
What would you do if you discovered an employee in your organization was violating your patients’ privacy rights?

It’s happening more frequently, as the portability and availability of Electronic Health Records (EHRs) have made it easier for medical professionals and staff to violate HIPAA laws. Despite legally mandated protections of patient information, there has been a sharp increase – and resulting uproar – in the improper viewing and misuse of patients’ protected health information.

  • Earlier this year, the University Medical Center in Tucson, AZ fired three support staff members who inappropriately accessed confidential EHRs.
  • In late 2010, the Mayo Clinic in Rochester, MN terminated two medical professionals, including a physician, who did the same.
  • In 2009, a federal judge in Little Rock, AR sentenced a doctor and two former hospital employees to a year’s probation after they admitted to accessing the records of a well-known patient.
  • The UCLA Medical Center has had to take action against more than 100 employees who improperly accessed the medical records of celebrity patients. One of those people was indicted and sentenced to four months in prison.

Unauthorized access to patient records by those not directly involved in treatment is a violation of the HIPAA privacy rule. The HITECH Act, part of the American Recovery and Reinvestment Act of 2009, increases the penalties for violations. It strengthens civil and criminal enforcement of the HIPAA privacy rules that restrict and regulate the use and disclosure of protected health information (PHI), and it widens the scope of legal liability for those who are non-compliant.

Given these penalties, health information security and privacy experts agree that healthcare employers and facilities need to protect themselves and take a strict approach by:

  • Ensuring their policies, procedures and training regarding patient privacy are up to date and include discussion of EHRs
  • Blocking access to EHRs for employees who do not need to see them
  • Setting up oversight of EHR access with both technical and manual auditing
  • Enforcing strict penalties for those who are caught snooping, including termination

As former U.S. Attorney Jane Duke of Arkansas said at the time of the Little Rock sentencings, “HIPAA protections apply to every person in the community, regardless of their position or stature. Likewise, the penalties for violating HIPAA apply equally to every person with access to protected health information.”

If you have any questions or would like to discuss how other healthcare facilities are dealing with issues related to PHI privacy, please contact Morgan Hunter HealthSearch today.
