Preventing Criminal Violations of HIPAA That Can Really Hurt
Since the HIPAA Privacy and Security regulations were enacted several years ago, there have been few enforcement actions against "covered entities" like ambulance services. That is not unusual in the first few years of a regulation, when government enforcement agencies allow for an "educational curve" and give violators the benefit of the doubt. But government officials have signaled that this is about to change.
And on other fronts, the government has been very active in pursuing numerous individual health care providers, invoking the very tough criminal penalties section of HIPAA against them. Criminal penalties for individuals who violate the law are very tough and include up to 10 years in prison, restitution and up to $250,000 in fines. A criminal violation occurs when the individual knowingly discloses protected health information (PHI) for a purpose not permitted under HIPAA and with the intent to use the PHI for personal gain. These often egregious cases of abuse of patient information can have devastating effects not just on the individual who may end up in the "Cross Bars Hotel" but on the EMS agency where the individual serves. Here are just a few recent examples:
- In the first HIPAA prosecution, a Seattle area phlebotomist stole a dying cancer patient's credit card and rang up $9,000 in purchases. The offender was sentenced to jail for 16 months in this case for violating patient privacy and identity theft.
- A woman who worked in a physician's office that provided physical examinations to government employees (like FBI agents) was sentenced to six months in jail, four months of home confinement and two years of supervised released after she pleaded guilty to selling an FBI agent's medical records to a person she believed worked for a drug dealer. The man she sold the records to was really a government informant.
- A former scheduler at a Florida medical clinic owned by the Cleveland Clinic was recently indicted for stealing PHI and other confidential information on 1,100 patients. She also allegedly gave Medicare beneficiary numbers to others who used them to file fraudulent Medicare claims. The scheme led to the alleged submission of $2.8 million in false Medicare claims.
The bottom line is that no individual or organization can afford the consequences of a criminal prosecution for breaching patient privacy. Can this happen in EMS? Absolutely. The temptation to steal patient information and to misuse it becomes much easier when patient records are stored electronically and can easily be downloaded onto a thumb drive or e-mailed to an offsite location. The use of field data collection devices, digital photography and video in the field pose risk where there are no procedures in place to control their use. PHI can be in virtually any form, including not only text and numbers on paper or electronic files, but also photos, videos and even verbal transfer of patient information. For example, selling a digital photo of an accident or crime scene victim you treated while on duty to the news media could be a potential criminal violation of HIPAA.
So what can be done to avoid this potential problem? Here are some suggestions:
- Accept only good people (not "bad apples") into the organization! It is getting tougher to find good people these days, but the key to avoiding liability is to stay focused on this goal. You must have a group of EMS personnel who are ethical in all patient interactions and who respect the dignity and privacy of the individual. You should only allow good, honest and ethical personnel deal with patient information. Otherwise, the improper behavior of the "bad apples" can lead to liability and extend to others in the organization when nothing is done to stop it.
Recruit carefully and put new personnel through background checks, criminal history checks and challenging and in-depth application interviews. During an interview, why not ask applicants to describe how they would handle a particular ethical dilemma? Or perhaps, ask them what they would do if they observed unethical behavior of a colleague. The answers to these questions can often provide insight into how an individual will deal with the tough ethical issues when no one is around to observe the behavior. Inadvertently hiring a "bad apple" without detecting it means it will only be a matter of time before the damage occurs.
- Establish clear policies on protecting patient information. This includes the development of solid security measures to avoid inadvertent or improper disclosures of PHI. The policies should encourage everyone in the organization to be vigilant about patient privacy and security, so that everyone is "on the watch" for behavior that could compromise the law and ethical principles. Everyone should be alert to coworkers who talk about unethical practices they've engaged in outside of work such as cheating on income tax returns, theft of goods and services, taking home company supplies, etc. These behaviors could be "red flags" that would indicate that the person may be predisposed to engage in unethical or dishonest behavior in the EMS workplace.
- Have a solid compliance plan in place and train on it! People need to know the ground rules and what the organization expects of them. Every covered EMS agency must have in place policies that deal with the use and disclosure of PHI, as well as the security and integrity of PHI. The policies should be widely distributed and made a key part of staff orientation and ongoing training. The policies should be updated annually to ensure compliance with changes in the law and to address problem areas that have come up. For example, many EMS agencies are now updating their policies on the use of personal cell phones and digital imaging devices in light of the recent increase in the personal use of these devices.
- Encourage internal "whistleblowing." It is far better to have people in the organization be "on the alert" for potential violations and to report them to the compliance officer or other responsible manager than to take their concerns "outside" to the government enforcement agencies. Everyone benefits when there is a "culture of compliance" that spots problems early and deals with them before they evolve into criminal conduct.
The consequences of criminal sanctions for violating a patient's privacy are great. It could ruin an individual's EMS career and seriously damage the reputation of the organization.