Employees pose greatest threat to PHI security

Last week, Grace Hospital in Winnipeg fired a pharmacist because the healthcare worker had allegedly accessed patient health information from 56 hospital patients, just “out of curiosity,” according to a report in the Winnipeg Sun.

After an audit by the privacy staff of the eChart Manitoba, the electronic health record used by its healthcare professionals, hospital administrators were able to identify inappropriate access to PHI, said Real Cloutier, the vice president of the Winnipeg Regional Health Authority.

Six tips on preventing pharmacy data breaches

“Accessing, reviewing, or browsing through patient records out of curiosity is not permitted,” Cloutier said.

“eChart continues to be a valuable system that has helped improve the efficiency and quality of patient care,” he continued in the report by Winnipeg Sun. “Equally important, however, is it has enabled us to better identify and address instances where patient information was accessed inappropriately.”

Hospitals liable for employees’ acts

Hospitals know that they are liable for the acts of their employees in civil law and under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which are enforced by the Office of Civil Rights and states attorney generals, said Kenneth R. Baker, BS Pharm, JD, a pharmacist and an attorney of counsel with the Arizona law firm of Renaud Cook Drury Mesaros, PA.

According to the 2012 HIMSS Analytics Report: Security of Patient Data, the majority  (79%) of security breaches were perpetrated by an employee in 2012. “This information from the HIMSS Report should cause hospitals and other healthcare employers to emphasize rules for handling and protecting protected information and possible penalties,” said Baker, one of Drug Topics’ regulatory and legal columnists.

Fines can be steep as demonstrated by a $2.25 million settlement that a large chain pharmacy agreed to pay in 2009 to settle potential violations of the HIPAA Privacy Rule, Baker explained. In that case, the chain also had to develop and implement a plan of corrective action to ensure that protected PHI would be properly disposed, such as prescription bottle labels and old prescriptions, he said.

Privacy officer, plan, and training

Hospitals are required to have a privacy officer and written policies and procedures in place to ensure that they are in full compliance with their HIPAA obligations, said Ned Milenkovich, PharmD, JD, a pharmacist and a principal at Much Shelist, Chicago, Ill.

“All employees within the covered entity are required to follow these policies and procedures. The covered entity is also required to undertake periodic training of its employees to ensure that they are following the requirements set forth under HIPAA,” said Milenkovich, another Drug Topics’ regulatory and legal columnist. “Review by outside legal counsel annually is also a very good way to ensure compliance.”

Mobile devices and security breaches

The 2012 HIMSS Report suggested that mobile devices, such as cell phone, tablets, and laptops, were contributing factors in 31% of security breaches in 2010. So what should hospitals do to help mimimize their risks of a security breach of PHI?

“The HIPAA security rules govern how electronic equipment must be secured to prevent the loss of protected health information. Like the HIPAA privacy rules, the security rules require policies and procedures to be in place and followed by covered entity personnel,” Milenkovich said.

In addition, safeguards-such as physical, technical, and administrative-should be in place and reviewed by the information technology experts to ensure compliance, he said.

“Of note, minimum encryption requirements should be undertaken with respect to all electronic devices carrying protected health information, to minimize the risk of a security breach,” Milenkovich said.

Baker agreed and added that individuals with access to PHI records should be properly trained and required to sign a document that they understand their responsibilities and obligations to protect PHI.

He also suggested secure password protection on mobile devices and a way to remotely remove information if a mobile device with PHI is stolen.