HIPAA Privacy Rule’s Minimal Necessary Access RequirementsSharing patient information with others in your office can violate HIPAA Privacy Rule

The Minimal Necessary requirement of the HIPAA Privacy Rule is a good example of how Administrative, Physical, and Technical Safeguards must all be employed towards a common goal.

HIPAA data breaches can occur between employees of a medical facility. You don’t have to lose a laptop containing patient records. You don’t have to have your system hacked. You don’t have to sell medical records of accident victims to personal injury attorneys. You just have to share information about a patient with someone not involved in their care– even one of your co-workers– to violate the HIPAA Privacy Rule.

HIPAA Privacy Rule

The HIPAA Privacy Rule requires that “protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function.”  While this seems simple enough, it can take a lot of effort to examine workflows to determine which staff members require the appropriate level of access to perform a function. Too much access can result in protected information being shared without good reason, essentially breaching the information to workforce members not taking part in the patient’s care or business functions. Too little access could affect patient care to a point where it becomes dangerous.

It is easy to want to throw technology at a problem, but sometimes it just isn’t practical. The roles within an organization, and even the size of the organization, may determine the appropriate level of access for a member of the workforce. The HIPAA Privacy Rule gives practices the latitude to define internal processes as long as patient information is not breached.

When setting up an Electronic Health Records system there are multiple levels of access. In a large hospital, a receptionist may be so totally dedicated to specific tasks that she does not need access to orders or lab tests. In another facility the receptionist may be required to verify that tests occurred and results have been received before scheduling a patient or confirming an appointment.

Hospital nurses are assigned to a limited number of patients, but it is not practical—or even safe—to restrict a nurse’s access only to ‘their’ patients. What if someone calls in sick and a nurse has to float to another floor? What if there is an emergency and resources are shifted? There is no time for the IT department or a manager to go into the system and reassign access.  Not being able to access a patient’s record could be a matter of life or death. On the other hand, it could be a data breach if a nurse not involved in a patient’s care accesses their record. Violations of the HIPAA Privacy Rule will depend on how a nurse behaves, not what the system controls.

Snooping

When I worked as the CIO for a hospital, we used our auditing controls to catch a nurse snooping in her ex-mother-in-law’s record. She had been warned when the patient arrived in the hospital, but curiosity overwhelmed her and she was very surprised to find out how effective our monitoring tools really were. She was disciplined and the word spread throughout the hospital. While our IT department did its best to be helpful and support our workforce, everyone quickly understood that we had regulatory responsibilities similar to the nurses and doctors who reviewed patient care.

Is snooping worth your career? In 2008, Britney Spears was admitted to UCLA Medical Center. Employees were caught snooping in her records, and 13 were fired. Others were disciplined, and six physicians were suspended. The hospital was fined over $ 900,000. A subsequent investigation found that employees had snooped in other celebrities’ records, and one employee was indicted for selling information to the National Enquirer.

This is where Administrative Safeguards—policies and procedures—have to take over because technology cannot achieve the desired results.  Sanction policies must have clear warnings against ‘snooping’ in patient records, with serious consequences for violations.

HIPAA Privacy Rule Test

The HIPAA Privacy Rule went into effect in 2003, and it seems that since 10 years have gone by many organizations need to review their offices and remind their workers that protected health information in any form must be secured. Physical Safeguards such as your office layout can be used to secure protected information.

Hospital and medical practice employees seem totally unaware that their phone conversations can be overheard. While in patient areas I hear referral requests being made including patient names and diagnoses or treatments. I hear receptionists calling in orders and requests for lab reports.  While doing compliance audits and Security Risk Analyses, I ask workforce members what HIPAA training they have received. The answers range from “None” to “I received some at my last job” to “We go through a quick PowerPoint once a year on the HIPAA Privacy Rule and OSHA safety training.”  Is anyone paying attention, or is this just a check-off on a requirement?

I even hear complaints from health care workers that their own health information is known throughout their offices, and how everyone shares patient information through idle chatter.

Visit your office as if you were a patient. Sit in the waiting room. Walk to an examining room, then sit there and listen to what comes from the hall and other rooms.  The HIPAA Privacy Rule does not require that offices be remodeled, but you should make sure everyone is aware of what conversations are protected. Do you need to move staff around so those who must arrange for referrals, labs, and tests are out of earshot of patients AND others in the office without a need to hear the confidential information?

How do you handle your copier and fax machines?  Are extra copies left out in plain view for someone to pick up? Are extra copies and discards taken to the locked wastebasket for the shredder?

HIPAA Privacy Rule Checklist

  1. Are users set up in your computer systems to only access the minimally necessary information they need for their jobs?
  2. Do you have a Sanction Policy in effect that defines the consequences for snooping, sharing patient data with other workforce members without a need to know, sharing patient data with friends and family outside the workplace, and sharing patient data for harm or personal gain (a criminal offense)?
  3. Are the auditing features in your computer systems turned on and periodically reviewed? You should ensure that these systems are working properly because you may have to access them long after an event if there is an audit or data breach investigation.
  4. Remind your staff to use discretion when talking on the phone, chatting with their friends, handling paper records, and handling the health care needs of their co-workers.
  5. Make sure your Business Associates also know that these rules apply to them, and that what they see and hear in your office is protected and unauthorized sharing of patient information carries severe consequences.

"originally written for 4MedApproved"