are detailed, describing the child’s age, his symptoms, the rarity of the illness, his parent’s reactions, and the care given. Additionally, the posts identify the hospital, the unit, and the posting professional and her credentials. You consider the details to be Individually Identifiable Health Information (IIHI).

What is your first action?

1. Call the posting coworker and ask her to delete the posts.
2. Print the posts and take them to the hospital’s HIPAA Privacy Officer.
3. De-friend the posting coworker and remove your profile from Facebook.
4. Call your professional State Board and report the matter.
5. Do nothing since the posting coworker did not publicize the patient’s name.

Your first action should be to print the posts and take them to the hospital’s HIPAA Privacy Officer. You print them because you know that they can be removed. Your action is based on protecting your organization and the patient, plus complying with HIPAA privacy rules. A similar incident happened at Texas Children’s Hospital when a nurse posted IIHI about a child who became extremely sick with the measles. The child had not been vaccinated, which is unusual in Houston. The nurse was suspended while an investigation took place. During the suspension, she removed many of the posts. Eventually, she was fired.²⁶ The lesson learned is that healthcare professionals should never post about patients on social media. Even though the patient's name may not be mentioned, other information could link the post to the actual case.