Prying eyes: Protecting patient records
Cases of identity theft steal headlines, but simple curiosity is the biggest culprit for security breaches inside hospitals and practices. Here's how to prevent it -- and how to catch the snoopers.
By Pamela Lewis Dolan — Posted Oct. 1, 2007
Electronic access to patient data has made it easier to look up information -- sometimes too easy.
You've probably heard stories about employees or others tapping patient information systems for identity theft. But the more frequent problem is snooping -- curious staff or others with system access who look at information they're not authorized to see.
It sounds innocent, but HIPAA and an increasing number of state laws that cover disclosure of information breaches don't make distinctions based on intent. An information breach is an information breach, which means physician practices not only have to find ways to keep gawkers away but also must be ready to carry out consequences -- or face them -- if a breach occurs.
A case in point: New Hampshire Orthopedics in Manchester, N.H., discovered that someone who wasn't supposed to look at a patient's information had done so -- and was telling others about what was in the file.
Employees at the practice had gone into the electronic medical record system of Elliot Health System, which the practice and its employees were authorized to use for treatment. The patient whose file was opened was herself an employee at the orthopedic practice. When workers started to gossip about what they had found, a practice manager contacted Elliot, which used a system audit of that patient's record to trace the access back to two employees.
New Hampshire Orthopedics fired the employees, but Elliot was in the hot seat, as state law required the hospital to file a disclosure and contact the patient. The practice's name was included in the publicly available report.
The hospital launched a "robust" effort to educate employees, doctors and contracted EMR users, said Katherine St. Jean, Elliot's director of compliance, who headed the investigation. New Hampshire Orthopedics deferred comment to her.
Everyone needs to know that "you don't need to go into that record if you don't have a part in the treatment for that patient," St. Jean said.
Tighter laws and policies
Before HIPAA, the culture inside the practice was very different, St. Jean said, and paper-based systems were conducive to that culture. If doctors or nurses were curious about a patient, they took a quick look at the file, which could be taken easily from a shelf or a file holder.
Even though most peeks are still innocent, they now violate laws. The struggle is in reprogramming people, St. Jean said.
Many don't understand that an innocent peek can be illegal, said John Christiansen, a privacy attorney from Seattle.
"If you don't have a legitimate purpose for looking at a record ... the fact is you are creating a disclosure of the information to yourself, and that is illegal," Christiansen said. "The fact that you didn't share the information is a good thing -- it minimizes the potential for harm -- but there's no distinction in the law for 'no harm, no foul.' "
And if a practice is allowing it to happen, or not doing enough to prevent it, practice owners could be liable as well, he said.
Under the law, practices are required to keep patient records confidential. So even the most benign breaches need to be addressed, Christiansen said. If they aren't, and a major violation occurs and an investigation is launched by the Office for Civil Rights, the last thing you want to do is give the impression that you aren't serious about patient privacy, Christiansen said. A pattern of noncompliance could result in action by the Justice Dept., though so far, it hasn't prosecuted any cases along those lines.
Legal doesn't always mean OK
HIPAA does not mandate how practices should deal with non-criminal breaches of security. But at the very least, practices can find themselves faced with major headaches or bad publicity. Notification laws that are now in place in at least 35 states require practices to inform patients of any breach, and in some cases, those laws, like New Hampshire's, require public disclosure to a state regulator as well.
There is an effort to make such rules national. Earlier this year, Sens. Patrick Leahy (D, Vt.) and Edward Kennedy (D, Mass.) introduced their proposed Health Information Privacy and Security Act, which would require notification within 15 days of a breach.
Regardless, experts believe hospitals and practices should notify patients every time a breach occurs, no matter how severe or mild.
St. Jean admits that notifying patients every time a minor breach occurs can make her job hectic. But "I think that it's advantageous for the patients to see how quickly we respond to this, and they know we do take it seriously."
St. Jean said the patient in the orthopedic practice case was "a little taken aback" when St. Jean called to tell her what happened, but in the end was happy she had been told.
As an attorney, Christiansen said he advises clients to look at HIPAA as "the floor, not the ceiling" when it comes to establishing policy. That applies not only to notification laws but also to creation of policies on how patient records are handled in your practice.
Marlene Giesecke, RN, a consultant for PivotHealth who is on assignment at Queens Long Island Medical Group in New York, said policies should spell out exactly what is and is not allowed and the penalties for breaking the rules.
Most EMR systems have role-based access control, a safeguard that supports HIPAA compliance but does not by itself deliver it: a role grants everyone in it the same technical reach, so the system cannot tell a nurse treating a patient from a nurse who is merely curious about one. Having access therefore does not equate to a legal right to review a file. The practice's policies should reiterate HIPAA rules and restrict staff to the information needed to do their jobs, even where the system itself allows more, experts say.
Punishment for breaking the rules can vary based on severity, but the policy should be clear as to what the consequences are, Giesecke said.
Everyone also knows that mistakes happen and that the wrong file can be opened inadvertently. Experts say policies should distinguish between mistakes and violations, but it should be established at the time of an employee's hire, or when an EMR is brought into the practice, that patient privacy is a serious matter and that a pattern of slip-ups will not be tolerated.
Christiansen believes in the "three strikes and you're out" rule when it comes to mistakes. He suggests a warning for the first offense, probation and close monitoring the second time, and suspension or termination for the third offense.
Easier to snoop -- easier to catch
The auditing function in most EMRs can help a practice determine if a breach was a mistake or whether snooping is widespread in the office.
At its most basic level, the audit shows which files were opened when and by whom. Giesecke described obvious red flags: files opened outside of office hours; an extraordinary number of files opened compared with the number of patients seen; files changed by non-physicians; the opening of files belonging to VIPs, employees or family members of employees; and for larger practices, files opened by employees in a department different from the one where the patient was seen.
A more detailed audit can help distinguish mistakes from snooping. For example, if a file for Jonathon Smith was opened by an employee who claims she was looking for Johnathon Smith, experts say the audit can show how long the "wrong" file was opened, which file the user went to next, and a history of files the user opened.
Jack Danahy, chief technology officer and co-founder of Ounce Labs, a Waltham, Mass.-based company that analyzes software for possible security risks, said establishing a strict environment is the best way to prevent violations.
Simply telling employees they are being watched helps prevent many cases of snooping.
"If it's known there is a log that goes out at the end of the week that records who looked at what ... they are less likely to snoop," he said.
But an audit function is effective only if it's regularly used, Giesecke said. She recommends running an audit that looks for red flags at least once a month. Other audits can include a more detailed look at employees on probation or under suspicion.
An audit also can be done on a specific patient's file, which was how St. Jean at Elliot determined the employees at New Hampshire Orthopedics had illegally accessed the files of their co-worker.
In addition to an audit, a warning can be placed on files likely to attract curiosity that will pop up every time such a file is about to be opened, stating that activity on the file will be watched closely. Giesecke said this warning is placed on every file her practice feels could raise curiosity, including files of employees and their families.
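The red-flag sweep, the mistake-versus-snooping triage and the single-patient trace described above can all be expressed as simple checks over an access log. The following is an added example, not code from the article or from any EMR vendor: the log format, field names, office hours, the 15-second and two-minute thresholds and the per-day volume limit are assumptions, and the log lines are constructed for illustration.

```python
"""Red-flag review of EMR access logs (added example; not from the article).

Assumed log format, one access per line:
timestamp,user,role,user_dept,patient_id,patient_dept,action,seconds_open
All thresholds below are assumptions to be tuned to the practice.
"""
from collections import defaultdict
from datetime import datetime

OFFICE_HOURS = (7, 19)                      # assumption: 07:00-19:00 is normal
CLINICAL_ROLES = {"physician", "nurse", "pa"}
MAX_RECORDS_PER_DAY = 4                     # assumption: stand-in for "patients seen"
QUICK_CLOSE_SECONDS = 15                    # assumption: a wrong file is closed fast
MOVE_ON_SECONDS = 120                       # assumption: the right file follows quickly

# Constructed sample log. P2000 is a co-worker's record; nurse_c opens it twice,
# once after hours. nurse_a opens a cardiology patient for 8 s by mistake.
SAMPLE_LOG = """\
2007-09-10T09:12:00,nurse_a,nurse,ortho,P1001,ortho,view,240
2007-09-10T09:20:00,nurse_a,nurse,ortho,P1002,ortho,view,190
2007-09-10T09:31:00,clerk_b,clerk,billing,P1002,ortho,edit,60
2007-09-10T22:47:00,nurse_c,nurse,ortho,P2000,ortho,view,310
2007-09-11T10:02:00,nurse_a,nurse,ortho,P3001,cardio,view,8
2007-09-11T10:02:30,nurse_a,nurse,ortho,P3002,ortho,view,200
2007-09-11T11:15:00,nurse_c,nurse,ortho,P2000,ortho,view,420
2007-09-11T11:30:00,nurse_c,nurse,ortho,P2001,ortho,view,400
2007-09-11T11:34:00,nurse_c,nurse,ortho,P2002,ortho,view,90
2007-09-11T11:38:00,nurse_c,nurse,ortho,P2003,ortho,view,85
2007-09-11T11:41:00,nurse_c,nurse,ortho,P2004,ortho,view,70
2007-09-11T11:45:00,nurse_c,nurse,ortho,P2005,ortho,view,95
"""


def parse_log(text):
    """Parse the assumed CSV format into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, udept, pid, pdept, action, secs = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                       "user_dept": udept, "patient": pid, "patient_dept": pdept,
                       "action": action, "seconds_open": int(secs)})
    events.sort(key=lambda e: e["ts"])
    return events


def red_flags(events, flagged_patients):
    """Monthly-style sweep: (rule, detail) pairs for the article's red flags."""
    hits = []
    per_user_day = defaultdict(set)
    for e in events:
        hour = e["ts"].hour
        if hour < OFFICE_HOURS[0] or hour >= OFFICE_HOURS[1]:
            hits.append(("after_hours", e))
        if e["action"] == "edit" and e["role"] not in CLINICAL_ROLES:
            hits.append(("non_clinician_edit", e))
        if e["patient"] in flagged_patients:          # VIPs, employees, their families
            hits.append(("flagged_patient", e))
        if e["user_dept"] != e["patient_dept"]:
            hits.append(("dept_mismatch", e))
        per_user_day[(e["user"], e["ts"].date())].add(e["patient"])
    for (user, day), patients in per_user_day.items():
        if len(patients) > MAX_RECORDS_PER_DAY:
            hits.append(("high_volume", {"user": user, "day": day, "count": len(patients)}))
    return hits


def classify_access(events, user, patient):
    """Mistake-or-snoop triage using the article's three signals: dwell time,
    what the user opened next, and the user's history with that record."""
    mine = [e for e in events if e["user"] == user]
    looks = [e for e in mine if e["patient"] == patient]
    if not looks:
        return "no_access"
    if len(looks) > 1:
        return "possible_snooping"                    # repeat visits are not a typo
    e = looks[0]
    idx = mine.index(e)
    nxt = mine[idx + 1] if idx + 1 < len(mine) else None
    quick = e["seconds_open"] <= QUICK_CLOSE_SECONDS
    moved_on = (nxt is not None
                and (nxt["ts"] - e["ts"]).total_seconds() <= MOVE_ON_SECONDS
                and nxt["patient_dept"] == e["user_dept"])
    return "likely_mistake" if quick and moved_on else "possible_snooping"


def patient_trace(events, patient):
    """Audit of one patient's file: who opened it, when, and what they did."""
    return [(e["ts"].isoformat(), e["user"], e["action"])
            for e in events if e["patient"] == patient]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for rule, detail in red_flags(evs, flagged_patients={"P2000"}):
        print(rule, detail.get("user"), detail.get("patient", detail.get("count")))
    print(classify_access(evs, "nurse_a", "P3001"), classify_access(evs, "nurse_c", "P2000"))
    print(patient_trace(evs, "P2000"))
```

Treat the hits as a review queue rather than verdicts: a department mismatch is normal for a consult, and a high volume day may be a clinic day, so the thresholds need tuning against the schedule. The checks are also only as good as the log they read; the practice should confirm that the EMR records every open, including reads, that the log is retained for at least the review cycle, and that the people being audited cannot edit it.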
Even though accessing an electronic file is physically easier than pulling a paper file off a shelf, St. Jean said the technology has made the files more secure.
If the hospital had been working with paper files, "there would have been no trail," St. Jean said.
"It really has never been so secure, and that's a really good thing for us and our employees ... but also for all our patients."