New Federal, State Laws Raise the Stakes When Dealing With Employees Who Snoop Into Patient Health Information

Published: 2009-08-12 23:16:49
Author: Eve Collins | Atlantic Information Services, Inc. | July 15, 2009

Health care organizations have more reason than ever to keep employees from snooping into patient records. New laws at the federal level, and in some states, make it clear that letting nosy employees slide is no longer an option.

The HITECH Act’s definition of a ‘breach’ now covers cases in which a person snoops into patient records: “The term ‘breach’ means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” The law also requires CMS and the HHS Office for Civil Rights to investigate complaints where a preliminary inquiry shows that “willful neglect” is the cause. And the law raised the penalties the government can hand down.

Providers might also want to watch what is happening in their own states. In 2008, California enacted two laws to address breaches of patient information. In May, the state handed down its first administrative penalty against a hospital under the two laws, assessing the maximum penalty of $250,000 on Kaiser Permanente Bellflower Medical Center. Bellflower self-reported incidents of employees accessing patient information without authorization during a high-profile patient’s stay.

But individuals are at risk too. In some cases, the nosy employees can be prosecuted under federal or state laws, depending on what they do with the patient’s information.

Attorney Kirk Nahra says health care organizations are battling two different issues here: access issues and policing issues. “The problem that many health care businesses have had is that it’s difficult to restrict access. A nurse in a hospital setting might need access at any moment to anyone’s information,” he points out. “That tends to shift the emphasis to the back end, which is, ‘How do we make sure people are only using what they need?’”

With a celebrity’s records, extra controls on the data and swift punishment for transgressors should help, Nahra says. “If you take action on a person who accesses the information…the swift consequences reduce the risks” that it will happen with that perpetrator again or that others will try it. “You also want to do audits and track who has access to [the celebrity’s records].” One or two nurses would need access, but 100 would not, he says.
