Saturday, January 29, 2011

Curiosity Killed the Cat

Last year, a court sentenced a cardiac surgeon to four months in prison for violating the federal privacy law known as HIPAA. The penalty surprised those of us who have studied HIPAA. We thought imprisonment would be reserved for those who profited financially from disclosing confidential information. While the surgeon had illegally accessed information over 300 times, he had not sold the information, but had kept it to himself. The case gave a clear warning to health care providers. The HIPAA police are here and they mean business!

History of HIPAA
In 1996, Congress enacted HIPAA to encourage the use of electronic patient records. Congress hoped the law would reduce health care costs. The law included provisions for assigning each American a unique patient identification number. A patient’s entire medical history and related financial information would be attached to that number and accessible over the Internet. Strong opposition to HIPAA arose because of privacy concerns. Responding to those concerns, the Department of Health and Human Services (HHS) issued privacy regulations in 2002. The regulations require health care providers to protect information they receive from their patients. Recently, the federal government has begun vigorously enforcing HIPAA.

In a 2010 case similar to the one involving the surgeon, the government disciplined a nurse who accessed her ex-husband’s medical records at the hospital where she worked. Significantly, her actions also violated her ethical obligation to protect patient confidentiality. Her nursing board could revoke her nursing license for her actions.

Recent Cases - Pharmacies
In the early part of 2000, the HIPAA police learned that CVS pharmacies nationwide had been tossing old patient records into dumpsters behind the stores. This clearly violated HIPAA’s requirement that such records be shredded. To settle the enforcement action, CVS paid $2.25 million in fines and submitted to long-term monitoring of its privacy practices.

In 2010, the HIPAA police slammed Rite Aid Pharmacies with a $1 million fine. That year, the government also initiated an investigation into Walgreen’s HIPAA practices.

Since the enactment of laws requiring those who purchase cold medicines containing ephedrine to sign a pharmacy log, we’ve all seen the ephedrine logs beside the pharmacy cash registers. Last year, the HIPAA police cited a local pharmacy for positioning the log on a counter in a way that exposed the names of customers who had signed the log.

In another case, a pharmacy employee accidentally put one patient’s insurance card into a bag containing another patient’s medication.

Finally, another pharmacy chain did not comply with HIPAA’s requirement that all of its business associates sign confidentiality contracts agreeing to protect patient information. The associate in question was the pharmacy’s lawyer.

Inadvertent Disclosures – “Don’t Talk So Loud!”
HIPAA requires health care providers who talk about their patients to speak quietly so that they are not overheard. Last year, the government disciplined a physician who chose to discuss his patient’s HIV treatment in the clinic waiting room while other patients were present. It also disciplined a hospital nurse who chatted too loudly about her patient’s HIV diagnosis.

Other inadvertent disclosures that are illegal include:
1. Positioning computer screens on counters so that they can be viewed by people in the waiting areas of the clinic
2. Leaving patient charts out where they can be read
3. Talking to a patient on the telephone about his condition in a location where others can overhear the conversation
4. Leaving messages with people at the patient’s home or office or on answering machines without patient consent
5. Discussing a patient’s condition without patient consent – this may happen in cases where the provider seeks a second opinion or advice on a case
6. Talking about patients in office “huddles” when the huddle includes people who are not on the patient’s treatment team

A Word to the Wise
Health care providers who receive a patient complaint concerning privacy practices or who are contacted by government investigators about potential privacy violations should immediately contact their practice attorney for guidance. We have learned from recent cases that HIPAA violations can result in significant fines, imprisonment, loss of staff privileges, and loss of professional licensure. Providers should not try to handle these cases without legal counsel.