Thursday, July 2, 2009

Don’t Forget HIPAA Privacy Rules

As we move towards EMR’s, the ability to know who has looked at the medical record may get more and more in trouble. While we are all curious about our friends, neighbors, and celebrities (local or global), it is important to respect each others privacy. This local Arkansas story shows the importance of this respect.

Hospital emergency room coordinator Candida Griffin, patient account representative Sarah Elizabeth Miller and Dr. Jay Holland, a family doctor who worked part time at the hospital, each face up to a year in prison and $50,000 fine if convicted of the misdemeanor charge.

I would hope that all three of the people listed above would have “known better.” When this story broke earlier this week, the staff in the OR and I had a nice discussion on who gets HIPAA training and how much each get.

I think as part of their punishment, they and perhaps the facility (St Vincent Health System) should have to do refresher courses on HIPAA privacy rules.

The hospital said in November that it fired up to six people for looking at Pressly's records after a routine patient-privacy audit showed that as many as eight people gained access to them.

It was not immediately clear whether others fired from the hospital would face charges. U.S. Attorney Jane Duke declined to comment about the charges Tuesday.

With paper charts, there isn’t a trail proving you or I accessed the chart without need to do so. With EMR’s there is but this trail is not fool-proof. If I haven’t logged off and you look over my shoulder, then ….

If you haven’t logged off and I ask for a quick look at patient 007’s lab work and you do me a “favor” of checking quickly. See, not perfect. No harm was intended and patient 007’s info may never be “leaked” to the press, but someone who perhaps had no need to access it did so.

My circulating nurse in the OR during the discussion revealed that she had heard a lot of talk about the Ann Pressley case which she admits she should not have. She didn’t access the chart. She was working in another hospital’s ER. It was the police and EMT’s doing the talking. There is no trail to “prove” those violations of patient privacy trust.

We need to be more careful in discussing patients and cases. We still need to be able to discuss difficult or unusual cases, but this can be done without breaking a patient’s trust or privacy. Names and identifiers don’t have to be used when stumped by a rash or odd presentation.

Dr Holland had no malicious intent, just curiosity. Be careful.

Arkansas Democrat Gazette article Doctor, ex-hospital employees charged over Pressly records (subscription required) written by Linda Satter

3 charged with getting TV anchor's medical records by Jon Gambrell (no subscription required)

Bookmark and Share

2 comments:

Chrysalis Angel said...

Do you know who I feel is at most risk for this violation? Hospital employees, doctors, nurses, staff in various departments. Click of the button and your employer, and your colleagues all know what doctor you saw, when you saw them, and more.

I won't forget when my medical information was brought up in an interview. They even knew what stage cancer I'd had. My first clue.

tom@emergencyexcellence.com said...

Here is a concise summary of the HIPAA requirements -- http://emergencyexcellence.com/ed_toolkit/HIPAA.pdf.

HIPAA has sharp teeth and we should not be surprise when it is strictly enforced in the emergency department.

Tom Scaletta, MD
President, EmEx
www.EmergencyExcellence.com
877-700-3639