
Dealing with Data Breaches

By Greg Freeman for HealthLeaders Media
January 23, 2012

This article appears in the January 2012 issue of HealthLeaders magazine.

You pick up the phone and someone tells you that a laptop containing thousands of patient files was left behind on the morning train. Or you learn that your own employees have been snooping into sensitive patient records for fun and profit. Or you discover that, for some odd reason, patient records have been posted on a completely unrelated public website for anyone to see, and they've been there for nearly a year.

Each of these scenarios has played out for some unfortunate healthcare executive, and they hold lessons in how to avoid such disasters, plus the best way to respond to such a crisis. Some of the most notorious HIPAA violations occurred within the UCLA Health System at the UCLA Medical Center, where singer Britney Spears was hospitalized in early 2008. After the Los Angeles Times reported that employees had been caught perusing Spears' records with no legitimate reason, the hospital confirmed the HIPAA violations, fired 13 employees, and took disciplinary action against others. It also suspended six physicians.

David Feinberg, MD, MBA, who became CEO for UCLAHS in 2007, says that the experience was a wake-up call for the health system, and that conditions have changed dramatically since then.

"It definitely was a crisis that we turned into a great opportunity," says Feinberg. "We had a very, very lax culture around privacy, and because we happened to treat an A-list of celebrities, it got national attention. But the reality was we were sloppy not only with celebrities, but also with a nurse looking at another nurse's records to see if she was really sick yesterday. That was our culture."

When the Spears case and other alleged violations came to light, the health system disclosed in April 2008 that it had discovered that several employees had snooped into the patient records of dozens of celebrities, including Spears, Tom Cruise, and Maria Shriver.

In response, the California legislature passed a law that imposed escalating fines on hospitals for patient privacy breaches, and the state fined UCLAHS $95,000 in 2009. One employee was indicted for selling protected health information to the National Enquirer, Feinberg says.

The HHS Office for Civil Rights (OCR) launched an investigation in 2009 and determined that, from 2005 to 2008, "unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients," according to an OCR press release. OCR announced recently that the UCLA Health System has agreed to settle its investigation into the incident for $865,500 and to commit to a corrective action plan aimed at remedying gaps in its HIPAA compliance. The plan requires the implementation of privacy and security policies and procedures approved by OCR, "regular and robust" training for all UCLAHS employees who use PHI, sanctioning of offending employees, and an independent monitor who will assess UCLAHS compliance with the plan over three years.

Feinberg readily admits that the UCLAHS culture of several years ago did not include sufficient respect for patient privacy, but he also says that UCLAHS was not that different from other healthcare systems at that time. Respect for patient privacy has improved greatly throughout the healthcare community, partly as a result of privacy breaches that received national attention and resulted in people losing their jobs, he says.

Coming down hard on the employees who violated patient privacy sent a strong message to staff, he says.

"It was clear that we were going to use this incident as an opportunity to become a leader in patient privacy," Feinberg says. "Not only did we do some technological fixes, but more importantly, we made a statement to ourselves internally that this would not be tolerated, and we cleaned house. We get the same kind of celebrities now, and nobody looks."

UCLAHS implemented a number of technological improvements, including the active monitoring of about 700 patient records considered at risk for inappropriate access: every access to one of those records is reported to network administrators and upper management, and any time one of them is opened the user is asked to document specifically why. Those technical controls are important, Feinberg says, but the culture change was by far the most important improvement.
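The monitoring described above amounts to reviewing the EHR's access-audit trail against a watch list of flagged records. The following is an added example of that review logic, not UCLAHS's system or any vendor's product; the JSON-lines audit format, the field names, the record IDs, the user names and the watch list are all constructed for illustration, and the assumption that the EHR's "document why" prompt lands in a `reason` field is hypothetical.

```python
"""Added example: review EHR access-audit records against a watch list of
flagged patient records. Not UCLAHS's code; all data below is constructed."""
import json
from collections import Counter

# Constructed watch list: records flagged as at risk for inappropriate access.
# Keys are hypothetical medical record numbers; values say why they are flagged.
WATCHLIST = {
    "MRN-1001": "high-profile patient",
    "MRN-2002": "employee who is also a patient",
}

# Constructed audit trail in JSON Lines. Assumed field layout: the EHR writes the
# justification typed at its "why are you opening this record" prompt to `reason`.
SAMPLE_LOG = """\
{"ts":"2012-01-10T08:02:11","user":"dr.a","role":"attending","patient":"MRN-1001","reason":"admitting physician"}
{"ts":"2012-01-10T08:15:40","user":"clerk.c","role":"clerk","patient":"MRN-1001","reason":""}
{"ts":"2012-01-10T09:01:03","user":"nurse.d","role":"nurse","patient":"MRN-2002","reason":"assigned to unit today"}
{"ts":"2012-01-10T09:05:00","user":"nurse.e","role":"nurse","patient":"MRN-3003","reason":""}
{"ts":"2012-01-10T09:30:22","user":"clerk.c","role":"clerk","patient":"MRN-1001","reason":""}
"""


def parse_audit_log(text):
    """Parse JSON-lines audit records; skip blank or malformed lines instead of
    aborting the whole review on one bad line."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def review_access(events, watchlist=WATCHLIST):
    """Return one finding per access to a watch-listed record.

    Every access to a flagged record is reported (the article's "all access is
    reported"); an access with no documented reason is escalated. Accesses to
    records outside the watch list are out of scope here, which is exactly the
    gap a treatment-relationship check has to cover separately (see nurse.e).
    """
    findings = []
    for e in events:
        mrn = e.get("patient")
        if mrn not in watchlist:
            continue
        reason = (e.get("reason") or "").strip()
        if reason:
            severity, note = "report", "flagged record opened, reason documented"
        else:
            severity, note = "escalate", "flagged record opened without documented reason"
        findings.append({
            "ts": e.get("ts"), "user": e.get("user"), "patient": mrn,
            "why_flagged": watchlist[mrn], "severity": severity, "note": note,
        })
    return findings


def repeat_offenders(findings, threshold=2):
    """Users with `threshold` or more escalated accesses: the pattern that
    warrants a conversation rather than another automated report."""
    counts = Counter(f["user"] for f in findings if f["severity"] == "escalate")
    return {user for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = review_access(parse_audit_log(SAMPLE_LOG))
    for f in found:
        print(f["ts"], f["severity"].upper(), f["user"], f["patient"], "-", f["note"])
    print("repeat offenders:", sorted(repeat_offenders(found)))
```

The watch-list approach catches the celebrity case but not the everyday snooping Feinberg describes (a nurse reading a colleague's record), because only 700 of the records are flagged; the `nurse.e` line in the constructed log opens an unflagged record with no reason and produces no finding. Covering that requires comparing each access against a treatment relationship (admission, order, schedule) rather than a fixed list.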

The staff at UCLAHS is 85% unionized, and Feinberg says the union has been extremely supportive about the culture change and the punishment meted out for infractions. Feinberg also leveled the playing field so that if a physician acts inappropriately with records, the course of investigation and punishment is as equal as possible when compared to a staff member.

The culture at UCLAHS today is totally different regarding patient privacy, Feinberg says. Employees and physicians now have high respect for the privacy of records and routinely self-report possible violations—almost always minor, inadvertent transgressions—and they monitor each other closely. If an employee walks away from a computer monitor and leaves a patient record on the screen, others are likely to call the person on that error and suggest closing the document, Feinberg says, even though the computer will automatically log off after a short time.

Everyone is on high alert for privacy violations now, and looking over someone's shoulder at a computer screen is likely to result in a polite rebuke, the CEO says.

"Boy, are we in a different place than we were four years ago," Feinberg says. "The key was using what really was sloppiness to improve our culture."

The improvement is evident in the C-suite simply from the time now spent on privacy breaches. In the first months after the scandal broke, senior leaders regularly attended meetings that went on for hours discussing dozens of transgressions and the resulting disciplinary action, Feinberg says.

"Now we meet once a month at the highest level and go over our breaches, and if we don't cancel the meeting because there's nothing to discuss, they're pretty boring right now. A typical issue would be someone in medical records put one person's fax with another person's and it was sent internally," he says. "The intentional breach really doesn't happen here like it used to."

Feinberg notes, however, that an intentional violation of privacy is not the only threat or even the biggest. UCLAHS is currently investigating a case in which an employee's laptop computer was stolen in a home invasion robbery.

At first UCLAHS leaders breathed a sigh of relief when they learned that the patient data on the laptop was encrypted. "But they also stole a list of passwords to the encryption," Feinberg says. "It almost never ends as we move toward more electronic medical records. They can be very, very difficult to secure because stuff like that happens. You can never let your guard down."

That is the kind of breach that is always on the mind of someone like Mark Moroses, chief information officer of Continuum Health Partners in New York City, which includes several major hospitals in the city (Beth Israel Medical Center, St. Luke's-Roosevelt Hospital, and the New York Eye and Ear Infirmary). Continuum has not suffered any significant breaches of PHI, but it employs a number of defenses including the protection of VIP patient records similar to UCLAHS's monitoring efforts. Those records include celebrity patients, but also hospital executives or anyone in the news because of a crime or noteworthy accident, he explains.

"We have a two-strike policy. The first time they get counseled and trained again in the HIPAA regulations, and they have to sign a statement that they understand the privacy protections," Moroses says. "The second time can lead to termination."

Continuum hasn't had to terminate anyone yet for violating HIPAA privacy rules, he says, because staff clearly understand not only that complying with HIPAA is the right thing to do, but also that their employer is monitoring them closely. The health system also was an early adopter of data loss prevention (DLP) technology, a set of information security tools intended to stop users from sending sensitive or critical information outside of the corporate network.

"It looks at every frame going in and out of the Internet and searches for a combination of PHI—Social Security number, address, ZIP code, name—and will flag it with a report saying this looks like PHI,  and then you can investigate what happened," Moroses says.

The beauty of a DLP system is that it shows you what actually happens with PHI, which might not be what your tech professionals expected. The tech experts may think they have plugged every potential hole in the system, every way that PHI could leave without authorization, but DLP will reveal that the information is still leaking out and allow you to trace the origin, Moroses says.
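The inspection Moroses describes, looking for a combination of identifiers rather than any one of them, is a content-classification rule. Below is an added example of such a rule, not Continuum's DLP product or its configuration; the regular expressions, the scoring policy, the clinical vocabulary and the three sample messages are all constructed, and the example assumes the message text has already been extracted from the traffic (a network DLP sees the inside of TLS or otherwise encrypted connections only where it terminates or intercepts them).

```python
"""Added example: DLP-style content inspection for PHI-looking identifier
combinations in outbound messages. Not Continuum's code; data is constructed."""
import re

# Identifier patterns (constructed, deliberately simple). SSN excludes areas
# 000/666/9xx, group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
MRN_RE = re.compile(r"\bMRN[-: ]?\d{4,}\b", re.IGNORECASE)
DOB_RE = re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")
ZIP_RE = re.compile(r"\b\d{5}(?:-\d{4})?\b")
STREET_RE = re.compile(r"\b\d{1,5}\s+[A-Z][a-z]+\s+(?:St|Ave|Rd|Blvd|Dr)\.?\b")
# Clinical vocabulary: identifiers plus one of these look like PHI rather than,
# say, an HR or billing message.
CLINICAL_TERMS = ("patient", "diagnosis", "dx ", "admitted", "discharge",
                  "prescribed", "lab result")

# Constructed sample messages as a mail or web-upload DLP hook might hand them over.
SAMPLES = [
    ("msg-1", "Pt John Doe, DOB 03/14/1961, MRN-44821, admitted 1/9 with dx pneumonia. "
              "SSN 123-45-6789. Address 12 Oak St, 90095."),
    ("msg-2", "Reminder: staff meeting Thursday at 2pm in conference room B. Agenda attached."),
    ("msg-3", "Patient discharged 1/10/2012, follow up at 4500 Wilshire Blvd, 90010."),
]


def phi_indicators(text):
    """Return the set of identifier classes present in the text."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    if MRN_RE.search(text):
        found.add("mrn")
    if DOB_RE.search(text):
        found.add("dob")
    if ZIP_RE.search(text):
        found.add("zip")
    if STREET_RE.search(text):
        found.add("street_address")
    lowered = text.lower()
    if any(term in lowered for term in CLINICAL_TERMS):
        found.add("clinical")
    return found


def classify(text):
    """Constructed policy: one strong identifier (SSN or MRN) flags the message
    outright; otherwise two or more weak identifiers plus a clinical term do.
    Returns (flagged, indicators)."""
    indicators = phi_indicators(text)
    strong = indicators & {"ssn", "mrn"}
    weak = indicators & {"dob", "zip", "street_address"}
    flagged = bool(strong) or (len(weak) >= 2 and "clinical" in indicators)
    return flagged, indicators


def redact(text):
    """Mask SSNs before the text goes into an alert, so the DLP report itself
    does not become a second copy of the PHI."""
    return SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], text)


def scan(messages):
    """Classify each (id, text) pair and return report rows with redacted text."""
    rows = []
    for msg_id, text in messages:
        flagged, indicators = classify(text)
        rows.append({"id": msg_id, "flagged": flagged,
                     "indicators": sorted(indicators), "redacted": redact(text)})
    return rows


if __name__ == "__main__":
    for row in scan(SAMPLES):
        status = "FLAG" if row["flagged"] else "pass"
        print(f"{row['id']}: {status} {row['indicators']}\n    {row['redacted']}")
```

Two things this constructed policy makes visible. First, the combination rule is what keeps the noise down: a ZIP code or a date alone is everywhere in legitimate traffic, and only the co-occurrence with clinical wording makes msg-3 worth a look (its date is a discharge date, not a birth date, so even that hit is a heuristic). Second, the alert must not re-leak what it detected, which is why the report carries `redact()` output and never the raw SSN.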

Other technological defenses include encrypting all mobile devices and ensuring that the computer system clears the cache after PHI is viewed, Moroses says. As mobile devices use more and more applications for data transfer and storage, providers face a constant challenge to keep defensive technology up to date, he says. The biggest fear these days is the loss of mobile devices, Moroses says. "It's not some criminal hacking into your system; it's somebody leaving a laptop on the train or the bus."

Continuum uses whole disk encryption on its laptops with PHI, but all the technological solutions rely on a culture that respects privacy, Moroses says.

"It's not a lot of money or something you can't afford," Moroses says. "It really comes down to discipline and a dialogue with the clinical community."




Greg Freeman is a contributing writer for HealthLeaders Media.
