Radiologist Data Breach Highlights HIPAA Security Risks for ASCs

A recent security breach at a Derby, Conn., hospital highlights some risks that could easily plague an ASC, an imaging center, or any physician-owned medical facility.


In March, Griffin Hospital, a 160-bed acute-care hospital, was forced to inform 957 patients that their confidential health records had been improperly accessed by a former radiologist. According to reports of the incident, the radiologist’s employment with the hospital ended in early February, and over the following month the radiologist accessed the information on the hospital’s PACS (Picture Archiving and Communication System) using other staff members’ user names and passwords. The hospital learned of the incident because some patients reported they had been contacted by the radiologist, apparently soliciting their business for a new venture. Although the records contained some patient data in addition to medical images, apparently no financial information or social security numbers were included in those specific records.

The reaction of the hospital was decisive and proper. They notified all 957 patients whose files were — or could have been — accessed by the radiologist. They informed the media and cooperated with the office of the state Attorney General. They posted detailed information about the breach on their website, including contact information for their legal/compliance officer for additional information. They issued a press release that reiterated their commitment to patient confidentiality in general and to HIPAA Security in particular. They also stated that they have changed all the passwords on their PACS systems. And lastly, they notified the U.S. Secretary of Health and Human Services.

There are several instructive lessons to be learned from this episode for ASCs:

First, ASCs and other physician-owned facilities are definitely under a microscope, and any real or perceived episode involving the compromise of patient safety, billing, fraud, security, etc., can potentially have disastrous results. This specific episode made limited headlines nationally; imagine what would have happened had this been an ASC or other physician-owned facility.

Second, since most ASCs have rather complex ownership and employee/contractor arrangements, and those relationships can be very fluid, the dynamics are definitely there for a lot of trouble. Anyone in the organization who feels they have been wronged or mistreated could be motivated to take some kind of action that would be potentially damaging to the facility.

Third, the combination of large data storage systems and remote broadband internet access allows for a potentially large data breach with little outside evidence. A person walking out of an ASC with 957 patient files would attract some attention. A person accessing 957 patient records over a T1 line is not obvious to outside observers. Coupled with a general lack of attention to HIPAA Security in healthcare in general, there is a potential for great harm.

Here are other specific items from the story that make for a good checklist for any ASC:

1. The radiologist used others’ user names and passwords. You should never share user names and passwords.
2. User names/passwords should be changed frequently. After any employee or contractor leaves the ASC, all passwords should be changed.
3. You should have a HIPAA Security policy in place. (It is completely different from HIPAA Privacy, which covers paper records.) It should be reviewed frequently with your clinical and business staff, at least yearly.
4. In Feb. 2009, in conjunction with the ARRA/HITECH Act, the HIPAA Security Rule changed dramatically, with significantly higher fines and more stringent reporting requirements. If you have not looked at your HIPAA Security policies since then, you are at risk. Note: The new HIPAA Security policies apply even if your ASC is not eligible for — nor is applying for — ARRA/HITECH funds.
5. If you have a HIPAA Security breach — or even if you merely suspect such a breach — you should follow the procedures set out by CMS, which is what Griffin Hospital did.
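Checklist items 1 and 2 are easier to enforce if someone actually reviews the PACS audit trail for the two things that went wrong here: an account still in use after its owner has left, and one login being used from more than one place at the same time (the usual sign that a user name and password are being shared). The following is an added example, not code from the article or from any PACS vendor; the log line format, the staff roster and every name, date and IP address in it are constructed for illustration.

```python
"""Review a PACS audit log for two access-control failure modes:
(a) use of an account after its owner's termination date, and
(b) one account used from different source addresses within a short window,
    which suggests the credentials are being shared.

All data below is constructed sample data; the 'timestamp user ip action'
line format and the roster are assumptions, not any real product's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed roster: username -> date on which access should have ended
# (None means the person is still active).
ROSTER = {
    "rad_smith": datetime(2010, 2, 5),   # departed early February
    "tech_jones": None,
    "rn_lee": None,
}

# Constructed audit log lines: "timestamp user source_ip action"
AUDIT_LOG = """\
2010-02-03T09:12:00 rad_smith 10.0.4.21 VIEW_STUDY
2010-02-10T22:41:00 rad_smith 203.0.113.7 VIEW_STUDY
2010-02-11T08:05:00 tech_jones 10.0.4.30 VIEW_STUDY
2010-02-11T08:07:00 tech_jones 198.51.100.9 VIEW_STUDY
2010-02-11T14:00:00 rn_lee 10.0.4.31 VIEW_STUDY
2010-02-12T23:10:00 rn_lee 203.0.113.7 EXPORT_STUDY
"""


def parse_log(text):
    """Parse the constructed log format into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "action": action})
    return sorted(events, key=lambda e: e["ts"])


def access_after_termination(events, roster):
    """Flag any event by an account that is off the roster or past its end date."""
    findings = []
    for e in events:
        if e["user"] not in roster:
            findings.append((e["user"], e["ts"].isoformat(), e["ip"],
                             "account not on roster"))
            continue
        end = roster[e["user"]]
        if end is not None and e["ts"] >= end:
            findings.append((e["user"], e["ts"].isoformat(), e["ip"],
                             "access after termination date"))
    return findings


def shared_credential_indicators(events, window=timedelta(minutes=15)):
    """Flag one account seen from two different source IPs within `window`.

    A legitimate user does not normally log in from a reading room and from
    an outside address two minutes apart; this is an indicator for review,
    not proof of sharing.
    """
    by_user = defaultdict(list)
    for e in events:                      # events are already time-ordered
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break                 # later events are further apart still
                if a["ip"] != b["ip"]:
                    findings.append((user, a["ip"], b["ip"], b["ts"].isoformat()))
    return findings


def review(log_text, roster):
    """Run both checks and return the findings for a compliance reviewer."""
    events = parse_log(log_text)
    return {
        "after_termination": access_after_termination(events, roster),
        "shared_credentials": shared_credential_indicators(events),
    }


if __name__ == "__main__":
    for category, items in review(AUDIT_LOG, ROSTER).items():
        print(category)
        for item in items:
            print("  ", item)
```

In the constructed data the departed account `rad_smith` is still reading studies five days after its end date, and `tech_jones` appears from an internal and an external address two minutes apart. Note that in the Griffin incident the former radiologist used other people's credentials, so the first check alone would have found nothing; the second indicator, together with prompt deprovisioning and a password change after any departure, is what addresses that case.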
 
There is a lot of attention on electronic medical records, with some in favor of it and many people opposed to it for a variety of reasons, including the real and perceived security threats. There is a lot of attention — some positive but quite a bit negative — on ASCs and other physician-owned facilities. These two factors make HIPAA Security Rule compliance a high priority.

Making sure your ASC is up to par and compliant with the revised HIPAA Security Rule makes good business and clinical sense, and will help keep you out of the news.

Marion K. Jenkins, PhD, FHIMSS, is founder and CEO of QSE Technologies, which provides IT consulting and implementation services for ASCs and other medical facilities nationwide. Learn more about QSE Technologies at www.qsetech.com.
