• All Roads Lead Back to Employees

  • The Office for Civil Rights (OCR) notorious “Wall of Shame” summarizes the Resolution Agreements and press releases for companies that have been fined and found in violation of some part of the Health Insurance Portability and Accountability Act (HIPAA) or the Health Information Technology for Economic and Clinical Health Act (HITECH).

    HIPAA's privacy rule defines the workforce as "employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity." It further directs that training cover "all workforce members on its privacy policies and procedures, as necessary and appropriate to carry out their function." The security rule extends this to "all members of its work force (including management)."

    After reviewing 14 violations from 2014 through 2015, totaling over $14,398,200 in fines, it appears that each of the violations leads back to an employee’s actions or inaction. Here is a sampling of violations:

    • $215,000 -- Electronic protected health information (ePHI) of 7 individuals was accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by the County. Skagit County, Washington.
    • $1,975,220 -- OCR opened a compliance review of Concentra Health Services (Concentra) upon receiving a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center.
    • $4,800,000 -- The investigation revealed that New York Presbyterian Hospital (NYP) and Columbia University Medical Center (CU) operated a shared data network and a shared network firewall. The breach occurred when a physician employed by CU, who developed applications for both NYP and CU, attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.
    • $125,000 -- Parkview Health System, Inc. employees, with notice that the retiring physician was not at home, left 71 cardboard boxes of medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road.
    • $800,000 -- Cornell Prescription Pharmacy (Cornell) was found to have unsecured documents containing the protected health information (PHI) of 1,610 patients in an unlocked, open container on Cornell’s premises.
    • $750,000 -- Cancer Care reported a breach of electronic protected health information (ePHI) after a laptop bag was stolen from an employee’s car. The bag contained the employee’s computer and unencrypted backup media, which contained the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former Cancer Care patients. 
    • $850,000 -- Lahey Hospital and Medical Center (Lahey) notified OCR that a laptop was stolen from an unlocked treatment room. The laptop was on a stand that accompanied a portable CT scanner; the laptop operated the scanner and produced images for viewing through Lahey’s Radiology Information System and Picture Archiving and Communication System. The laptop hard drive contained the protected health information (PHI) of 599 individuals.

    It is clear from each of these violations that an employee or employees of these entities could have delivered a different outcome. All employees, from the executives to those in the front office, are required to protect the Protected Health Information (PHI) of their patients. Whether the entity ignores the implementation of the required policies and procedures, or an employee decides not to follow the adopted policies, safeguarding patient PHI is not optional.

    Leadership should create a culture of compliance for their entity, along with a roadmap of compliance training and communication.

    Keys to compliance are: 

    • Annual training is required of all staff.
    • Develop a responsive communication process to address questions that arise after training and in an ongoing manner.
    • Develop a reference repository of up-to-date policies and procedures.
    • Develop a process for evaluating training program effectiveness, reliability, and validity.
    • Develop a verification process to ensure that users have completed security awareness training before receiving access to electronic PHI.
    • Periodic security reminders presented at sign-on.
    • Company newsletters.
    • Training programs.
    • Lunchtime sessions.
    • Promotional products.
    • E-mail messages.
    • Banners and screen savers.
    • Fliers or handouts.
    • Web pages.
    • Guest Speakers. 
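    One of the keys above, verifying that training is complete before a user receives ePHI access, can be checked mechanically rather than on trust. The script below is an added example, not code from the article or from JAL Consult. It assumes two record sources that most organizations can export: a training-completion log and an access-grant log (both constructed inline here as CSV text, with hypothetical user and system names). For each grant it reports users with no completed training on or before the grant date, and users whose most recent training was already older than the annual requirement when access was granted.

```python
"""Reconcile ePHI access grants against security awareness training records.

Added example (not from the original article). Both data sets below are
constructed sample data; the user and system names are hypothetical.
"""
import csv
import io
from datetime import date, timedelta

# Annual training requirement: training older than this at grant time is stale.
ANNUAL_WINDOW = timedelta(days=365)

# Constructed training-completion export: one row per completed course.
TRAINING_CSV = """user,completed
alice,2015-01-10
bob,2014-02-01
carol,2015-03-15
"""

# Constructed access-grant export: one row per ePHI system entitlement.
ACCESS_CSV = """user,system,granted
alice,ehr-prod,2015-02-01
bob,ehr-prod,2015-04-01
carol,ehr-prod,2015-03-01
dave,ehr-prod,2015-05-05
"""


def load_training(text):
    """Return {user: [completion dates]} from the training export."""
    completions = {}
    for row in csv.DictReader(io.StringIO(text)):
        completions.setdefault(row["user"], []).append(
            date.fromisoformat(row["completed"]))
    return completions


def load_grants(text):
    """Return a list of (user, system, grant date) from the access export."""
    return [(row["user"], row["system"], date.fromisoformat(row["granted"]))
            for row in csv.DictReader(io.StringIO(text))]


def check_grants(training, grants, window=ANNUAL_WINDOW):
    """Flag grants made without current training.

    Returns a list of (user, system, reason). A grant is acceptable only if
    the user completed training on or before the grant date and that training
    was no older than `window` at the time of the grant.
    """
    findings = []
    for user, system, granted in grants:
        prior = [d for d in training.get(user, []) if d <= granted]
        if not prior:
            findings.append((user, system,
                             "no training completed before access grant"))
            continue
        age = granted - max(prior)
        if age > window:
            findings.append((user, system,
                             f"training stale: {age.days} days old at grant"))
    return findings


def run():
    """Run the check over the constructed sample data."""
    return check_grants(load_training(TRAINING_CSV), load_grants(ACCESS_CSV))


if __name__ == "__main__":
    for user, system, reason in run():
        print(f"{user}\t{system}\t{reason}")
```

    Run against real exports, the output is the list of accounts whose ePHI entitlement should be suspended until training is completed or refreshed. Note that "carol" is flagged even though she has a training record: the grant predates the training, which is exactly the sequencing error the verification process is meant to catch.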

    Embracing and promoting a culture of compliance is your greatest asset for adhering to the required regulatory safeguards.

    Judith Lindsay, CHP and CEO of JAL Consult, tackles all the elements of the HIPAA compliance puzzle, successfully assisting organizations in making sense of it all by implementing the correct policies and procedures that are reasonable and appropriate for their entity. Judith provides consulting and training and is available for speaking engagements. To read more about the world of compliance, subscribe to JAL’s insightful newsletter at www.jalconsultantsaz.com or follow JAL on Twitter @judithconsult.