Accidentally Sharing PHI with the Public
Conversations between clinical co-workers about patient diagnosis, treatment, and medications should never occur in public spaces so they cannot be overheard. It may not seem important discussing medicine around non-medical people in a public place like the hospital cafeteria. However, this kind of PHI breach can result in significant financial consequences for hospitals and healthcare organizations.
Healthcare organizations can also inadvertently disclose PHI through circumstances other than a data breach. For example, a healthcare organization may disclose PHI to a patient's employer, or a patient may be filmed or photographed without their consent. PHI in the form of paper records can also accidentally be disclosed by taking it offsite and then accidentally getting lost or stolen. Healthcare organizations should be especially sensitive to this possibility in today's work from home environment (WFH). Also, emailing PHI information to the wrong person or using personal email accounts that are not encrypted can result in HIPAA compliance breach.
- Memorial Hermann Health System – $2.4 million
- New York Presbyterian Hospital – $2,200,000
- Massachusetts General Hospital– $515,000
- Luke's-Roosevelt Hospital Center – $387,000
- Brigham and Women's Hospital– $384,000
- Boston Medical Center – $100,000
Incorrect Disposition of PHI
Patients can become more vulnerable to their healthcare information being exposed to the public if the disposal of PHI is not properly executed by healthcare workers. PHI should be carefully disposed of by shredding of records and destroying hard drives by industry accepted practices.
- Parkview Health – $800,000
- Cornell Prescription Pharmacy – $125,000
- FileFax Inc. – $100,000
Any documents or files with PHI need to be kept in a secure location. Paper files should always be locked in file cabinets and never left unattended. Electronic PHI needs to be secured with strong passwords and encryption. Also, two factor authentication (2FA) to access the servers and networks are also critical. Only just a username and a strong password are not secure enough to thwart today's sophisticated hackers. Employees should also be trained to never share login credentials since their coworkers may not have the same access rights. If an employee handling PHI steps away from their desk, then they should lock their workstation. Specialized screen covers should also be used so that information is only viewable to the person sitting in front of the workstation.
Antivirus and antimalware on devices with PHI should be kept updated via automatic processes to assure that devices are always secure. Specialized hardware-based firewalls will add additional security. There is no substitute for strong passwords that are frequently changed and two-factor authentication (2FA) to thwart hackers.
HIPAA violations can occur if employees or contractors access PHI that they are not authorized to access. Training should emphasize that accessing PHI just for "curiosity" is still nevertheless a breach, and the intent does not matter as the fine will be the same. "I was just curious" is one of the most common reasons employees give when they violate HIPAA rules. People are curious about their families, friends, coworkers, and celebrities. When these violations are discovered, they may involve criminal charges. One health system in Los Angeles was fined $865,000 for failing to protect access to medical records. An employee, Dr. Huping Zhou, was found out to be accessing unauthorized patient records 323 times and for this violation he was sentenced to four months in federal prison.
Unauthorized Release of PHI
Sometimes members of the media can try to use social hacking such as pretending they are a family member to get information about public figures and celebrities. Also, this kind of violation can happen when PHI is released to family members who are not authorized. In addition to clinical care and billing professionals, only parents and children, and those with power of attorney or allowed access to a person's PHI.
When it comes to discussing PHI the principal of "need to know" should be used to decide who should be in the communication loop. Healthcare organizations should implement access privileges with the Minimum Necessary Standards principle. Typically, the people involved should be only the patient, the doctors and others providing care and handling medical billing.
It is an excellent compliance best practice to make sure that disclosure authorization forms are signed and maintained in files. The authorization form should specify what type of information is authorized for release and the expiry date of the authorization. The authorization form could also include classes of individuals, the types of PHI, and the reasons for disclosure. Every authorization should have an expiration date otherwise it is not considered a HIPAA compliant. Care should also be taken to make sure that new authorization forms are signed if needed after an expiration date. Health care workers must also verify the identity of any individual or entity to whom they are providing PHI.