A HIPAA Must: Keep Volunteer Smartphone Use at Bay
Most health care facilities have safeguards in place to keep transmission of patients’ protected health information (PHI) private between health care employees and business associates. Being compliant with Health Insurance Portability and Accountability Act (HIPAA) privacy laws shouldn’t stop there, however. It’s also wise to review your volunteer policies and procedures before PHI becomes public information.
For example, there was a case featured in the article, “Identify Theft Ring Results in Smartphone Ban at Health System,” (January 2013, Report on Patient Privacy (RPP), volume 13, issue 1) where a 21-year-old volunteer’s misuse of a cell phone at Jackson Memorial North hospital landed him in jail and caused a ban for future volunteers. The March 2012 incident involved 556 patients.
Although the volunteer, Loverson Gelmine, didn’t have access to the hospital computer, he still managed to steal PHI containing Social Security numbers by photographing paper records in the emergency room using his smartphone. Gelmine’s theft ring came out in the open when three men were found in a McDonald’s parking lot, trying to file fraudulent tax returns via the restaurant’s free WiFi connection. They were using the Social Security numbers Gelmine had sold them.
Prevent Smartphone Misuse in Your Facility
To prevent this from happening to other hospitals, Elizabeth Litten, a partner with Fox Rothschild LLP in Princeton, N.J., explained in the RPP identity theft article tips to better manage volunteers, visitors, or other onsite workers:
- Reassess the use of volunteers on campus and whether they should be used in units where information is sensitive (mental health ward) or not closely watched (emergency department).
- Conduct background checks and take the same precautionary steps you would when hiring potential employees.
- Make sure to clearly identify volunteers with obvious nametags or special clothing to set them apart easily from staff.
- Show all staff where volunteers are allowed and not allowed to go in the hospital and get all personnel on board to enforce it. Keep volunteers away from patient care areas.
- If a volunteer needs access to PHI to perform his or her duties, limit its visibility. Try to remove Social Security numbers from patient documents and don’t give them access to complete patient files.
- For paper records, place red sheets of paper between pages containing PHI. The red sheets will be like red flags that can be easily seen if a volunteer is searching through private information.
- For electronic PHI, have computer screens that can’t be viewed from the side, only straight on.
Since the incident, Jackson Memorial has new policies and procedures to help prevent future HIPAA breaches:
- There is a thorough orientation for volunteers; and a privacy rule form must now be signed.
- Volunteers are banned from smartphone use in patient-care areas. Volunteers are immediately dismissed if seen with a smartphone in these areas.
- Nursing leaders in every unit give volunteers documentation explaining responsibilities and permitted duties. Both the nurse leader and volunteer must sign this.