Long-awaited federal audits are finally here under the Health Insurance Portability and Accountability Act (HIPAA). The shift toward proactive enforcement of patient privacy laws sends a clear message: Healthcare providers of all sizes, and their business associates, must be accountable for securing patient information—or they can face fines.
While some providers may groan, the times require serious protection against very real threats to patient privacy, ranging from cybercrime to careless lapses. Increasingly, government and media reports reveal atrocities, such as embarrassing patient images posted to social media, often the result of healthcare workers snapping photos and sharing them.
Such incidents not only violate patients’ rights, but also human dignity.
Ideally, federal audits will impose needed pressure, leading to heightened awareness of risks and the importance of a culture of vigilance in places where it is lacking. Even simple precautions and good daily habits can prevent abuses.
The need to respect privacy
The challenge is to create a mindset of high respect for privacy, and to enforce policies and procedures that reduce the chance of violations.
Think of the senselessness and the consequences of a case reported last month by USA Today. A New York nurse took photos of an unconscious patient’s penis, and then shared the photos with co-workers. The nurse initially faced a felony charge, but agreed to give up her nursing license for a reduced sentence. Nursing homes are particularly ripe for similar types of abuses involving nakedness, as ProPublica has reported.
Incidents are far from isolated. Earlier this year, the National Council of State Boards of Nursing (NCSBN) released survey findings, indicating 48% of responding nursing boards (33 in total) faced social media challenges. In some cases, complaints related to images of wounds and procedures photographed on mobile phones and then shared.
Settlements and fines
Even for smaller practices, settlements and fines can be steep. Last September, for instance, a group of radiology oncologists in Indiana agreed to pay $750,000, resulting from the theft of a laptop bag from an employee’s car. The bag contained the employee’s computer and unencrypted backup media, which contained the names, addresses, dates of birth, Social Security numbers, insurance information, and clinical information of approximately 55,000 current and former cancer patients. The government’s investigation found that the medical group had not conducted a proper risk analysis.
The government determined that a proper device and media-control policy could have educated employees on their responsibilities for safeguarding devices with patient information.
The 2016 audit program
In 2016, the audit program will focus on a review of policies and procedures followed by healthcare providers and their business associates.
According to the government’s announcement, auditors will review documents and share draft findings with auditees, who will have the opportunity to respond.
Auditees will be alerted by email and asked for information. For organizations with automatic spam filtering and virus protection, the government cautions that you are expected you to check your junk or spam email folder for emails from OCR (email address: OSOCRAudit@hhs.gov).