I was recently completing an annual privacy/security physical inspection for our department and reflected on the Health Insurance Portability and Accountability Act (HIPAA) and some lessons that we have learned over the past couple of years. Compliance has been expensive, especially from the information technology perspective, but who can complain given the explosion of identity theft by greedy hackers? Providers complained that we already were sensitive to patient privacy and these new regulations would adversely impact practice. At University of North Carolina Hospitals, policies and procedures were written, initial educational sessions conducted, and annual on-line remedial refresher courses mandated. Regrettably, I am aware of several breaches of patient confidentiality here and at nearby institutions, despite efforts to sensitize staff to the issue of patient privacy and HIPAA. I thought I would share 3 "case studies" for your reflection and self-assessment of your practices and those of your colleagues.
At a nearby institution, a VIP was being seen in a clinic to evaluate an unknown medical condition. Interest by the press and the visibility of this nationally prominent celebrity triggered an IT review of the electronic medical record, and scores of inappropriate "hits" were documented. One provider was approached regarding a hit using his password, and he suggested that someone had stolen his ID and password (we considered him still responsible). Further investigation revealed all the screens that were viewed, as well as the computer IP address of the terminal from which access was gained, which turned out to be his home personal computer using an external Internet provider. Big Brother is alive and well!
In a second case, a student entered a room to talk with a patient regarding changes in her therapy. The patient introduced her guests as family members to the visiting student. The student then announced that he was going to review the patient's new HIV drug regimen, only to be told that the family had not been made aware of her medical condition. It was an honest mistake based on an inaccurate assumption, but the damage had been done.
Finally, a disgruntled patient was insisting to a pharmacist that she had requested refills using an automated telephone system days before and was unhappy that the filled prescriptions were not ready. After a brief investigation, the pharmacist returned to the counseling booth with a computer log that records all automated refill requests. When the pharmacist showed the log to the patient to verify that the refill request had not been placed on the date the patient claimed, the patient asked, "Should I be seeing information about other patients? Has anyone seen my printout?"
We have begun to discuss patient confidentiality at every staff meeting to keep the sensitivity heightened. Are your colleagues aware of the potential consequences of a HIPAA violation? Are they covered for fines and civil lawsuits by hospital or private insurance? Are documents appropriately stored or destroyed? Are we cautious about forwarding private health information to inquiries regardless of the source? Is it time we all reflected again on HIPAA and confidentiality?
Mr. McAllister is director of pharmacy at University of North Carolina (UNC) Hospitals and Clinics and associate dean for clinical affairs at UNC School of Pharmacy, Chapel Hill.