Employees pose greatest threat to PHI security

Article

Last week, Grace Hospital in Winnipeg fired a pharmacist because the healthcare worker had allegedly accessed patient health information from 56 hospital patients, just “out of curiosity,” according to a report in the Winnipeg Sun.

Last week, Grace Hospital in Winnipeg fired a pharmacist because the healthcare worker had allegedly accessed patient health information from 56 hospital patients, just “out of curiosity,” according to a report in the Winnipeg Sun.

After an audit by the privacy staff of the eChart Manitoba, the electronic health record used by its healthcare professionals, hospital administrators were able to identify inappropriate access to PHI, said Real Cloutier, the vice president of the Winnipeg Regional Health Authority.

Six tips on preventing pharmacy data breaches

“Accessing, reviewing, or browsing through patient records out of curiosity is not permitted,” Cloutier said.

“eChart continues to be a valuable system that has helped improve the efficiency and quality of patient care,” he continued in the report by Winnipeg Sun. “Equally important, however, is it has enabled us to better identify and address instances where patient information was accessed inappropriately.”

Hospitals liable for employees’ acts

Hospitals know that they are liable for the acts of their employees in civil law and under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which are enforced by the Office of Civil Rights and states attorney generals, said Kenneth R. Baker, BS Pharm, JD, a pharmacist and an attorney of counsel with the Arizona law firm of Renaud Cook Drury Mesaros, PA.

 

According to the 2012 HIMSS Analytics Report: Security of Patient Data, the majority  (79%) of security breaches were perpetrated by an employee in 2012. “This information from the HIMSS Report should cause hospitals and other healthcare employers to emphasize rules for handling and protecting protected information and possible penalties,” said Baker, one of Drug Topics’ regulatory and legal columnists.

Fines can be steep as demonstrated by a $2.25 million settlement that a large chain pharmacy agreed to pay in 2009 to settle potential violations of the HIPAA Privacy Rule, Baker explained. In that case, the chain also had to develop and implement a plan of corrective action to ensure that protected PHI would be properly disposed, such as prescription bottle labels and old prescriptions, he said.

Privacy officer, plan, and training

Hospitals are required to have a privacy officer and written policies and procedures in place to ensure that they are in full compliance with their HIPAA obligations, said Ned Milenkovich, PharmD, JD, a pharmacist and a principal at Much Shelist, Chicago, Ill.

“All employees within the covered entity are required to follow these policies and procedures. The covered entity is also required to undertake periodic training of its employees to ensure that they are following the requirements set forth under HIPAA,” said Milenkovich, another Drug Topics’ regulatory and legal columnist. “Review by outside legal counsel annually is also a very good way to ensure compliance.”

Mobile devices and security breaches

The 2012 HIMSS Report suggested that mobile devices, such as cell phone, tablets, and laptops, were contributing factors in 31% of security breaches in 2010. So what should hospitals do to help mimimize their risks of a security breach of PHI?

 

“The HIPAA security rules govern how electronic equipment must be secured to prevent the loss of protected health information. Like the HIPAA privacy rules, the security rules require policies and procedures to be in place and followed by covered entity personnel,” Milenkovich said.

In addition, safeguards-such as physical, technical, and administrative-should be in place and reviewed by the information technology experts to ensure compliance, he said.

“Of note, minimum encryption requirements should be undertaken with respect to all electronic devices carrying protected health information, to minimize the risk of a security breach,” Milenkovich said.

Baker agreed and added that individuals with access to PHI records should be properly trained and required to sign a document that they understand their responsibilities and obligations to protect PHI.

He also suggested secure password protection on mobile devices and a way to remotely remove information if a mobile device with PHI is stolen.

 

Related Videos
fake news misinformation | Image Credit: Bits and Splits - stock.adobe.com
Dr. Charles Lee
Related Content
How Health-System Specialty Pharmacists’ Actions Impact External Pharmacy Patients

How Health-System Specialty Pharmacists’ Actions Impact External Pharmacy Patients

December 8th 2023
Article

The analysis revealed deeper issues created by payer and manufacturer lockouts placed on Integrated Health System Specialty Pharmacies.

pharmacist and patient

Reach Your Business Goals in 2021

March 25th 2021
Podcast

In part 1 of our podcast series with American Associated Pharmacies (AAP), AAP President and CEO Jon Copeland dives into key pharmacy industry trends.

Evaluating a Pharmacist-Led Medication Refill Management Service

Evaluating a Pharmacist-Led Medication Refill Management Service

December 6th 2023
Article

A study presented at ASHP Midyear 2023 found that primary care physicians said a refill management service helped reduce burnout and improved the quality of patient care.

Over the Counter podcast

ThoughtSpot Series: Closing the Healthcare Gap

January 7th 2021
Podcast

Our final episode in our ThoughtSpot 2020 podcast series features NPhA president Dr. Ryan Marable and immediate past president Dr. Lakesha Butler, who share insights on health disparities and the social determinants of health.

Slideshow: Evaluating Perioperative Opioid Use and Analgesic Options

Slideshow: Evaluating Perioperative Opioid Use and Analgesic Options

December 4th 2023
Article

Three poster presented at the ASHP Midyear Clinical Meeting delved deeper into perioperative pain management.

Celebrating American Pharmacists Month

Celebrating American Pharmacists Month

October 2nd 2023
Article
© 2024 MJH Life Sciences

All rights reserved.