HIPAA and Zero Tolerance Policies
Does your organization have a zero-tolerance policy for violations of patient privacy? If not, perhaps recent events indicate the value of having such a policy.
In an example of HIPAA policy enforcement, Tucson’s University Medical Center has fired three employees this week for violating patient privacy. The hospital reported that three workers were dismissed for inappropriately accessing the medical records of patients involved in the high profile shooting rampage that involved Representative Gabrielle Giffords. This incident resulted in the death of six people and left Representative Giffords in critical condition.
Policies and procedures should clearly indicate that patient privacy must be protected. That includes limiting access to health information to those who have a need to know.
Education is critical in your organization. Employees should have training about HIPAA upon hire and annually thereafter. Training topics should cover patient privacy, security, and how the law and rules apply to a person’s individual work setting.
Access to information must be limited to the person’s need to know based on their role. This role-based access should be reviewed annually as a part of your compliance program.
You also must be able to track who has accessed protected health information. Access logs will show you who has looked at a patient’s record. I imagine it was these access logs that led to the discovery of employees accessing the files at the University Medical Center in Tucson. Without access logs, you will not be able to tell if you have had a breach.
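As an added illustration of the kind of review those access logs make possible (example code written for this page, not from the original post or from any hospital's system), the script below reads a constructed audit-log format, compares each record access against a constructed care-team assignment table and a small role policy, and reports the accesses that fall outside a user's need to know. Real EHR audit logs, role models and care-team data are system-specific; the log format, the `CARE_TEAM` table and the `ROLE_ALLOWED_ACTIONS` policy here are assumptions made for the example.

```python
"""Flag PHI record accesses that fall outside a user's need to know.

Added example, not code from the original post. The audit-log format, the
care-team table and the role policy below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit log: timestamp, user, role, patient record, action.
SAMPLE_LOG = """\
2011-01-10T08:02:11 user=nurse_a role=nurse patient=P1001 action=view
2011-01-10T08:05:40 user=dr_b role=physician patient=P1001 action=view
2011-01-10T09:15:02 user=clerk_c role=billing patient=P1001 action=view
2011-01-10T09:16:30 user=clerk_c role=billing patient=P1001 action=print
2011-01-10T10:01:00 user=nurse_d role=nurse patient=P1001 action=view
2011-01-10T10:02:00 user=nurse_a role=nurse patient=P2002 action=view
"""

# Constructed care-team assignments: which users are treating which patients.
CARE_TEAM = {
    "P1001": {"nurse_a", "dr_b"},
    "P2002": {"nurse_a"},
}

# Constructed role policy: roles that may touch a record without being on the
# care team, and the actions they may perform (billing may view, not print).
ROLE_ALLOWED_ACTIONS = {
    "billing": {"view"},
}


@dataclass(frozen=True)
class Access:
    ts: str
    user: str
    role: str
    patient: str
    action: str


def parse_log(text):
    """Parse key=value audit lines into Access records; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        try:
            records.append(Access(parts[0], fields["user"], fields["role"],
                                  fields["patient"], fields["action"]))
        except KeyError:
            continue  # a required field is missing; do not guess
    return records


def is_need_to_know(acc, care_team=CARE_TEAM, role_policy=ROLE_ALLOWED_ACTIONS):
    """True if the user is on the patient's care team, or the role permits the action."""
    if acc.user in care_team.get(acc.patient, set()):
        return True
    return acc.action in role_policy.get(acc.role, set())


def find_violations(text, care_team=CARE_TEAM, role_policy=ROLE_ALLOWED_ACTIONS):
    """Return every logged access that is not justified by care team or role."""
    return [a for a in parse_log(text)
            if not is_need_to_know(a, care_team, role_policy)]


def summarize_by_user(violations):
    """Group flagged accesses by user for the compliance reviewer."""
    out = defaultdict(list)
    for v in violations:
        out[v.user].append((v.ts, v.patient, v.action))
    return dict(out)


if __name__ == "__main__":
    for user, events in summarize_by_user(find_violations(SAMPLE_LOG)).items():
        print(user)
        for ts, patient, action in events:
            print(f"  {ts}  {patient}  {action}")
```

Run as written, the review flags two of the six sample accesses: a billing clerk printing a record the role policy only allows viewing, and a nurse who is not on the patient's care team viewing the record. Everything else is left alone, which is the point of pairing the log with a need-to-know table: the log alone tells you who looked, and the role and care-team data tell you whether they should have.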
Your policies must also include a sanctions policy. Sanctions do not necessarily have to be “zero-tolerance” policies for any kind of error. There may be times when something happens that was a simple mistake. However, if you have a zero tolerance policy, be ready to follow through with it by dismissing staff when they violate the policy.
In a high profile case like the one in Arizona, zero-tolerance is the wisest choice. There is far too much risk that this information could be accessed for all the wrong reasons. In the end, accessing a patient’s information for any reason other than what is required to provide health care is wrong. Accessing it with the potential of personal gain, selling it to media, etc., is totally unacceptable. Note there is nothing to suggest that is what happened with this particular breach; the risk of such a problem is, however, higher when you have high profile patients.
In the end, having a zero-tolerance policy at your organization, and being sure you enforce it, protects everyone and shows you are serious about patient privacy. It may also protect you should you have to defend yourself in court or to the government in the case of a breach.
Training is critical. Have you done your annual HIPAA training with staff this year?