Insider Threat Examples: HIPAA Violations Go Unpenalized In Iowa

When I got my Sunday Des Moines Register out of the orange box across the road this morning, the front page headline leaped out at me, “Medical privacy law fails to stop snooping.”
In one of the incidents described, a woman was deeply embarrassed and humiliated after intimate details from her doctor’s files about an operation on her uterus, along with her full name, were apparently published in marketing material…

“The article [which was published in her hometown newspaper] included her full name and occupation. There were details of what was called her “embarrassing” and “odd” medical problem of heavy menstrual flow. The article described her physician’s treatment and said, “Now Jill no longer experiences heavy and irregular periods.” Jill says she was subjected to public ridicule, humiliation and depression. She is now suing a medical-services company and its public relations firm for the alleged unauthorized use of her name and medical condition in a promotional piece that masqueraded as a news article.”

Isn’t this amazing?
Doesn’t it make you mad to know that we’ve had the Health Insurance Portability and Accountability Act (HIPAA) in effect for years, and still the Department of Health and Human Services (HHS) has only recently applied a single sanction, despite what seem to be ongoing news reports of flagrant HIPAA violations?
It seems many other Iowans have also been victims of inappropriate access to their protected health information (PHI), largely as a result of insiders getting into patient files simply because of curiosity and gossiping and not for any job-related requirement.

“Jill isn’t the only Iowan to complain of medical-privacy violations. A Des Moines Sunday Register review of state and federal records shows that dozens of Iowa health care workers have been disciplined by their employers for snooping through the medical records of HIV-positive men, pregnant teenagers, victims of domestic violence and emergency-room patients.
Not one of them has been prosecuted for violating the federal patient-privacy law known as HIPAA, an acronym for the Health Insurance Portability and Accountability Act. When enforcement of the law began in 2003, it was touted as an effective tool in the fight to improve patient privacy.”

The article details many situations where healthcare provider workers continued to access patient details and share them with others outside their organization, even after multiple warnings not to do so.
Do you ask your healthcare provider what they do to safeguard your protected health information (PHI)? The more people ask and make this an issue, the more compelled healthcare providers will be to follow the HIPAA requirements.
If you are responsible for information security and privacy at a healthcare provider, are you pushing the personnel and contracted staff to be sure to follow the required safeguards? Many information security and privacy practitioners I’ve spoken with from healthcare providers have told me tales of the huge challenges involved.
If you are a doctor, a nurse, or otherwise employed by a healthcare provider, please know and follow the requirements for keeping your patients’ privacy protected and their PHI appropriately safeguarded!
Earlier this year I went to a new doctor, and was given a stack of sheets to fill out and sign on the first visit. One of the sheets was almost bare except for a couple of brief sentences similar to, “I have read and understand this medical center’s notice of privacy practices. I understand that I will not receive treatment or care unless I sign my name to indicate my receipt of the notice of privacy practices.” It then had a line for my signature. However, within that large pile of papers, I could not find the notice of privacy practices (NPP)!!
When the doctor came, I asked her where the NPP was. She said, “Oh, it’s basically the same as every other doctor provides.” Then she looked at me like I was asking a ridiculous question.
“But,” I replied, “You are asking me to provide my signature to indicate that I have actually received a copy, that I read it, and I understand it. I can’t sign this paper without getting a copy and reading it.”
The doctor…yes, the doctor…rolled her eyes and muttered something about not having had to “dig one of those out” for a long time, and that “no one else ever wants to see them,” but then she did get me a copy. And after reading it, I pointed out to her how it could be improved upon. It was actually very badly written, heavy with legalese, but probably was considered to technically meet the HIPAA requirements for the components of an NPP.
If patients don’t hold their healthcare providers accountable for following information security and privacy requirements, and if the HHS does not hold them accountable, then who is going to keep *YOUR* intimate medical details from being printed in promotional materials for medical vendors who provide training or equipment to your provider? Who will keep the healthcare provider workers from spreading your intimate PHI all over town…or posting it on the Internet?
You don’t want to end up in a situation like Jill, do you?
