Employers who are subject to HIPAA must ensure they have the proper monitoring protocols and policies in place to quickly and aptly tackle any violations.

A recent case highlights how one medical provider appropriately managed its HIPAA compliance by consistently enforcing its policies and keeping tabs on who accessed protected health information. While the case involves a provider, employers with health plans subject to HIPAA can also draw valuable lessons from it.

Background

Lankenau Medical Center (Lankenau) is an acute care hospital that is part of Main Line Health (MLH), a not-for-profit health system. Gloria Terrell (Terrell) worked as an operating room (OR) secretary for Lankenau for more than 35 years. As an OR secretary, Terrell was responsible for the OR schedule, calling for patients, sending for blood and medications, patient billing and charts, office supplies, ordering uniforms and other related duties.

In her capacity as OR secretary, Terrell had access to the hospital system used to store various forms of protected health information such as patient names, dates of birth, social security numbers, phone numbers, and insurance information. However, she did not have access to patient medical charts. As in many health care organizations, employees were often also patients of Lankenau.

On August 15, 2016, Terrell accessed a coworker's home phone number in the MLH system. Seven days later Terrell accessed it again. Generally, employee phone numbers are kept in a list on a clipboard in the OR. However, the clipboard had been missing on both occasions.

MLH Policies

As a medical provider, MLH is subject to the privacy regulations under the Health Insurance Portability and Accountability Act (HIPAA). In particular, MLH has a number of policies and processes designed to ensure the privacy of patient information and compliance with HIPAA:

  • Confidentiality Policy – requires employees to safeguard various types of private and/or protected information. Employees have to sign a confidentiality statement that they will only access patient/employee information “about whom I have business need to know.”
  • Code of Conduct and Behaviors that Undermine a Culture of Safety (“Code of Conduct”) – prohibits unauthorized disclosure, access, and/or release of confidential information and Protected Health Information (PHI), and prohibits unauthorized use of the MLH systems.
  • Annual HIPAA training and testing – employees are required to complete annual HIPAA training and testing, which includes explanations and examples of the HIPAA compliance rules such as:
      • PHI under the MLH policy includes “any information identifiable to a patient” such as name, address, email, etc.
      • The patient must authorize disclosure unless it is needed for treating the patient, patient payment, or health care operations.
      • Employees are instructed, and acknowledge, that they must “access only information you need to do your job” and “use the information to perform your job only.”

To monitor for compliance, MLH implemented privacy monitoring technology. The technology monitored employee system usage for access to Personally Identifiable Information (“PII”) and/or PHI to identify usage that is not based on legitimate business purposes.
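The article does not describe how MLH's monitoring technology works. The following is an added illustration, not MLH's product or code, of the kind of rule such a tool applies: it reads a constructed access log, flags a staff member's access to a fellow employee's sensitive demographic fields when that record is not on the user's work schedule for the day, and raises a second alert when the same record is hit again within a window (mirroring the two accesses seven days apart in this case). The usernames, record ids, schedule, and log lines are all assumed sample data.

```python
"""Sample privacy-monitoring rule for employee-as-patient record access.
All directory, schedule and log data below is constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed staff directory (username -> role).
STAFF = {"gterrell": "OR_SECRETARY", "jdoe": "OR_NURSE", "psmith": "BILLING"}
# Constructed OR schedule: date -> patient record ids legitimately worked that day.
OR_SCHEDULE = {"2016-08-15": {"P1001", "P1002"}, "2016-08-22": {"P1003"}}
# Constructed mapping of patient record id -> username, for patients who are also staff.
EMPLOYEE_PATIENTS = {"P2001": "jdoe"}
# Fields whose access outside a work context is worth an alert.
SENSITIVE_FIELDS = {"home_phone", "ssn", "dob", "address", "insurance"}

# Constructed access log, one event per line: timestamp|user|record_id|field
ACCESS_LOG = """\
2016-08-15T09:12:00|gterrell|P1001|insurance
2016-08-15T10:03:00|gterrell|P2001|home_phone
2016-08-16T11:30:00|psmith|P1001|insurance
2016-08-22T14:41:00|gterrell|P2001|home_phone
"""

def parse(log_text):
    """Yield one dict per log line."""
    for line in log_text.strip().splitlines():
        ts, user, rec, field = line.split("|")
        yield {"ts": datetime.fromisoformat(ts), "user": user, "record": rec, "field": field}

def flag_events(log_text, repeat_window_days=30):
    """Return alert strings: one per unjustified access to a coworker's sensitive
    field, plus a repeat alert when the same user returns to it within the window."""
    alerts, seen = [], defaultdict(list)
    for ev in parse(log_text):
        subject = EMPLOYEE_PATIENTS.get(ev["record"])
        if subject is None or ev["field"] not in SENSITIVE_FIELDS:
            continue  # not a coworker's record, or not a sensitive field
        day = ev["ts"].strftime("%Y-%m-%d")
        if ev["record"] in OR_SCHEDULE.get(day, set()):
            continue  # record is on that day's OR schedule: plausible business need
        alerts.append(f"{day} {ev['user']} accessed coworker {subject} {ev['field']} without work context")
        key = (ev["user"], subject)
        prior = [t for t in seen[key] if ev["ts"] - t <= timedelta(days=repeat_window_days)]
        if prior:
            alerts.append(f"{day} repeat access by {ev['user']} to {subject} ({len(prior) + 1} in {repeat_window_days}d)")
        seen[key].append(ev["ts"])
    return alerts

if __name__ == "__main__":
    for alert in flag_events(ACCESS_LOG):
        print(alert)
```

A real deployment would draw the "work context" from more than one source (schedule, billing queue, assigned unit) and route alerts to the privacy officer for the documented follow-up the article describes.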

© 2024 ALM Global, LLC, All Rights Reserved.