
HIPAA in the News (Part 1 of 3)

Recently, there have been several HIPAA violations in the news. It’s gotten me thinking about the state of HIPAA today. HIPAA was enacted in 1996; those of us who need to know about HIPAA (or who are simply curious) have informed ourselves, right? We’ve read the law, we know what HIPAA means… right?

Sure, we’ve read the law, but what does HIPAA mean in the context of today, in the year 2011? I decided to dedicate a 3-part blog series to an exploration of HIPAA now. I start today by reviewing some of the HIPAA cases that have been in the headlines lately, hoping these cases will highlight the current state of HIPAA.

Violation 1: Records Accessed by Unauthorized Employees at University Medical Center in Tucson, AZ

In January, three clinical support staff members and a contracted nurse were fired for accessing confidential patient records without authorization at University Medical Center (UMC) in Tucson, AZ. At the time, Representative Gabrielle Giffords (who was the victim of an assassination attempt on January 8) was being treated at UMC. On its website, UMC stated the following: “With advances in technology, ensuring patient privacy has become the focus of hospitals nationwide. UMC uses sophisticated technology to help prevent and detect inappropriate access to patient information.”

Lesson Learned: Technology advances, but human nature stays unchanged. Humans are curious. Even in the face of HIPAA infractions, we are curious, and we are especially curious about people in the public eye. I suspect that curiosity was the motivator in the case of these HIPAA infractions. What do we learn from this? HIPAA training is crucial for medical staff, and it is important to stress that even in the case of curiosity, HIPAA infractions are serious and punishable.

For help formulating HIPAA policies, see our whitepaper, “In the Labyrinth of Regulatory Compliance: HIPAA” (check out page 10, Formulating Internal Policies).

Violation 2: Backup Tapes Stolen from the New York City Health and Hospitals Corp.

In December, backup tapes belonging to the New York City Health and Hospitals Corp. (HHC) were stolen from a truck while being transported to a storage location. The stolen data included personal information of patients like names, addresses, Social Security numbers, and more, dating back 20 years; 1.7 million individuals may have been affected. The tapes had not yet been encrypted, though HHC stated the following: “Although the data were not encrypted, it exists in a proprietary program that scrambles the records and would make it difficult for individuals without specialized technical expertise and access to the right software and computer hardware to view the private information.”

Lesson Learned: From an IT perspective, backup tapes are critical in the event of a disaster; essentially, they are an insurance policy to make sure the system gets up and running so business can continue. From a compliance perspective, the importance of the security of backup tapes should not be ignored.

Our archiving solution, Netmail Archive, is a secure alternative to backup tapes; lost data can be restored from the centralized (and secure) Archive repository following a disaster, without the need for backup tapes.

Violation 3: Massachusetts General Hospital Settles with U.S. Government for $1,000,000

In February, the General Hospital Corporation and Massachusetts General Physicians Organization Inc. (Mass General) settled with the U.S. government for $1,000,000 over HIPAA violations. The HIPAA violations arose from an incident in which a Mass General employee left documents containing patient information on a subway train. The lost documents included names and medical record numbers of 192 patients and billing documents containing the names, dates of birth, medical record numbers, insurance information, and diagnoses of 66 patients.

Lesson Learned: Again, we see the importance of creating and enforcing a HIPAA policy. In fact, it was stipulated in the settlement that Mass General is required to create and implement a policy regarding the removal of personal health information from the facility. Training of employees is also stipulated in the settlement.

For more information about formulating policies, watch our 4-part Email Records Retention video series (featuring attorney Benjamin D. Wright), available on our YouTube channel.

From these recent events involving HIPAA, we see that HIPAA violations are taken seriously and both individuals and organizations can be held accountable. We also see the importance of creating and maintaining policies regarding access to patient information and the securing of physical data.

Tune in next week for Part 2 of my 3-Part HIPAA Now Series: HIPAA and Social Media

Jane Bolton Lacombe
Jane is the Product Marketing Coordinator at Messaging Architects.

