There's one message Dena Boggan, CPC, CMC, CCP, a privacy and security officer in Mississippi, wants to get across during her HIPAA training: "I tell my employees if they don't remember anything else about HIPAA, remember this -- only access that information which you need to do your job. Period. I tell them if they follow that one simple rule, they'll do just fine."
Some healthcare employees just can't help themselves lately, especially when high-profile patients occupy their hospital beds.
Two hospitals have fired employees over the past month because they determined they inappropriately accessed patient records. In other words, the employees snooped around – and not for reasons related to treatment, payment, or healthcare operations – the three pillars upon which HIPAA allows healthcare workers to look at patient records.
Last month, University Medical Center in Tucson fired three clinical support staff members and a contracted nurse for "inappropriately accessing confidential medical records," the hospital reported on its website.
The records were related to the shootings at a Tucson supermarket that killed six and wounded 13 -- including U.S. Rep. Gabrielle Giffords (D-AZ).
This month, the University of Iowa Hospitals and Clinics in Iowa City fired three employees and placed another two on unpaid leave after the hospital learned they inappropriately accessed the electronic medical records of 13 University of Iowa football players.
The fallout is simple: People lost jobs, hospitals' reputations took hits, and the healthcare industry as a whole gets another demerit for lack of privacy controls. The best thing hospitals can do in these situations is learn from it. And that's what Boggan does.
The HIPAA compliance officer at St. Dominic Jackson Memorial Hospital in Jackson, MS, calls the latest snooping incidents "great training tools in the form of reminders. It also gets our employees thinking about the consequences of snooping in records, so we roll these out in our weekly HIPAA tips to all employees, as well as our physicians."
Nancy Davis, the privacy/security officer for Ministry Health Care in Sturgeon Bay, WI, feels the same.
"When these types of stories are published, we unofficially circulate (in-house) and privacy and security networking groups," Davis says. "We will also use this as an example in our next quarterly staff update."
The only fight trainers will always lose is the battle to curiosity. People want to nose into other peoples' business, especially when it comes to high-profile cases like the ones in Arizona and Iowa. Sometimes, they even get paid for that information.
The good news is hospitals are beginning to crack down. Last May, Huping Zhou, 47, of Los Angeles became the first person sentenced to prison for misdemeanor HIPAA offenses for accessing confidential records without a valid reason or authorization, according to the U.S. Attorney's Office in the Central District of California.
United States Magistrate Judge Andrew J. Wistrich sentenced Zhou, a former UCLA Healthcare System employee who admitted snooping at patients' records, to four months in prison.
A federal judge on October 26, 2009, sentenced a doctor and two former hospital employees to a year's probation; they admitted to snooping at the records of Little Rock, AK, TV reporter Anne Pressly, who was murdered. Pressly was found severely beaten in her Little Rock home on October 20, 2008, and died five days later.
Back then, U.S. Attorney Jane Duke said in a statement she hoped the Little Rock snooping sentencings "send the message that the HIPAA protections apply to every person in the community, regardless of their position or stature. Likewise, the penalties for violating HIPAA apply equally to every person with access to protected health information."
The bottom line, Boggan says, is HIPAA and HITECH regulations are "serious business, and there for a reason. It amazes me how this continues to be a problem, but it is human nature to be curious about things of which we have no business."
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.