By Matt Fisher, Esq
Twitter: @matt_r_fisher
Stories appear almost everyday about medical records being improperly accessed, hacked or otherwise being stolen. The number of stories about such thefts is almost matched by the number of stories about the high value placed upon medical records by identity thieves and others. This confluence of events highlights the pressure being faced by the healthcare industry to protect the privacy and security of medical records in all forms.
While stories about hacking and other outside attacks garner the most attention, the biggest threat to a healthcare organization’s records is most likely an insider. The threat from an insider can take the form of snooping (accessing and viewing records out of curiosity) to more criminal motives such as wanting to sell medical information. Examples of criminally motivated insiders, unfortunately, are increasing.
One recent example occurred at Montefiore Medical Center in New York where an assistant clerk allegedly stole patient names, Social Security numbers, and birth dates from thousands of patients. The hospital employee then sold the information for as little as $3 per record. The individuals who acquired the information used it to allegedly go on a shopping spree across New York for over $50,000.
Another recent example comes out of Providence Alaska Medical Center in Anchorage, AK. In Anchorage, a financial worker at a hospital provided information about a patient to a friend. Unfortunately, that friend he had injured for which he was under criminal investigation. The friend wanted to know if either of the patients had reported him to the police. Clearly, the access by the financial worker was improper.
While it could previously be said that instances of criminal convictions or indictments were rare, the examples do appear to be coming with increasing frequency. What should organizations do? Is this conduct actually preventable? As is true with HIPAA compliance generally, the key is to educate and train members of an organization’s workforce. If someone is unaware of HIPAA requirements, it is hard to comply.
However, it can also be extremely difficult to prevent criminal conduct altogether. If an individual has an improper motive, that individual will likely find a way to do what they want to do. From this perspective, organizations cannot prevent the conduct, but should consider what measures can be taken to mitigate the impact of improper access or taking of information. It would be a good idea to monitor and audit access or use of information to be able to catch when information could be going out or otherwise accessed when not appropriate. Overall, the issue becomes one of how well does an organization monitor its systems and take action when a suspected issue presents itself.
About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.