The injuries suffered by a professional football player brought the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations ("HIPAA") onto center stage of the media during the days following July 4. Jason Pierre-Paul, a defensive end for the New York Giants, suffered a firework-related injury to his hand during the Independence Day celebrations. Mr. Pierre-Paul's medical record became the talk of the internet when Adam Schefter of ESPN posted a picture of Mr. Pierre-Paul's medical record along with the following message on his Twitter account: "ESPN obtained medical charts that show Giants DE Jason Pierre-Paul had right index finger amputated today." In response to the incident, the CEO of Jackson Health System, which operates the hospital where Mr. Pierre-Paul is being treated, stated that an "aggressive internal investigation looking into these allegations is underway."
While Jackson Health System continues to investigate the incident to determine the root cause of the alleged breach, compliance officials may want to use this highly publicized incident as a teaching moment to remind workforce members of their ongoing obligations to protect patient privacy. HIPAA requires covered entities to ensure that reasonable and appropriate technical, administrative, and physical safeguards are in place to protect patients' protected health information. Covered entities are also required to limit workforce members' access rights based on their particular job functions and to inform workforce members of the sanctions that will be imposed against "snooping" employees who use or disclose patient information in violation of HIPAA.
Even if a hospital or other provider is not servicing high-profile patients, common snooping may still be a problem. The Department of Health and Human Services, Office for Civil Rights (OCR) has issued clear guidance that snooping does not meet one of the breach exceptions because it is intentional and in bad faith. Workforce members need to be reminded that patient information should only be accessed to perform job functions, and snooping (whether for improper motive or simple curiosity) is strictly prohibited. Even sharing information about patients with other workforce members who do not need the information to perform their job violates HIPAA.
The cost of failing to comply with HIPAA has proven to be high in snooping cases. OCR has investigated a number of these cases and entered into resolution agreements with covered entities requiring payments as high as $865,000. Significantly, these costs do not include the costs associated with investigating, remediating, and mitigating a breach under HIPAA. A covered entity may also be hit with enforcement at the state level and lawsuits from affected patients, which are on the rise. The costs can be extraordinary even when there is an apparently straightforward breach that only affects one individual.
Success at the game of HIPAA can be maximized through diligent training and monitoring -- and sanctioning workforce members for violations. Here are a few steps from our HIPAA playbook that can help minimize HIPAA violations by workforce members:
- Periodically review OCR enforcement actions and case settlements to determine if additional training or safeguards should be implemented.
- Implement robust training to ensure workforce members are aware of their obligations to protect patient privacy, regardless of the patient, and the sanctions that will be imposed for failure to comply -- including termination of employment if warranted.
- Determine the extent to which technical and/or physical safeguards can be placed on the medical records to track, trigger alerts, flag, or restrict access to the records.
- Review your HIPAA policies and procedures to ensure that they address workforce members' access rights.
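The third step above (technical safeguards that track, flag, or trigger alerts on record access) is the one most often left vague in policy documents. The script below is an added illustration, not part of this alert and not any vendor's product, of what such monitoring looks like in practice: it reads a constructed EHR access audit log and flags three patterns that compliance reviewers typically follow up on. The log format, the care-team roster, the "flagged patient" list, and the volume threshold are all assumptions chosen for the example; a real deployment would draw them from the EHR's audit trail and scheduling or admission data.

```python
"""Flag possible record 'snooping' in an EHR access audit log.

Added example; the log format, field names, care-team roster and thresholds
below are assumptions made for illustration, not a real system's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp, user, role, patient_id, action.
SAMPLE_LOG = """\
2015-07-05T09:02:11Z nurse_a RN P100 VIEW
2015-07-05T09:05:40Z dr_b MD P100 VIEW
2015-07-05T09:07:02Z clerk_c CLERK P100 VIEW
2015-07-05T09:07:45Z clerk_c CLERK P100 PRINT
2015-07-05T10:15:00Z nurse_a RN P200 VIEW
2015-07-05T10:16:10Z nurse_a RN P300 VIEW
2015-07-05T10:16:50Z nurse_a RN P400 VIEW
2015-07-05T10:17:30Z nurse_a RN P500 VIEW
2015-07-05T10:18:05Z nurse_a RN P600 VIEW
"""

# Assumed roster: which users have a documented treatment relationship
# with which patients (in practice derived from admissions/scheduling).
CARE_TEAM = {
    "P100": {"nurse_a", "dr_b"},
    "P200": {"nurse_a"},
    "P300": {"nurse_a"},
}

# Assumed set of records under heightened scrutiny (e.g. high-profile patients).
FLAGGED_PATIENTS = {"P100"}

# Assumed threshold: more than VOLUME_LIMIT distinct patients opened by one
# user inside WINDOW is unusual for most roles and worth a review.
VOLUME_LIMIT = 4
WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "role": role, "patient": patient, "action": action,
        })
    return events


def detect_snooping(events, care_team=CARE_TEAM, flagged=FLAGGED_PATIENTS,
                    limit=VOLUME_LIMIT, window=WINDOW):
    """Return a list of (rule, user, patient, detail) alerts."""
    alerts = []
    for ev in events:
        # Rule 1: access with no documented treatment relationship.
        if ev["user"] not in care_team.get(ev["patient"], set()):
            alerts.append(("NO_CARE_RELATIONSHIP", ev["user"], ev["patient"], ev["action"]))
        # Rule 2: a flagged record was printed or exported, regardless of who did it.
        if ev["patient"] in flagged and ev["action"] in {"PRINT", "EXPORT"}:
            alerts.append(("FLAGGED_RECORD_EXPORT", ev["user"], ev["patient"], ev["action"]))

    # Rule 3: one user opening many distinct charts in a short window.
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            patients = {e["patient"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(patients) > limit:
                alerts.append(("HIGH_VOLUME", user, "*",
                               f"{len(patients)} patients within {window}"))
                break  # one alert per user is enough for a review queue
    return alerts


def summarize(alerts):
    """Count alerts per rule, the shape a compliance dashboard would show."""
    counts = defaultdict(int)
    for rule, *_ in alerts:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect_snooping(parse_log(SAMPLE_LOG))
    for alert in found:
        print(alert)
    print(summarize(found))
```

Run as-is, the script flags the clerk's two accesses to the flagged chart (no care relationship, and a PRINT of a flagged record) and the nurse's rapid run through several charts she is not assigned to. None of these alerts proves misconduct on its own; the point of the safeguard is that each one lands in front of a privacy officer while the access is recent enough to investigate and, if warranted, sanction under the policies the steps above call for.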