Congress recently passed legislation—the Health Information Technology for Economic and Clinical Health Act (HITECH Act)—that should speed up the adoption of electronic health records. In anticipation of more hospitals using this technology, HITECH strengthens the privacy and security protections already provided under HIPAA—the Health Insurance Portability and Accountability Act.
As you may be aware, even though health professionals are trained to be aware of HIPAA rules and regulations, privacy violations in healthcare settings happen frequently. To be sure, health professionals are routinely disciplined or fired for violating the privacy rights of patients, and some have even been disciplined for accessing their own personal electronic health records. Recently, several health professionals in an Iowa hospital were fired for snooping through patients’ medical records. A patient order coordinator looked at the medical records of her boyfriend’s ex-wife, while another worker reviewed the medical records of the mother of her adopted child. (See other examples below.)
Dan McNeil of AFT’s Legal Department explains the basics of HIPAA.
HIPAA allows anyone who feels that their rights have been violated to lodge a formal complaint with the hospital or the federal Office for Civil Rights (OCR). According to the OCR, the most common complaints involve wrongfully using or disclosing protected health information, failing to protect health information, failing to allow patients’ access to their protected health information, and disclosing more health information than necessary.
Health professionals accused of violating HIPAA rules can be investigated by their hospital and could face disciplinary action. The penalties for HIPAA violations include remediation/training, progressive discipline, suspension and termination. Health professionals can also face punishment from the federal government for HIPAA violations. The HITECH legislation includes significant monetary penalties and prison sentences for certain HIPAA violations.
HITECH requires hospitals to notify a patient within 60 days if it is discovered that their privacy has been breached. Hospitals also must notify the secretary of the Department of Health and Human Services in all cases, and if the breach of protected health information involves more than 500 residents of a state, hospitals have to notify the news media.
Examples of HIPAA violations
- A nurse and an orderly at a state hospital discussed the HIV/AIDS status of a patient and the patient's spouse within earshot of other patients without making reasonable efforts to prevent the disclosure. Upon learning of the incident, the hospital placed both employees on leave; the orderly ultimately resigned. The hospital took further disciplinary action with the nurse, which included documenting the employee record with a memo of the incident; one-year probation; referral for peer review; and further HIPAA training. In addition, the state attorney general's office entered into a monetary settlement agreement with the patient.
- Nurses and staff in a California emergency room took pictures of a stabbing victim and posted them on Facebook. The breach of patient privacy led to the firing of four staff members; another three were disciplined. The photos were posted for two days before co-workers reported it to hospital administrators.
- After treating a patient injured in a rather unusual sporting accident, the hospital released to the local media, without the patient’s authorization, copies of the patient’s skull x-ray as well as a description of the complainant’s medical condition. The local newspaper then featured on its front page the individual’s x-ray and an article that included the date of the accident, the location of the accident, the patient’s gender, a description of the patient’s medical condition, and numerous quotes from the hospital about such unusual sporting accidents. The hospital asserted that the disclosures were made to avert a serious threat to health or safety; however, OCR’s investigation indicated that the disclosures did not meet the privacy rule’s standard for such actions. The OCR required the hospital to develop and implement a policy regarding disclosures related to serious threats to health and safety, and to train all members of the hospital staff on the new policy.
- Two workers in a hospital in New Mexico were fired for taking cell phone pictures of a patient receiving treatment and posting the images to MySpace. The photos were discovered after an anonymous tip to a hospital supervisor. The hospital supervisor oversaw the removal of the photos from the website and cell phones.
- A nurse practitioner with privileges at a multi-hospital healthcare system accessed the medical records of her ex-husband. The healthcare system terminated the nurse’s access to its electronic records system; reported the nurse’s conduct to the appropriate licensing authority; and provided the nurse with remedial HIPAA training.
- In California, five nurses were fired after hospital administrators discovered they were discussing patients on Facebook. The nurses have appealed their firings, saying that they did not violate patient privacy.