Mikael Grondahl

HIPAA: The Importance of Your Privacy – Part 1

If you have been to a doctor’s office or a hospital within the last decade, you have probably noticed that, unless you’re in a very rural area of the world, you rarely see anyone handling paper journals or records anymore. They log on to the terminal in the visiting room, fill out your information and check your records. And you wouldn’t expect anything less, since we do live in a digitalized world, right?

But how do we know that their systems are safe and secure, and that your medical records don’t become accessible to whoever works there? Access should be on a need-to-know basis, and Dr. von Peeksalot does not need to know anything about your medical history, or any other personal information for that matter, because you’re not his patient.

There have been numerous incidents where social security numbers and medical records were compromised and readily available to people who shouldn’t have access to them. Some of these were due to a lack of training, or to not having or not following proper procedures; others were due to plain poor judgment and acute integrity deficiency disorder.

In quite a few cases, unencrypted laptops, and even USB memory sticks, containing electronic Protected Health Information (ePHI) have been stolen from cars while the good doctor, or health insurance agent, was at the movie theater, having an after-work beer, getting their nails done, or whatever else they were busy doing while your information was sitting there unencrypted and up for grabs by the closest criminal.

There are even cases where medical records have been posted on social media by hospital employees, I assume just to get a smiley from their nerdy social media “friends”, but I don’t think anyone would be very amused if the medical records were their own.

There is a law in place meant to protect our Protected Health Information and privacy. That doesn’t mean that all organizations or employees follow these laws and regulations, just like with any other law or regulation, but it is being enforced heavily these days, and the fines are nothing to laugh about…

This law is named HIPAA, and I would recommend you abide by it, unless you’re looking for that job handing out books in prison, or just want to make sure you and your colleagues are forced to find new jobs, which I’m quite sure wouldn’t make you pen pals for life…

A few examples of people who didn’t abide by it – AKA That was a very bad idea

HHS settles with health plan in photocopier breach case
Under a settlement with the U.S. Department of Health and Human Services (HHS), Affinity Health Plan, Inc. settled potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules for $1,215,780.  Affinity Health Plan is a not-for-profit managed care plan serving the New York metropolitan area.

Affinity filed a breach report with the HHS Office for Civil Rights (OCR) on April 15, 2010, as required by the Health Information Technology for Economic and Clinical Health, or HITECH Act. The HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured protected health information.  Affinity indicated that it was informed by a representative of CBS Evening News that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity.  CBS informed Affinity that the copier that Affinity had used contained confidential medical information on the hard drive.

Affinity estimated that up to 344,579 individuals may have been affected by this breach. OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives.  In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information (ePHI) stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule and failed to implement policies and procedures when returning the photocopiers to its leasing agents.

In addition to the $1,215,780 payment, the settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI.

Hospital employee allegedly makes fun of patient’s medical condition on Facebook; officials investigating
Providence Holy Cross Medical Center officials are investigating an employee who allegedly posted a patient’s medical information on his Facebook page, apparently to make fun of the woman and her medical condition.

The employee displayed a photo of a medical record listing the woman’s name and the date she was admitted and posted the comment: “Funny but this patient came in to cure her VD and get birth control.”

On the Facebook page, the employee is scolded by some posters, who tell him he is violating the woman’s privacy, as well as the federal law known as HIPAA or the Health Insurance Portability and Accountability Act of 1996.

But he defends the posting and insists he will leave it up, writing: “People, it’s just Facebook…Not reality. Hello? Again…It’s just a name out of millions and millions of names. If some people can’t appreciate my humor than tough. And if you don’t like it too bad because it’s my wall and I’ll post what I want to. Cheers!”

Such postings may grow increasingly common, as medical files move from paper to electronic, exposing personal information to companies for marketing purposes, said Doug Heller, executive director for Consumer Watchdog, a Santa Monica-based organization that helped expose how health care companies were denying patient coverage based on pre-existing health conditions.

Only about a third of all hospitals are believed to have specific policies in place regarding patient information and social media sites, such as Facebook and Twitter, according to published reports. The issue has become an increasing challenge, because so many workers who view health information are also using the Internet day-to-day and could easily violate HIPAA laws, some health experts say. Last year, five nurses in Oceanside were fired after allegedly discussing patients on Facebook.

Californian Sentenced to Prison for HIPAA Violation
A former UCLA Health System employee became the first person in the nation to be sentenced to federal prison for violating HIPAA.

Huping Zhou, 47, of Los Angeles, was sentenced to four months in prison on April 27 after pleading guilty in January to four misdemeanor counts of accessing and reading the confidential medical records of his supervisors and high-profile celebrities, according to the U.S. Attorney’s Office for the Central District of California. Zhou was also fined $2,000.

In 2003, Zhou, who was a licensed cardiothoracic surgeon in China before immigrating to the US, was employed as a researcher with the UCLA School of Medicine.

On October 29, 2003, Zhou received notice that UCLA intended to dismiss him for job performance reasons unrelated to the illegal access of medical records. That night, Zhou accessed and read his immediate supervisor’s medical records as well as those of other coworkers.

Over the next three weeks, Zhou abused his access to the organization’s electronic health record system to view the medical records of celebrities and high-profile patients, including Drew Barrymore, Arnold Schwarzenegger, Tom Hanks, and Leonardo DiCaprio.

According to court documents, Zhou accessed the UCLA record system 323 times during the three-week period. In the plea agreement, Zhou admitted he obtained and read patient health information on four specific occasions — with no legitimate reason, medical or otherwise — after he was terminated from his job.

Zhou did not improperly use or attempt to sell any of the information he illegally accessed, according to the press release. In January Zhou’s attorney Edward Robinson was quoted in the UCLA student newspaper The Daily Bruin saying Zhou did not know that accessing the records was a federal crime.
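The Zhou case is essentially an audit-trail story: an account that should never have touched those records viewed them hundreds of times, including after the employment relationship had ended, and nobody noticed until much later. The following is an added example, not part of the original post and not Cygna Auditor’s or any EHR vendor’s code, of the kind of access review the need-to-know point above calls for. It runs over a few constructed audit log lines and flags two things: record views by an account whose termination date has passed, and views of patients the user has no care relationship with. The log format, the HR roster, the care-team table, the user names and the dates are all assumptions made up for the illustration.

```python
"""
Added example (not from the original post): a minimal ePHI access review.

Flags two access patterns a HIPAA audit-controls review cares about:
  1. record views by an account after its termination date, and
  2. views of patients the user has no documented care relationship with.

Everything below (log format, roster, care-team table, users, dates) is
constructed for illustration and does not reflect any real system's schema.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed HR roster: user -> termination date (None = still employed).
HR_ROSTER: Dict[str, Optional[datetime]] = {
    "researcher01": datetime(2003, 11, 1),   # hypothetical termination date
    "nurse_rn_07": None,
}

# Constructed care-team table: which patients each user legitimately treats.
# A research role has no patients of its own, so every view is suspect.
CARE_TEAM: Dict[str, Set[str]] = {
    "researcher01": set(),
    "nurse_rn_07": {"P-1001", "P-1002"},
}

# Constructed audit log, one event per line: timestamp|user|action|patient_id
AUDIT_LOG = """\
2003-10-29T22:14:03|researcher01|VIEW|P-2001
2003-10-29T22:16:41|researcher01|VIEW|P-2002
2003-11-05T09:02:10|researcher01|VIEW|P-3001
2003-11-05T09:05:55|researcher01|VIEW|P-3002
2003-11-05T10:30:00|nurse_rn_07|VIEW|P-1001
2003-11-05T10:31:12|nurse_rn_07|VIEW|P-2001
"""


@dataclass
class AccessEvent:
    timestamp: datetime
    user: str
    action: str
    patient_id: str


@dataclass
class Finding:
    event: AccessEvent
    reasons: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the constructed pipe-delimited format, skipping blank lines."""
    events: List[AccessEvent] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, action, patient_id = line.split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, action, patient_id))
    return events


def review_access(events: List[AccessEvent],
                  roster: Dict[str, Optional[datetime]],
                  care_team: Dict[str, Set[str]]) -> List[Finding]:
    """Return one Finding per event that violates at least one rule.

    An event can carry several reasons: a post-termination view of a patient
    the user never treated is flagged for both.
    """
    findings: List[Finding] = []
    for ev in events:
        reasons: List[str] = []
        if ev.user not in roster:
            reasons.append("unknown account")
        else:
            term = roster[ev.user]
            if term is not None and ev.timestamp >= term:
                reasons.append("post-termination access")
        if ev.patient_id not in care_team.get(ev.user, set()):
            reasons.append("no care relationship")
        if reasons:
            findings.append(Finding(ev, reasons))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Count findings per user and reason, which is what an auditor reads first."""
    summary: Dict[str, Dict[str, int]] = {}
    for f in findings:
        per_user = summary.setdefault(f.event.user, {})
        for r in f.reasons:
            per_user[r] = per_user.get(r, 0) + 1
    return summary


if __name__ == "__main__":
    found = review_access(parse_log(AUDIT_LOG), HR_ROSTER, CARE_TEAM)
    for f in found:
        print(f.event.timestamp.isoformat(), f.event.user,
              f.event.patient_id, "; ".join(f.reasons))
    print(summarize(found))
```

Two design points are worth noting. The termination check is only as good as the feed from HR: if the roster is not updated the day an account is off-boarded, the rule is blind for exactly the window that mattered in the Zhou case, so the account should also be disabled, not just watched. The care-relationship check needs a source of truth (scheduling, admission or care-team assignments) and a documented exception path for legitimate emergency access; without one, the review drowns in false positives and gets ignored.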

In the next HIPAA blog, I will give you an overview of the law, so stay tuned…

To find out how Cygna Auditor can help you with staying compliant, please visit our HIPAA Compliance page.