I was recently completing an annual privacy/security physical inspection for our department and reflected on the Health Insurance Portability and Accountability Act (HIPAA) and some lessons that we have learned over the past couple of years. Compliance has been expensive, especially from the information technology perspective, but who can complain given the explosion of identity theft by greedy hackers? Providers complained that we were already sensitive to patient privacy and that these new regulations would adversely affect practice. At University of North Carolina Hospitals, policies and procedures were written, initial educational sessions were conducted, and annual on-line remedial refresher courses were mandated. Regrettably, I am aware of several breaches of patient confidentiality here and at nearby institutions, despite efforts to sensitize staff to the issue of patient privacy and HIPAA. I thought I would share three "case studies" for your reflection and self-assessment of your practices and those of your colleagues.
At a nearby institution, a VIP was being seen in a clinic to evaluate an unknown medical condition. Interest by the press and the visibility of this nationally prominent celebrity triggered an IT review of access to the electronic medical record, and scores of inappropriate "hits" were documented. One provider was approached regarding a hit made with his password, and he suggested that someone had stolen his ID and password (we considered him responsible nonetheless). Further investigation revealed all the screens that were viewed, as well as the IP address of the computer from which access was gained, which turned out to be his home personal computer connecting through an external Internet provider. Big Brother is alive and well!
In a second case, a student entered a room to talk with a patient regarding changes in her therapy. The patient introduced her guests as family members to the visiting student. The student then announced that he was going to review the patient's new HIV drug regimen, only to be told that the family had not been made aware of her medical condition. It was an honest mistake based on an inaccurate assumption, but the damage had been done.
Finally, a disgruntled patient was insisting to a pharmacist that she had requested refills using an automated telephone system days before and was unhappy that the filled prescriptions were not ready. After a brief investigation, the pharmacist returned to the counseling booth with a computer log that records all automated refill requests. When the pharmacist showed the log to the patient to verify that the refill request had not been placed on the date the patient claimed, the patient asked, "Should I be seeing information about other patients? Has anyone seen my printout?"
We have begun to discuss patient confidentiality at every staff meeting to keep the sensitivity heightened. Are your colleagues aware of the potential consequences of a HIPAA violation? Are they covered for fines and civil lawsuits by hospital or private insurance? Are documents appropriately stored or destroyed? Are we cautious about forwarding private health information to inquiries regardless of the source? Is it time we all reflected again on HIPAA and confidentiality?
Mr. McAllister is director of pharmacy at University of North Carolina (UNC) Hospitals and Clinics and associate dean for clinical affairs at UNC School of Pharmacy, Chapel Hill.