HIPAA, enacted in 1996 by then-President Bill Clinton, was designed to set minimum standards and guidelines for the healthcare industry regarding the privacy of patient information (University of Michigan). Since 1996, the legislation has grown in structure and formality, including the implementation of enforcement methods and punitive actions against violators. Even so, violations occur. Some are unintended acts by healthcare professionals who fail to realize the risk of their actions; others are intentional inquiries and disclosures that are malicious in nature.
The use of outdated or incorrect forms, as well as the failure to complete them properly, is the mildest form of HIPAA violation (Mauer, 19). Failing to have the patient complete the appropriate forms properly creates loopholes that leave the patient or the medical facility unprotected (Repa). To prevent this, healthcare workers should make certain they have the most current forms available through the Department of Health and Human Services website and should familiarize themselves with the forms so that they can notice any mistakes before the patient leaves the facility (Bush).
Some HIPAA violations result from good intentions on the part of medical staff, as in the case of a nurse named Deanne. She explains that she has worked as an RN at a hospital for over fifteen years and was recently suspended for a HIPAA violation after accessing the medical records of a patient:
“I believed we had seen [the patient] in our clinic just recently. If we had seen her she would have most likely had a follow-up appointment scheduled, which I would have asked our schedulers to cancel as the patient [had just passed away]. I had honorable intentions as we have an automated system that calls to remind patients of their appointments. I was trying to prevent her family from getting such a call.” (AllNurses)
While Deanne’s intentions, as she explains them, were noble (she was simply trying to stop an automated call that could have brought emotional pain to a grieving family), the access was a violation because she had no medically relevant purpose for accessing the patient’s file. Deanne was suspended as a result and has not yet received a final determination from her employer (AllNurses).
An incident at the DePoo Chemical Dependency Facility in Florida serves as an example of another unintentional HIPAA violation. The program director for the facility had permitted an unauthorized employee to enter areas of the facility where private information could have been viewed. “Under HIPAA regulations, the ‘potential’ for such disclosure can constitute a violation, even where there is no actual communication of [personal information].” (Merion) It is important to note that the opportunity for an incident to occur is just as much a violation of HIPAA as the actual revelation of sensitive and private information. In this situation, the facility chose to educate its staff about how the seemingly minor act of allowing an individual to enter a secured area can still violate a patient’s privacy (NYMITY).
Some of the worst cases of HIPAA violations involve malicious snooping by healthcare workers into the private files of patients to learn information that they have no relevant need to know. High-profile victims include George Clooney and Britney Spears, each of whom had their medical records viewed by staff members who were not involved with their treatment (Murer, 1). Farrah Fawcett’s records were viewed by healthcare staff and subsequently sold to media outlets (Parker-Pope). This past April saw the first criminal sentencing by a federal court of a healthcare worker who had viewed celebrity medical records; Huping Zhou was sentenced to four months in a federal penitentiary for his “lack of respect for patient privacy.” (Mrozek) Jenn Riggle suggests that criminal sentencing may not be the best method of handling HIPAA violations that involve privacy violations to a patient’s records, writing “The National Association Medical Staff Services (NAMSS) reminds us that HIPAA requires hospitals to deliver ‘appropriate sanctions’ when employees violate the law. But rather than using this incident as a teaching opportunity … and offering more HIPAA training, [the employees were terminated].” (Riggle) In the case of George Clooney’s records being accessed, he stated “while I very much believe in a patient’s right to privacy, I would hope that this could be settled without suspending medical workers.” (CNN)
The best method for avoiding HIPAA violations is education. By properly training employees about what HIPAA prohibits and what it permits, employers can help them avoid simple but costly mistakes (Gross). Andrea Thomas-Lloyd of Lancaster General Hospital takes advantage of Health Information Privacy and Security (HIPS) Week to re-educate her staff on compliance, also involving the hospital’s privacy analyst; she explains “It is really a sort of grassroots effort to, one, develop awareness that there is a privacy official and a privacy department they can contact and two, to try and address any questions and concerns that they have while we are there… It has to be personal for them to understand it.” (Dimick) Michael Dermer, CEO of a healthcare technology company, believes that training is not sufficient and that checks and balances should also be implemented in the technology system to remind employees of HIPAA regulations (Masterson).
Healthcare workers must understand the legal risks of viewing or discussing patient information, and their employer should work with them to educate the staff and diminish the risk of accidental violations. While employers are able to reduce risks, preventing intentional violations by staff who view and disclose information is much more difficult. The employer should make certain that employees know that it has methods to trace violations and has policies in place to take appropriate action against violators. As IT Specialist Lee Clemmer says, “Liability for employers has increased enormously. Your employer just can’t take the risk…curiosity definitely killed the cat–and you’re the cat!” (Clemmer)
“HIPAA Violation – Nursing for Nurses.” Allnurses: A Nursing Community for Nurses. 12 Mar. 2010. Web. 18 May 2010. <http://allnurses.com/general-nursing-discussion/hipaa-violation-479131.html>.
Bush, Jennifer. “The HIPAA Privacy Rule: Three Key Forms – Feb, 2003 – Family Practice Management.” Family Practice Management, Feb. 2003. Web. 17 May 2010. <http://www.aafp.org/fpm/2003/0200/p29.html>.
Clemmer, Lee. “Consequences of Computer Hacking: Are the Risks Worth the Benefits?” BrightHub. 5 May 2010. Web. 18 May 2010. <http://www.brighthub.com/computing/smb-security/articles/42893.aspx>.
“27 Suspended for Clooney File Peek.” CNN. 10 Oct. 2007. Web. 17 May 2010. <http://www.cnn.com/2007/SHOWBIZ/10/10/clooney.records/index.html>.
Dimick, Chris. “Keeping HIPAA Education Fresh.” Journal of AHIMA. 11 Dec. 2008. Web. 18 May 2010. <http://journal.ahima.org/2008/12/11/keeping-hipaa-education-fresh/>.
Gibson, Elaine, and Harry Croft. “Discipline Is Better Than Punishment So What’s the Difference.” HealthyPlace. 02 June 2009. Web. 18 May 2010. <http://www.healthyplace.com/parenting/challenge-of-difficult-children/discipline-is-better-than-punishment-so-whats-the-difference/menu-id-1437/>.
Gross, Barrie. “Decreasing the Legal Risks of Employee Termination.” All Business. Web. 18 May 2010. <http://www.allbusiness.com/legal/labor-employment-law-at-will/10175092-1.html>.
Masterson, Les. “Guarding Against HIPAA Violations.” HealthLeaders Media. 23 July 2008. Web. 18 May 2010. <http://healthplans.hcpro.com/content/HEP-215611/Guarding-Against-HIPAA-Violations>.
Mauer, Frank. The Privacy Rule, Databases, Treatment, Clinical Research, Coded Samples and De-Identification. Weill Cornell Medical College, 17 June 2009. Web. 15 May 2010. <http://med.cornell.edu/research/for_pol/forms/HIPAA_for_RCNs_061709.ppt>.
“Key West Rehab Center Cited for HIPAA Violation.” Merion Publications. Web. 17 May 2010. <http://health-information.advanceweb.com/editorial/content/editorial.aspx?CC=59348>.
Mrozek, Thom. “Release No. 10-079.” United States Department of Justice. 27 Apr. 2010. Web. 16 May 2010. <http://www.justice.gov/usao/cac/pressroom/pr2010/079.html>.
Murer, Cherilyn G. “HIPAA Meets Celebrity.” Murer Consultants, Inc. June 2008. Web. 16 May 2010. <http://www.murer.com/files/uploads/docs/hippameetscelebrity-june08.pdf>.
“Key West Rehab Center Cited For HIPAA Violation.” NYMITY. Web. 17 May 2010. <http://www.nymity.com/Free_Privacy_Resources/Previews/ReferencePreview.aspx?guid=f85c62b7-f153-4642-938f-65432dadfd13>.
Parker-Pope, Tara. “More Celebrity Snooping by Hospital Workers.” NYTimes.com. 3 Apr. 2008. Web. 15 May 2010. <http://well.blogs.nytimes.com/2008/04/03/more-celebrity-snooping-by-hospital-workers/>.
Repa, Barbara K. “How Can I Get a Free HIPAA Release Form?” Caring. Web. 17 May 2010. <http://www.caring.com/questions/hipaa-release-form>.
Riggle, Jenn. “A Tale of Two HIPAA Violations.” Web log post. The Buzz Bin. 7 Jan. 2010. Web. 16 May 2010. <http://www.livingstonbuzz.com/2010/01/07/a-tale-of-two-hipaa-violations/>.
“Why HIPAA?” University of Michigan School of Public Health. The Regents of the University of Michigan, 29 July 2009. Web. 18 May 2010. <http://www.sph.umich.edu/faculty_research/hipaa/why_hipaa.html>.