Precipitating Event: Celebrity patients claimed that XYZ Hospital employees were snooping in their records and selling the information to the paparazzi.
On June 5, 2009, HHS began investigations of two separate complaints from celebrity patients alleging that their medical information was appearing in the press without their permission.
(i) During periods in 2005 and 2008, numerous XYZ Hospital workforce members repeatedly and without a permissible reason examined the protected health information of XYZ Hospital patients.
(ii) During the period 2005-2008, a workforce member of XYZ Hospital employed in the office of the Director of Nursing repeatedly and without a permissible reason examined the protected health information of many patients.
(iii) During the period 2005-2008, XYZ Hospital did not provide and/or did not document the provision of necessary and appropriate HIPAA training for all members of its workforce to carry out their function within the XYZ Hospital.
(iv) During the period 2005-2008, XYZ Hospital failed to apply appropriate sanctions and/or document sanctions on workforce members who impermissibly examined protected health information.
(v) During the period from 2005-2009, XYZ Hospital failed to implement security measures sufficient to reduce the risks of impermissible access to protected health information by unauthorized users to a reasonable and appropriate level.
(Findings quoted with minor modifications for readability.)
"failed to implement security measures sufficient to reduce the risks of impermissible access to protected health information by unauthorized users"
The snooping is, of course, bad, but the HIPAA Police are saying that not having a way of knowing if employees are snooping is also a HIPAA violation. XYZ Hospital got in trouble because they were not checking whether employees were snooping.
Ask Yourself: Do you have automated reports that show medical record access?
"repeatedly and without a permissible reason examined the protected health information of XYZ Hospital patients"
Of course snooping is a HIPAA violation. But the snooping went on for 4 years without being recognized.
Ask Yourself: Are you checking if employees are snooping in paper or electronic medical records?
"failed to apply appropriate sanctions and/or document sanctions"
Sanctions (or punishments) must be documented and enforced.
Ask Yourself: If your employee violates a policy, is there a documented sanction or consequence?
XYZ Hospital is a big, sprawling health system with many computer systems, buildings, locations and thousands of employees. It is a lot of work to train and monitor all these moving parts.
Automated reports with intelligent algorithms are one way to address the complexity of large health systems. Random, unannounced inspections (that do not interrupt workflows) are equally effective.
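What such an automated access report can look like, as an added example that is not from the original article or from any hospital's system: it reads a constructed, pipe-delimited EHR audit log (the field layout is an assumption for this example) against a constructed care-team table, and flags three things the findings above describe: access with no documented treatment relationship, a user opening many distinct charts in a short window, and any access to a restricted record. All names, patient IDs and thresholds are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit log. The field layout (time|user|role|patient|action)
# is an assumption for this example; real EHR audit exports use their own formats.
SAMPLE_LOG = """\
2008-03-01T08:02:11|nurse_a|RN|P1001|VIEW
2008-03-01T08:05:40|nurse_a|RN|P1002|VIEW
2008-03-01T09:10:02|clerk_b|ADMIN|P2001|VIEW
2008-03-01T09:10:30|clerk_b|ADMIN|P2002|VIEW
2008-03-01T09:11:05|clerk_b|ADMIN|P2003|VIEW
2008-03-01T09:11:50|clerk_b|ADMIN|P2004|VIEW
2008-03-01T09:12:20|clerk_b|ADMIN|P2005|VIEW
2008-03-01T14:00:00|dr_c|MD|P2001|VIEW
"""

# Constructed care-team table: patient -> users with a treatment relationship.
# In practice this is derived from admissions, scheduling or order data.
CARE_TEAM = {
    "P1001": {"nurse_a", "dr_c"},
    "P1002": {"nurse_a"},
    "P2001": {"dr_c"},
}

# Patients whose records are reviewed on every access (constructed list).
RESTRICTED_PATIENTS = {"P2001"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str


def parse_log(text):
    """Parse the pipe-delimited audit lines; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, user, role, patient, action = parts
        events.append(Event(datetime.fromisoformat(ts), user, role, patient, action))
    return events


def find_no_relationship(events, care_team):
    """Accesses by users with no documented treatment relationship to the patient."""
    return [e for e in events if e.user not in care_team.get(e.patient, set())]


def find_bursts(events, window_minutes, threshold):
    """Users who opened at least `threshold` distinct charts within `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        best = 0
        for i, start in enumerate(evs):
            # Distinct patients seen in the window that starts at this event.
            distinct = {e.patient for e in evs[i:] if e.ts - start.ts <= window}
            best = max(best, len(distinct))
        if best >= threshold:
            flagged[user] = best
    return flagged


def find_restricted_access(events, restricted, care_team):
    """Every access to a restricted record, with whether a care relationship existed."""
    return [(e.user, e.patient, e.user in care_team.get(e.patient, set()))
            for e in events if e.patient in restricted]


def build_report(log_text, window_minutes=10, threshold=5):
    """Combine the three checks into one report for the privacy officer to review."""
    events = parse_log(log_text)
    no_rel = find_no_relationship(events, CARE_TEAM)
    bursts = find_bursts(events, window_minutes, threshold)
    restricted = find_restricted_access(events, RESTRICTED_PATIENTS, CARE_TEAM)
    # A restricted-record access by a treating clinician is recorded but not escalated.
    users = {e.user for e in no_rel} | set(bursts) | {u for u, _, ok in restricted if not ok}
    return {
        "no_relationship": [(e.user, e.patient) for e in no_rel],
        "bursts": bursts,
        "restricted": restricted,
        "users_to_review": sorted(users),
    }


if __name__ == "__main__":
    for key, value in build_report(SAMPLE_LOG).items():
        print(key, value)
```

On the sample data the report singles out one user who touched five charts in about two minutes with no care relationship to any of them, while the clinician who opened the restricted record is listed but not escalated. The care-team table is the piece that does the real work: without some record of who is legitimately treating whom, a report can only count accesses, not judge them.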
Small practices that use paper medical records need check-out procedures, like those for borrowing a book from the public library, so that every chart access is recorded and snooping can be caught.