By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure
The start of a new year represents new opportunities to refocus on HIPAA compliance efforts. Ransomware and phishing attacks seem to be drawing the majority of recent headlines, but a couple of human-based incidents have also come out recently. The insider or individual based issues offer a good reminder that security can only be as strong as the weakest link and some unexpected activity will always occur.
The first recent example came from a hospital in Chicago. The hospital revealed that an employee snooped through patient records over a year-long period and the access did not relate to any official or necessary business purpose. As should be well known, randomly running through patient records is not permitted under HIPAA. Any access and use must be justified and necessary for a valid job function. A valid job function is not curiosity or any other self-driven idea.
Unfortunately, snooping is an all too common occurrence, as curiosity can lead even individuals with the best of intentions down a bad path. If snooping is a constant risk, what can (and really should) be done? The HIPAA Security Rule offers a good solution: auditing and monitoring. The concepts of auditing and monitoring data access are not new subjects. HIPAA expects organizations to review and assess use of the data they hold for the purpose of finding inappropriate access or disclosure. While auditing and monitoring can be challenging, the challenges are becoming less severe over time. More automated solutions to conduct the first couple of layers of analysis are coming online all of the time, which decreases the amount of manual labor needed while increasing the number of records that can be reviewed. While those processes do exist, they must be turned on and/or acquired. Merely trusting that snooping will not occur or can be found through small-sample random audits is insufficient.
Despite the limitations of small-sample audits, there is still a place for manually driven reviews. The prime example for manual review is the so-called “VIP” patient, which does not need to be limited solely to a celebrity. A VIP patient could be any individual who is expected to draw a disproportionate amount of attention. While celebrities are good examples, other more local ones are executives from the organization, an accident or crime victim, or anyone with a fair amount of community recognition. If an individual like that presents for treatment, the privacy and security teams may want to consider special audits of just that individual’s record, since misplaced curiosity may be more likely to arise.
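As an added illustration of the two review layers just described (automated screening of access logs for accesses with no treatment relationship, plus a manual audit of every access to a designated “VIP” record), here is a small first-pass audit script. It is not code from the article or from any EHR or audit product; the log format, the user and patient identifiers, the static care-team table and the VIP watchlist are all constructed assumptions standing in for the encounter and scheduling data a real system would use to establish a treatment relationship.

```python
"""Added example: first-pass EHR access-log review for snooping and VIP audits.

Everything here is constructed for illustration: the log format, the user and
patient identifiers, and the care-team table are assumptions, not the data
model of any real EHR or audit product.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    patient_id: str
    action: str


# Constructed treatment relationships: which staff have a documented reason
# to open each chart. A real system would derive this from encounter,
# scheduling and care-team data rather than a static table.
CARE_TEAM: Dict[str, Set[str]] = {
    "P1001": {"dr_lee", "rn_ortiz"},
    "P1002": {"dr_lee"},
    "P1003": {"rn_ortiz"},
    "P2001": {"dr_patel"},
}

# Constructed "VIP" watchlist: records that get a manual review of every access.
VIP_PATIENTS: Set[str] = {"P2001"}

# Constructed audit-log lines in the form timestamp|user|patient|action
SAMPLE_LOG = [
    "2020-01-06T09:14:00|dr_lee|P1001|view",
    "2020-01-06T09:20:00|rn_ortiz|P1001|view",
    "2020-01-06T11:02:00|dr_lee|P1002|view",
    "2020-01-07T13:45:00|clerk_smith|P1001|view",
    "2020-01-07T13:47:00|clerk_smith|P1002|view",
    "2020-01-07T13:50:00|clerk_smith|P1003|view",
    "2020-01-08T08:00:00|dr_patel|P2001|view",
    "2020-01-08T08:05:00|rn_ortiz|P2001|view",
]


def parse_log(lines: Iterable[str]) -> List[AccessEvent]:
    """Parse the constructed pipe-delimited format into AccessEvent records."""
    events = []
    for line in lines:
        ts, user, patient_id, action = line.strip().split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, patient_id, action))
    return events


def unjustified_accesses(events, care_team) -> List[AccessEvent]:
    """Accesses by users with no documented treatment relationship to the patient."""
    return [e for e in events if e.user not in care_team.get(e.patient_id, set())]


def vip_accesses(events, vip_patients) -> List[AccessEvent]:
    """Every access to a watchlisted record, justified or not, queued for manual review."""
    return [e for e in events if e.patient_id in vip_patients]


def snooping_candidates(events, care_team, min_patients: int = 3) -> Dict[str, int]:
    """Users who opened at least min_patients distinct charts without a relationship.

    Volume across distinct patients separates a likely snooper from a single
    mis-click, which is why this counts charts rather than raw events.
    """
    per_user = defaultdict(set)
    for e in unjustified_accesses(events, care_team):
        per_user[e.user].add(e.patient_id)
    return {u: len(p) for u, p in per_user.items() if len(p) >= min_patients}


def run_review(lines=SAMPLE_LOG):
    """Run all three checks over a log and return the findings for a reviewer."""
    events = parse_log(lines)
    return {
        "unjustified": unjustified_accesses(events, CARE_TEAM),
        "vip": vip_accesses(events, VIP_PATIENTS),
        "candidates": snooping_candidates(events, CARE_TEAM),
    }


if __name__ == "__main__":
    report = run_review()
    for e in report["unjustified"]:
        print(f"UNJUSTIFIED {e.ts.isoformat()} {e.user} -> {e.patient_id}")
    for e in report["vip"]:
        print(f"VIP-REVIEW  {e.ts.isoformat()} {e.user} -> {e.patient_id}")
    for user, n in report["candidates"].items():
        print(f"CANDIDATE   {user}: {n} charts without a treatment relationship")
```

The point of the script is the division of labor the paragraph describes: the automated pass narrows a whole log down to a handful of accesses worth a human's time, while the VIP check deliberately does not filter at all, because for those records the privacy team wants to see every access, including the justified ones.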
The second individual-driven HIPAA violation from early in 2020 is a bit of a unique one. In the second example, an individual falsely alleged privacy violations and then claimed to be the subject of harassment for blowing the whistle. The basis of the false complaints, namely violations of privacy, is believable enough to drive concern. For better or worse, there are likely concerns, if not outright violations, of privacy requirements that occur on a daily basis. Since those concerns are always present, any complaint should be taken seriously and investigated. Based on available information, the complaints in this instance were investigated, which enabled detection of the concerns, though maybe not by the healthcare organization. In maybe taking his scheme a bit too far, the individual sent his complaints not just to the healthcare organization, but to the Department of Justice and the FBI. In alerting agencies with more investigative capabilities, the individual’s inconsistencies were detected by the FBI.
While the example is a bit extreme, it does offer the lesson that all privacy complaints should be fully investigated. Not only does HIPAA require the investigation, the investigation is part of the means by which an organization demonstrates the full scope of its HIPAA compliance. When reviewing a complaint, it is more than justifiable for an organization to determine that the complaint does not identify a real issue. Sometimes an individual may not fully understand why a particular action can or did occur. However, it is important to consider the complaint and then make an honest self-assessment because it is an opportunity to vet operations. Such vetting and updating should not be a one and done or rare occurrence. Instead, making compliance a living and breathing part of daily operations will drive better protections of patient information.
The other aspect of an investigation is what to do with the results. A frequent question that will come up is how to communicate findings to the individual who submitted the complaint. If no issue or violation is found, then the answer is usually a lot easier. In that instance, the individual can be informed that after a thorough review, no issue was found. Depending upon the nature of the complaint, a short explanation could be included as to why the complaint did not identify a real issue. The thornier instance is when a violation was found. Revealing too many details could create unintentional liability in other areas, for instance by getting into employment-related issues. However, the individual submitting the complaint also will not want to feel like they are being brushed off. Given those competing interests, careful case-by-case attention should be given to each response. While it may not be satisfying to hear that a template response cannot be prepared, understanding the need for individualized attention upfront is also helpful.
A new year always starts off with a lot of promise. Despite issues already being reported, the promise lies in other organizations being able to learn from and build upon these early lessons. While everyone in an organization is fresh and motivated, take the time to continue building a culture of compliance.
This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.