Can Patient Attribution Cause HIPAA Violations?


Jim Younkin

A recent story in Oregon’s Lund Report, Longview Hospital Appears to be Accessing Non-Patient Prescription Data, raises concerns about patient attribution and responsibility for unpermitted disclosures and/or breaches of protected health information (PHI). The report alleges, “when doctors leave PeaceHealth St. Johns Medical Center, officials there are able to access prescription records for the physician’s new patients – even when those patients are not affiliated with the PeaceHealth system.” What can we take away from this incident, and how can organizations ensure they are not—even inadvertently—violating federal and state laws that are designed to protect patient privacy?

The article demonstrates the importance of strong policies and procedures to guide health information exchange services that make outside patient information available for treatment. Even as organizations seek efficiency and better care coordination through technology, whistleblowers, patient advocates, and the legal community will not allow “business as usual” responses to unpermitted disclosures of PHI because of inadequate or ignored policies around accessing patient information. HIPAA violations are not cheap. According to the American Medical Association, penalties for violations can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year.

It is essential that provider organizations have proper controls to prevent unpermitted disclosures when leveraging health information exchange (HIE) services. Procedures that prevent employees from accessing health records after they leave the employment of a healthcare provider organization can be confounded by systems that allow access from home computers. HIPAA Security and Privacy violations can arise unless organizations have termination procedures in place and follow them religiously.

It appears the problem in the PeaceHealth case was that a physician’s National Provider ID (NPI) was used to identify which external patient records in the CoverMyMeds system could be accessed by the health care system’s employees. When the physician left PeaceHealth, their NPI should have been immediately “disassociated” from the PeaceHealth system so that PeaceHealth would no longer receive patient records associated with that physician. The story’s source contends that patient records from the physician’s new practice could still be accessed by PeaceHealth employees.

Similar problems can occur with HIE services that deliver PHI to any HIPAA Covered Entity, including hospitals, physician practices, payers, and accountable care organizations, based on patients that have been attributed to these organizations for Treatment, Payment, and/or Healthcare Operations. If those attributions, or the rules that govern them, are not kept current, PHI could be inappropriately delivered to a covered entity after the patient (or physician) has moved on.

The obvious lesson here is that HIPAA covered entities using such services must have controls in place to ensure NPI information is immediately updated when a provider leaves, or when patients or members should no longer be attributed to their organization, and should conduct training and auditing to ensure those procedures are followed.
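To make the attribution failure concrete, here is an added illustration (my own code, not the author's and not how CoverMyMeds or PeaceHealth actually implement attribution). It assumes a simplified HIE delivery service in which each record carries the NPI of the physician it is attributed to, and an organization may receive a record only if that NPI was affiliated with the organization on the record's date of service. The organization names, the NPI value and the record are all constructed placeholders. It contrasts the weak rule (any organization ever linked to the NPI) with a time-bounded rule, shows that the time-bounded rule still leaks if the termination step is skipped, and includes a retrospective audit over the delivery log of the kind the paragraph above calls for:

```python
"""Time-bounded NPI attribution for an HIE delivery service (illustrative only).

Assumption: a record is deliverable to an organization only if the record's
physician NPI was actively affiliated with that organization on the date of
service. All names and identifiers below are constructed examples.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Affiliation:
    npi: str
    org: str
    start: date
    end: Optional[date] = None  # None: not yet terminated (still on staff)


@dataclass(frozen=True)
class Record:
    record_id: str
    patient_id: str
    npi: str            # physician this record is attributed to
    service_date: date


@dataclass
class AttributionRegistry:
    affiliations: List[Affiliation] = field(default_factory=list)
    delivery_log: List[Dict] = field(default_factory=list)

    def add_affiliation(self, npi: str, org: str, start: date) -> None:
        self.affiliations.append(Affiliation(npi, org, start))

    def terminate(self, npi: str, org: str, last_day: date) -> bool:
        """Deprovisioning step: close the open affiliation on the provider's last day."""
        for i, a in enumerate(self.affiliations):
            if a.npi == npi and a.org == org and a.end is None:
                self.affiliations[i] = Affiliation(a.npi, a.org, a.start, last_day)
                return True
        return False

    def orgs_ever_linked(self, npi: str) -> Set[str]:
        """Weak rule: every organization ever linked to the NPI, end dates ignored."""
        return {a.org for a in self.affiliations if a.npi == npi}

    def orgs_active_on(self, npi: str, on: date) -> Set[str]:
        """Hardened rule: only affiliations active on the record's date of service."""
        return {
            a.org for a in self.affiliations
            if a.npi == npi and a.start <= on and (a.end is None or on <= a.end)
        }

    def deliver(self, org: str, rec: Record, time_bounded: bool = True) -> bool:
        """Decide whether to release the record to org, and log the decision."""
        allowed = (self.orgs_active_on(rec.npi, rec.service_date) if time_bounded
                   else self.orgs_ever_linked(rec.npi))
        ok = org in allowed
        self.delivery_log.append({"org": org, "record": rec, "delivered": ok})
        return ok

    def audit(self) -> List[str]:
        """Retrospective check: ids of records delivered to an organization that had
        no active affiliation with the record's physician on the date of service."""
        return [
            e["record"].record_id for e in self.delivery_log
            if e["delivered"]
            and e["org"] not in self.orgs_active_on(e["record"].npi, e["record"].service_date)
        ]


def scenario() -> Dict[str, object]:
    """Constructed example: a physician moves from HospitalA to ClinicB."""
    npi = "1000000001"  # constructed placeholder, not a real NPI
    reg = AttributionRegistry()
    reg.add_affiliation(npi, "HospitalA", date(2014, 1, 1))
    reg.terminate(npi, "HospitalA", date(2015, 2, 28))   # offboarding done correctly
    reg.add_affiliation(npi, "ClinicB", date(2015, 3, 1))

    # Prescription written at the new practice for a patient HospitalA never treated.
    rec = Record("rx-0001", "patient-42", npi, date(2015, 4, 10))

    naive_leak = reg.deliver("HospitalA", rec, time_bounded=False)  # weak rule leaks
    hardened_old_org = reg.deliver("HospitalA", rec)                # denied
    hardened_new_org = reg.deliver("ClinicB", rec)                  # permitted

    # Same move, but nobody ran the termination step: the hardened rule cannot
    # help, which is why the offboarding procedure itself must be followed.
    forgotten = AttributionRegistry()
    forgotten.add_affiliation(npi, "HospitalA", date(2014, 1, 1))
    forgotten.add_affiliation(npi, "ClinicB", date(2015, 3, 1))
    skipped_termination_leak = forgotten.deliver("HospitalA", rec)

    return {
        "naive_leak": naive_leak,
        "hardened_old_org": hardened_old_org,
        "hardened_new_org": hardened_new_org,
        "skipped_termination_leak": skipped_termination_leak,
        "audit_findings": reg.audit(),
    }


if __name__ == "__main__":
    print(scenario())
```

The two failure modes map onto the two controls the paragraph names: the time-bounded rule is the technical control, and the `terminate` call is the procedure that training and auditing must ensure actually happens; `audit` is what a periodic review of the delivery log would run to catch either one slipping.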

Additionally, this case shows that patients should have control over, and easy visibility into, who uses their PHI. Access could be set up proactively so that patients can designate their primary care provider or specialist and determine when information can be shared with other providers. They should be able to keep an updated list of their providers if they choose. In the past, ideas like this were dismissed as impractical, or “wishful thinking.” However, with more than 70% of adults using smartphones in 2015, real-time patient-directed approval of PHI sharing is now possible. Mobile technology enables consumers to control many aspects of their lives; why not put control of our PHI directly in our own hands?

Has your organization discussed issues like this, and what steps have you taken to avoid a similar problem?

