The court of public opinion may hold more sway than the court of law as country music singer Garth Brooks is slated to take the stand Monday morning for a second day of testimony in his lawsuit against Oklahoma's largest health care system. Brooks claims he anonymously donated $500,000 in December 2005 because he had a deal with Yukon hospital president James Moore to build a women's center that would honor his mother, who died of cancer in 1999. Moore previously testified that he did not discuss such a deal with Brooks.
St. John's Medical Center acting CEO John Kren was charged with DUI earlier this month after allegedly flipping his truck and later being arrested in the hospital's emergency room. According to the probable cause statement by Teton County Sheriff's Deputy Aaron Dunlap filed Jan. 17 in 9th Circuit Court, Kren, 45, lost control of his Chevrolet pickup truck shortly after 9 p.m. Jan. 13.
This article appears in the January 2012 issue of HealthLeaders magazine.
You pick up the phone and someone tells you that a laptop containing thousands of patient files was left behind on the morning train. Or you learn that your own employees have been snooping into sensitive patient records for fun and profit. Or you discover that, for some odd reason, patient records have been posted on a completely unrelated public website for anyone to see, and they've been there for nearly a year.
Each of these scenarios has played out for some unfortunate healthcare executive, and they hold lessons in how to avoid such disasters, plus the best way to respond to such a crisis. Some of the most notorious HIPAA violations occurred within the UCLA Health System at the UCLA Medical Center, where singer Britney Spears was hospitalized in early 2008. After the Los Angeles Times reported that employees had been caught perusing Spears' records with no legitimate reason, the hospital confirmed the HIPAA violations, fired 13 employees, and took disciplinary action against others. It also suspended six physicians.
David Feinberg, MD, MBA, who became CEO for UCLAHS in 2007, says that the experience was a wake-up call for the health system, and that conditions have changed dramatically since then.
"It definitely was a crisis that we turned into a great opportunity," says Feinberg. "We had a very, very lax culture around privacy, and because we happened to treat an A-list of celebrities, it got national attention. But the reality was we were sloppy not only with celebrities, but also with a nurse looking at another nurse's records to see if she was really sick yesterday. That was our culture."
When the Spears case and other alleged violations came to light, the health system disclosed in April 2008 that it had discovered that several employees had snooped into the patient records of dozens of celebrities, including Spears, Tom Cruise, and Maria Shriver.
In response, the California legislature passed a law that imposed escalating fines on hospitals for patient privacy breaches, and the state fined UCLAHS $95,000 in 2009. One employee was indicted for selling protected health information to the National Enquirer, Feinberg says.
The Office for Civil Rights launched an investigation in 2009 and determined that, from 2005 to 2008, "unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients," according to an OCR press release. OCR announced recently that the UCLA Health System has agreed to settle its investigation into the incident for $865,500 and also to commit to a corrective action plan aimed at remedying gaps in its HIPAA compliance. This plan requires the implementation of privacy and security policies and procedures approved by OCR, "regular and robust" training for all UCLAHS employees who use PHI, sanctioning of offending employees, and an independent monitor who will assess UCLAHS compliance with the plan over three years.
Feinberg readily admits that the UCLAHS culture of several years ago did not include sufficient respect for patient privacy, but he also says that UCLAHS was not that different from other healthcare systems at that time. Respect for patient privacy has improved greatly throughout the healthcare community, partly as a result of privacy breaches that received national attention and resulted in people losing their jobs, he says.
Coming down hard on the employees who violated patient privacy sent a strong message to staff, he says.
"It was clear that we were going to use this incident as an opportunity to become a leader in patient privacy," Feinberg says. "Not only did we do some technological fixes, but more importantly, we made a statement to ourselves internally that this would not be tolerated, and we cleaned house. We get the same kind of celebrities now, and nobody looks."
UCLAHS implemented a number of technological improvements, including the active monitoring of about 700 cases considered at risk for inappropriate access, so that all access is reported to network administrators and upper management. Anytime one of those records is opened, the user is asked to document specifically why. Those tech solutions are important, Feinberg says, but the culture change was by far the most important improvement.
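The monitoring described above, where every open of a flagged record is reported and the user must state a reason, is easy to express over an access audit trail. The following is an added example, not UCLAHS's own system: the watch list, user ids, record ids and audit events are all constructed for illustration.

```python
"""Access monitoring for patient records flagged as at risk of inappropriate access.

Added example (not UCLAHS's own code). Every open of a flagged record is
reported; an open with no documented reason is queued for privacy review.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str   # ISO-8601 time the record was opened
    user: str        # hypothetical user id
    record_id: str   # hypothetical medical record number
    reason: str      # justification entered at open time; "" when none was given


# Constructed: records the privacy office has placed on the at-risk watch list.
FLAGGED_RECORDS = frozenset({"MRN-1001", "MRN-1002"})

# Constructed sample audit trail; not real log data.
SAMPLE_EVENTS = [
    AccessEvent("2012-01-09T08:02:00", "nurse_a", "MRN-2000", ""),
    AccessEvent("2012-01-09T08:05:00", "nurse_b", "MRN-1001", "Attending RN, medication administration"),
    AccessEvent("2012-01-09T12:40:00", "clerk_c", "MRN-1001", ""),
    AccessEvent("2012-01-09T13:10:00", "clerk_c", "MRN-1002", ""),
    AccessEvent("2012-01-09T13:12:00", "dr_d", "MRN-1002", "Consult requested by attending"),
]


def flagged_accesses(events: Iterable[AccessEvent], flagged=FLAGGED_RECORDS) -> List[AccessEvent]:
    """Every open of a watch-listed record is reported, justified or not."""
    return [e for e in events if e.record_id in flagged]


def unjustified_accesses(events: Iterable[AccessEvent], flagged=FLAGGED_RECORDS) -> List[AccessEvent]:
    """Opens of watch-listed records where the user documented no reason."""
    return [e for e in flagged_accesses(events, flagged) if not e.reason.strip()]


def repeat_offenders(events: Iterable[AccessEvent], flagged=FLAGGED_RECORDS, threshold: int = 2) -> List[str]:
    """Users with `threshold` or more undocumented opens of watch-listed records."""
    counts = Counter(e.user for e in unjustified_accesses(events, flagged))
    return sorted(user for user, n in counts.items() if n >= threshold)


def report(events: Iterable[AccessEvent], flagged=FLAGGED_RECORDS) -> str:
    """Human-readable digest for the administrators and executives who receive it."""
    lines = []
    for e in flagged_accesses(events, flagged):
        status = "JUSTIFIED" if e.reason.strip() else "REVIEW"
        lines.append(f"{e.timestamp} {status:9} {e.user} opened {e.record_id}: "
                     f"{e.reason or '(no reason documented)'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EVENTS))
    print("repeat offenders:", repeat_offenders(SAMPLE_EVENTS))
```

The ordinary record (MRN-2000) never appears in the report; only watch-listed records are surfaced, which keeps the review queue short enough for leadership to actually read, as the article's monthly meeting suggests.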
The staff at UCLAHS is 85% unionized, and Feinberg says the union has been extremely supportive about the culture change and the punishment meted out for infractions. Feinberg also leveled the playing field, so that a physician who misuses records faces, as nearly as possible, the same investigation and punishment as a staff member would.
The culture at UCLAHS today is totally different regarding patient privacy, Feinberg says. Employees and physicians now have high respect for the privacy of records and routinely self-report possible violations—almost always minor, inadvertent transgressions—and they monitor each other closely. If an employee walks away from a computer monitor and leaves a patient record on the screen, others are likely to call the person on that error and suggest closing the document, Feinberg says, even though the computer will automatically log off after a short time.
Everyone is on high alert for privacy violations now, and looking over someone's shoulder at a computer screen is likely to result in a polite rebuke, the CEO says.
"Boy, are we in a different place than we were four years ago," Feinberg says. "The key was using what really was sloppiness to improve our culture."
The improvement has been evident in the C-suite just from the time spent on security breaches. In the first months after the scandal broke, senior leaders regularly attended meetings that went on for hours discussing dozens of transgressions and the resulting disciplinary action, Feinberg says.
"Now we meet once a month at the highest level and go over our breaches, and if we don't cancel the meeting because there's nothing to discuss, they're pretty boring right now. A typical issue would be someone in medical records put one person's fax with another person's and it was sent internally," he says. "The intentional breach really doesn't happen here like it used to."
Feinberg notes, however, that an intentional violation of privacy is not the only threat or even the biggest. UCLAHS is currently investigating a case in which an employee's laptop computer was stolen in a home invasion robbery.
At first UCLAHS leaders breathed a sigh of relief when they learned that the patient data on the laptop was encrypted. "But they also stole a list of passwords to the encryption," Feinberg says. "It almost never ends as we move toward more electronic medical records. They can be very, very difficult to secure because stuff like that happens. You can never let your guard down."
That is the kind of breach that is always on the mind of someone like Mark Moroses, chief information officer of Continuum Health Partners in New York City, which includes several major hospitals in the city (Beth Israel Medical Center, St. Luke's-Roosevelt Hospital, and the New York Eye and Ear Infirmary). Continuum has not suffered any significant breaches of PHI, but it employs a number of defenses, including protection of VIP patient records similar to UCLAHS's monitoring efforts. Those records include celebrity patients, but also hospital executives or anyone in the news because of a crime or noteworthy accident, he explains.
"We have a two-strike policy. The first time they get counseled and trained again in the HIPAA regulations, and they have to sign a statement that they understand the privacy protections," Moroses says. "The second time can lead to termination."
Continuum hasn't had to terminate anyone yet for violating HIPAA privacy rules, he says, because staff clearly understand not only that complying with HIPAA is the right thing to do, but also that their employer is monitoring them closely. The health system also was an early adopter of data loss prevention (DLP) technology, a set of information security tools intended to stop users from sending sensitive or critical information outside of the corporate network.
"It looks at every frame going in and out of the Internet and searches for a combination of PHI—Social Security number, address, ZIP code, name—and will flag it with a report saying this looks like PHI, and then you can investigate what happened," Moroses says.
The beauty of a DLP system is that it shows you what actually happens with PHI, which might not be what your tech professionals expected. The tech experts may think they have plugged every potential hole in the system, every way that PHI could leave without authorization, but DLP will reveal that the information is still leaking out and allow you to trace the origin, Moroses says.
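The detection logic Moroses describes, looking for a combination of PHI indicators rather than any one of them, can be sketched in a few dozen lines. The following is an added example, not Continuum's DLP product or any vendor's code: the patient roster, the address and ZIP patterns, and the outbound messages are constructed, and a real deployment would fingerprint the EHR's patient index rather than use a hard-coded name list.

```python
"""Content inspection in the style of a DLP filter for PHI.

Added example (not Continuum's system). A message is flagged only when two or
more distinct indicator types occur together; a lone ZIP code is noise.
"""
import re
from typing import Dict, List, Sequence, Tuple

# Constructed: a patient roster standing in for a fingerprint of the EHR index.
PATIENT_NAMES: Sequence[str] = ("Jane Doe", "John Roe")

# Constructed: outbound messages of the kind an egress proxy would inspect.
SAMPLE_MESSAGES: List[Tuple[str, str]] = [
    ("msg-1", "Lunch at noon? The cafeteria is on 12 Main Street."),
    ("msg-2", "Jane Doe, SSN 123-45-6789, 45 Oak Avenue, Springfield 62704, discharge summary attached."),
    ("msg-3", "Reminder: ZIP 90095 is the campus code."),
    ("msg-4", "Please update John Roe's file, he moved to 9 Elm Road."),
]

# Indicator patterns (simplified; US formats only).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
ZIP_RE = re.compile(r"\b\d{5}(?:-\d{4})?\b")
ADDRESS_RE = re.compile(
    r"\b\d{1,5}\s+[A-Z][a-z]+(?:\s[A-Z][a-z]+)*\s(?:Street|St|Avenue|Ave|Road|Rd|Boulevard|Blvd)\b"
)


def indicators(text: str, roster: Sequence[str] = PATIENT_NAMES) -> Dict[str, List[str]]:
    """Return each PHI indicator type present in `text` with the substrings that matched."""
    found: Dict[str, List[str]] = {}
    if m := SSN_RE.findall(text):
        found["ssn"] = m
    if m := ZIP_RE.findall(text):
        found["zip"] = m
    if m := ADDRESS_RE.findall(text):
        found["address"] = m
    lowered = text.lower()
    names = [n for n in roster if n.lower() in lowered]
    if names:
        found["name"] = names
    return found


def is_phi(text: str, min_types: int = 2) -> bool:
    """Flag when at least `min_types` different indicator types co-occur."""
    return len(indicators(text)) >= min_types


def scan(messages: Sequence[Tuple[str, str]], min_types: int = 2) -> List[Tuple[str, List[str]]]:
    """Ids of messages that look like PHI, each with the indicator types seen (for the investigator)."""
    return [(mid, sorted(indicators(body))) for mid, body in messages if is_phi(body, min_types)]


if __name__ == "__main__":
    for mid, kinds in scan(SAMPLE_MESSAGES):
        print(f"{mid}: looks like PHI ({', '.join(kinds)}); investigate")
```

Raising `min_types` trades recall for fewer false positives; the report lists which indicator types fired so the investigator can see why a message was stopped, which is the "then you can investigate what happened" step Moroses describes.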
Other technological defenses include encrypting all mobile devices and ensuring that the computer system clears the cache after PHI is viewed, Moroses says. As mobile devices use more and more applications for data transfer and storage, providers face a constant challenge to keep defensive technology up to date, he says. The biggest fear these days is the loss of mobile devices, Moroses says. "It's not some criminal hacking into your system; it's somebody leaving a laptop on the train or the bus."
Continuum uses whole disk encryption on its laptops with PHI, but all the technological solutions rely on a culture that respects privacy, Moroses says.
"It's not a lot of money or something you can't afford," Moroses says. "It really comes down to discipline and a dialogue with the clinical community."
Greg Freeman is a contributing writer for HealthLeaders Media.
Dr. Olushola J. Metiko is paid $201,000 a year as a top administrator at the state Central Prison Regional Medical Center, where he treats patients, oversees patient care and helps manage a facility that recently underwent a major expansion. It is a full-time job with on-call duty and patients—convicted felons—who bring their own special challenges. But Metiko has found the time to perform a second state job, making roughly $50,000 a year reviewing thousands of cases to help determine whether North Carolina drivers should be taken off the road for health reasons that could make them a risk to themselves or other motorists.
Stan Moser became the new chief executive officer of Bozeman Deaconess Health Services on Jan. 1 after a nationwide search and selection process by the hospital's board of trustees. Moser joined BDHS as chief administrative officer in 2010. Over his 25 years of experience in healthcare, Moser directed financial and risk management operations for Mount Kisco Medical Group and spent five years as chief financial officer at Billings Clinic. Moser also served as chief financial officer at non-profit hospitals in California and Washington.
Maureen A. Bryant has been named President and Chief Executive Officer of Provena Mercy Medical Center, Aurora, effective February 6, 2012. Bryant's healthcare career has included more than 24 years in executive leadership positions for hospitals primarily located on the east coast. Her most recent experience has been at Morton Hospital and Medical Center in Massachusetts where she spent two years as the President and CEO and 10 years as the Executive Vice President and Chief Operating Officer. Prior to joining Morton Hospital and Medical Center, Bryant was the Executive Vice President and Chief Administrative Officer at Albany Medical Center in New York for three years.