5 Patient Privacy Scenarios that May Surprise You
To provide proper patient care and to carry out daily business functions, healthcare organizations must obtain patients’ sensitive medical details and demographic and account information. In return, patients should be able to trust that the information they provide, known as protected health information (PHI), will be maintained securely and confidentially. Since HIPAA was enacted in 1996, healthcare organizations across the country have been working to achieve these standards and to ensure the privacy and confidentiality of patients’ PHI. Misdirected faxes, documentation mix-ups, and employee snooping are common patient privacy violations; but there are less-obvious privacy risks. Here are five that could land your practice in HIPAA hot water.
1. Disposal of PHI
Scenario: Betty is a coder in a busy medical practice. She deals with PHI of hundreds of patients each week. Occasionally, Betty must dispose of patients’ printed PHI. She understands this information is sensitive and must be disposed of securely, but the nearest secure shred receptacle in her practice is down the hall. She keeps a “shred pile” under her desk in a box, and empties it in the secure shred receptacle once a week. Betty last emptied the box three days ago, but this morning when she arrived to work, she noticed it was empty. She later learned that a new custodial employee emptied the box in the regular trash.
Prevention: If you are like Betty, and hang on to PHI for periodic visits to the secure receptacle, consider some safer alternatives. For example, supplement the larger containers with some smaller ones placed strategically throughout the facility to ensure better accessibility for employees. Many vendors that offer secure disposal services also offer smaller secure desktop or under-the-desk receptacles.
If you keep an unsecured shred pile, make sure it is physically away from visitors and unauthorized persons. At a minimum, be sure you dispose of this information in the secure receptacles several times each day, and definitely before the end of each shift. Not only will this reduce risk to your practice and improve privacy safeguards, but it will also allow you to get up and move around more frequently during the day, which can improve your health and focus.
Get rid of any unsecured boxes or containers stored under or around your workstation. Marking these containers with the words “shred” or “do not throw away” is not adequate to prevent this information from being inadvertently disposed of in regular trash by custodial staff.
If you are a manager or privacy officer, add this item to your risk assessment so you remember to periodically evaluate your employees’ workstations for compliance.
2. Phishing/Social Engineering
Scenario: John works for a large health system. One afternoon he notices an email that appears to come from his information systems (IS) department. The message states that his email has been compromised and instructs him to immediately reset his username and password by clicking the link in the message, which John promptly does. The next day, the director of John’s IS department calls stating that the organization experienced a significant breach of information affecting more than 3,000 individuals, which he has traced to John’s user account. He asks if John has recently provided anyone with his username and password or received any suspicious emails.
Prevention: This scenario and others like it are known as “phishing.” Phishing is a common form of fraud designed to trick people into giving out sensitive information such as usernames, passwords, and account information. Phishers use sophisticated techniques to convince their victims to do what they want, including posing as someone from their organization, even using the company logo (which can be easily obtained on the company’s website) in their signature line. They also use emotion and urgency to compel their victims to give them information, such as making the email recipient believe they have done something wrong and must act quickly to fix it.
Educate yourself and your staff regularly on how to recognize phishing attempts, and reinforce that training with periodic simulated phishing exercises. It takes only one mistake for an attacker to gain access to your system and do serious damage. Make sure staff are familiar with basic precautions, such as never giving out usernames and passwords over the phone, online, or via email, and treating any message that asks them to enter their current password as suspect. Employees should always hover over links before clicking on them so they can see the address the link actually points to, which is often different from the text displayed. Hovering is not a complete defense, however: look-alike domains are built to pass a quick glance. When a message asks for credentials or urgent action, go to the site by typing its known address, or call the IS department directly, and report the message rather than acting on it.
If your organization has not already done so, consider engaging a consultant with strong experience in health information security. They can assess your company’s vulnerabilities and develop a plan to correct them before they result in a breach — possibly saving your company thousands, even millions, of dollars in fines and penalties.
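The "hover before you click" check above can be applied to a whole message at once. The following is an added example, not code from the article or from any health system: it pulls every link out of an HTML email body, compares the host the link really targets with the host a reader would infer from the link text, and flags anything outside an allow-list of organizational domains. The sample email, the `example-health.org` allow-list, and the `login-reset.com` look-alike domain are all constructed for illustration.

```python
"""Flag suspicious links in an HTML email body (added example).

Implements the "hover before you click" check programmatically: for each
<a> tag, compare where the link really goes with what its text suggests,
and with an allow-list of domains the organization actually owns.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical domains owned by the health system (assumption for the example).
TRUSTED_DOMAINS = {"example-health.org"}

# Constructed sample message: one look-alike link, one legitimate link.
SAMPLE_EMAIL = """<p>Your mailbox has been compromised. Reset your password now:</p>
<a href="http://example-health.org.login-reset.com/reset">https://mail.example-health.org/reset</a>
<p>Or visit the <a href="https://portal.example-health.org/help">IS help desk</a>.</p>"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. A crude stand-in for a public-suffix
    lookup, but enough to separate 'example-health.org.login-reset.com'
    (registrable domain login-reset.com) from 'example-health.org'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_in_text(text):
    """If the visible link text looks like a URL or hostname, return its host."""
    text = text.strip()
    if not text or " " in text:
        return None
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname or ""
    return host if "." in host else None


def classify_link(href, text):
    """Return the reasons a link is suspicious (empty list means it looks fine)."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https") or not host:
        return ["non-web or malformed URL: %r" % href]
    reasons = []
    if registrable_domain(host) not in TRUSTED_DOMAINS:
        reasons.append("target domain %s is not an approved organizational domain" % host)
    shown = host_in_text(text)
    if shown and registrable_domain(shown) != registrable_domain(host):
        reasons.append("link text shows %s but the link points to %s" % (shown, host))
    if parsed.scheme == "http":
        reasons.append("plain http link")
    return reasons


def suspicious_links(html):
    """Return [(href, text, reasons)] for every link that raised at least one flag."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        reasons = classify_link(href, text)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href, "<-", repr(text))
        for reason in reasons:
            print("   ", reason)
```

Run against the sample, the first link is flagged three times (untrusted domain, text and target disagree, plain http) while the help-desk link passes. The domain heuristic deliberately errs toward flagging: a mail gateway or a helpdesk triage script would swap in a real public-suffix list and the organization's actual allow-list.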
3. Treating Patients with Visitors in the Room
Scenario: Linda is the manager of a specialty practice. One day she receives a phone call from a patient, Bob, who is very tearful and clearly upset. Bob explains that while staying in the hospital recently, Dr. Smith, a physician at Linda’s practice, rounded on him. At that time, Bob’s adult children were in the room visiting. He explained that Dr. Smith entered the room and immediately began talking with Bob about his medical condition, which included a long history of illicit drug use. His children were not aware of this history because it happened a long time ago. Bob explains that he is simply devastated that this information was disclosed. His children are very upset and are now refusing to allow him to see his grandchildren.
Prevention: Although visitors such as family, friends, and clergy are more common in the inpatient environment, this issue can occur in any healthcare setting. Providers and other members of the care team must use caution when speaking to patients with visitors present. Employees and providers should receive regular training on these important scenarios. Ultimately, providers should alert patients when they are about to discuss private medical information and give them an opportunity to excuse visitors. For example, “Hi Bob, I’m Dr. Smith, I’d like to talk with you about your private medical information. It should only take about 10 minutes. Would you like your visitors to step out of the room while we talk?”
It’s important to ask this with each new visitor. We don’t always understand the relational dynamics between the patients and their visitors, and should never assume. Although it may seem rude to continually ask the patient each time a new visitor enters the room, it’s actually good business practice, and will likely give your patients even more assurance that you value their privacy.
4. Portable Electronic Devices
Scenario: Dan is an auditor for a consulting firm. He is traveling out of town this week and plans to take some work with him so he can complete another big audit project. He saves the project files (which include billing data reports, encounter information, and claims) to his laptop. In total, these files contain PHI of approximately 1,000 individuals. Unfortunately, Dan inadvertently leaves his laptop in the taxi that took him from the airport to his hotel. He contacts the cab company, but the driver reports that several customers have been in the cab since Dan’s trip, and the laptop is nowhere to be found. The laptop was not encrypted.
Prevention: HIPAA does not flatly mandate encryption. The Security Rule lists encryption of electronic PHI at rest and in transit as an “addressable” implementation specification (45 CFR 164.312(a)(2)(iv) and 164.312(e)(2)(ii)), which means a covered entity must either implement it or document why it is not reasonable and appropriate and put an equivalent safeguard in place. In practice it is considered an industry best practice and a minimum safeguard for protecting information on any portable electronic device (e.g., laptop, thumb drive, portable hard drive, compact disc, smartphone). It also changes the outcome of a scenario like Dan’s: under the Breach Notification Rule, PHI that was encrypted in line with HHS guidance is not “unsecured PHI,” so the loss of an encrypted device whose key was not also compromised is generally not a reportable breach. Many devices now come standard with encryption, and those that don’t can be encrypted at little additional cost.
PHI should never be stored or transported on a portable device that is not encrypted and passcode protected. Keep in mind that full-disk encryption only protects a device that is powered off or locked; pair it with a strong passcode and a short auto-lock timeout so that a lost device is actually in that state. If PHI must be stored on a portable device that cannot be encrypted, take decisive steps to physically protect the data, such as keeping it in a locked room. Organizations should also have policies and procedures to guide employees on the secure storage, destruction, and transport of such information. Practice managers and/or privacy officers should regularly evaluate compliance with these policies through periodic risk assessments in their facilities.
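“Is this drive actually encrypted?” is a question a copy script can answer before any PHI lands on a USB stick or laptop data volume. The block below is an added example, not code from the article or from any vendor: on Linux it reads the device tree that `lsblk --json -o NAME,TYPE,MOUNTPOINT` prints and reports whether the device holding a mount point is a dm-crypt (LUKS) mapping or sits on top of one. The `SAMPLE_LSBLK` document and its mount points are constructed to show one encrypted and one plain USB stick. It does not detect file-level encryption such as fscrypt or eCryptfs, and Windows or macOS hosts need a different probe (BitLocker or FileVault status), so treat it as one check among several.

```python
"""Check that a mount point sits on an encrypted block device (added example).

Reads the JSON tree from `lsblk --json -o NAME,TYPE,MOUNTPOINT` and walks it:
a mount is considered encrypted when the mounted node, or any ancestor of
it, is of type "crypt" (a dm-crypt/LUKS mapping). Linux only.
"""
import json
import subprocess

# Constructed sample: /media/secure-usb lives on a LUKS mapping over sdb1,
# /media/plain-usb is a bare partition on sdc.
SAMPLE_LSBLK = json.dumps({
    "blockdevices": [
        {"name": "sdb", "type": "disk", "mountpoint": None, "children": [
            {"name": "sdb1", "type": "part", "mountpoint": None, "children": [
                {"name": "luks-usb", "type": "crypt", "mountpoint": "/media/secure-usb"},
            ]},
        ]},
        {"name": "sdc", "type": "disk", "mountpoint": None, "children": [
            {"name": "sdc1", "type": "part", "mountpoint": "/media/plain-usb"},
        ]},
    ]
})


def _walk(devices, encrypted_above=False):
    """Yield (mountpoint, encrypted) for every mounted node in the tree."""
    for dev in devices:
        encrypted = encrypted_above or dev.get("type") == "crypt"
        mountpoint = dev.get("mountpoint")
        if mountpoint:
            yield mountpoint, encrypted
        # lsblk 2.37+ can also report a "mountpoints" list for multi-mount filesystems.
        for extra in dev.get("mountpoints") or []:
            if extra:
                yield extra, encrypted
        yield from _walk(dev.get("children", []), encrypted)


def mount_is_encrypted(lsblk_json, mountpoint):
    """True or False for a mount point found in the tree; None if it is absent."""
    tree = json.loads(lsblk_json)
    for found, encrypted in _walk(tree.get("blockdevices", [])):
        if found == mountpoint:
            return encrypted
    return None


def live_check(mountpoint):
    """Run lsblk on this host and apply the check (Linux, lsblk from util-linux)."""
    output = subprocess.run(
        ["lsblk", "--json", "-o", "NAME,TYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout
    return mount_is_encrypted(output, mountpoint)


if __name__ == "__main__":
    for target in ("/media/secure-usb", "/media/plain-usb", "/mnt/unknown"):
        status = mount_is_encrypted(SAMPLE_LSBLK, target)
        verdict = {True: "encrypted, copy allowed",
                   False: "NOT encrypted, refuse to copy PHI",
                   None: "not mounted here"}[status]
        print(target, "->", verdict)
```

A wrapper around `live_check` that refuses to copy when the result is anything other than `True` turns the policy sentence above into an enforced control. Returning `None` for an unknown mount point, rather than `False`, lets the caller distinguish “not encrypted” from “I could not tell,” which should also block the copy.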
5. Social Media
Scenario: Susie is an oncology nurse for a large healthcare system. Due to the nature of the conditions treated at Susie’s practice, she sees her patients frequently and has developed friendships with many of them. One of her patients, Jennifer, sends her a friend request through a well-known social media site. Susie accepts and sees that Jennifer posted a very complimentary message about the care she received at her recent doctor’s appointment, and specifically mentions Susie by name. Susie responds to the post, “Thank you for the kind words, Jen. I’m sorry your treatment isn’t responding the way we had hoped.”
Susie is called into her manager’s office later that week, and learns that while Jennifer had been open about her cancer on social media, Susie’s message had been viewed by a number of people who interpreted Jennifer’s prognosis as not good. This had resulted in a lot of emotional distress for Jennifer and her friends over the last several days, and she had filed a formal grievance with the practice. Susie received serious disciplinary action as a result.
Prevention: Although social media can be a valuable tool, it can also pose new risks for which organizations may be unprepared, particularly with regard to patient privacy. Some states even require employers to report privacy incidents to licensing boards such as the nursing or medical licensure boards, which can result in sanctions against employees’ and providers’ licenses.
To prevent a situation like Susie’s, avoid blurring the lines between your professional and personal life by steering clear of relationships with patients on social media. If your company uses social media as a marketing tool, ensure there are policies and procedures to provide guidance on appropriate use. Your organization’s privacy officer or an attorney experienced in HIPAA privacy law can provide valuable input as these policies are developed or revised.
A Perfect Scenario
Remember, patient privacy is a sensitive and important matter, and breaches of PHI can lead to significant consequences for patients, employees, and the organization. Although privacy matters can be diverse in size and scope, always treat others’ PHI as though it’s your own. Be sure your practice regularly assesses patient privacy risks, provides ongoing education, and reviews privacy policies and procedures to address vulnerabilities. If an incident does occur, contact your privacy officer or legal counsel immediately, so they can assist and ensure breach reporting regulations are satisfied, and that the issue is corrected to prevent similar incidents from occurring in the future.
Marea Aspillaga, BS, CHC, CPC, COC, CPMA, has more than 13 years of management and compliance experience in both private and employed professional practices. She serves as the system director of compliance and privacy of professional practices for the Baptist Health System in Kentucky. Aspillaga is a member of the local chapters in Lexington and Louisville, Ky.