How would Your Practice Protect Kim’s Information?
By Ron Sterling
Recently, several employees of Cedars Sinai Medical Center were fired for improperly accessing the Protected Health Information (PHI) of Kim Kardashian (a reality TV personality) who went through her entire pregnancy with cameras in tow. You can be pretty confident that Kim will lament this invasion of her privacy for several episodes.
Regardless of the cameras and the patient's own dissemination of the information, the covered entity has no choice but to protect Kim's PHI under the HIPAA Privacy and Security Rules. This incident is a teachable moment for your practice and your staff, and a warning for both.
By September 23, 2013, your organization is required to have implemented the HIPAA Omnibus rules. If you are like many practices, you will also need to implement overdue changes for the HITECH rules. The HIPAA Omnibus rules dramatically affect the concept of a breach.
Kim’s situation illustrates the dilemma facing your organization under the Omnibus rules.
Under the pre-Omnibus rules, an impermissible use or disclosure rose to the level of a breach only if it posed a significant risk of financial, reputational, or other harm to the patient. In Kim's case, you could at least have had a discussion about whether there was harm. The employees would still have been sanctioned for violating your HIPAA Privacy Policies and Procedures, but the covered entity might have avoided a reportable breach and the potential penalties. Your practice might "reasonably" have taken the position that the disclosure did no harm, since Kim had the whole thing broadcast on cable TV. Before HIPAA Omnibus, there was no documentation requirement for such a harm analysis, and many covered entities did not keep documentation of their breach analyses. Kim could still file her own complaint (it makes great reality television), but in the pre-Omnibus era the covered entity might "reasonably" have avoided admitting to a breach unless Kim claimed otherwise. This is not a legal opinion, but it does illustrate the wide latitude covered entities had in the pre-Omnibus environment.
Under the HIPAA Omnibus rules, Kim's situation is clearly a breach. An impermissible use or disclosure is now presumed to be a breach unless the covered entity can demonstrate a low probability that the PHI has been compromised, and Kim's PHI was clearly compromised: covered entity staff accessed it without authorization and the information went out to unauthorized parties. But wait, there is more.
Under HIPAA Omnibus, you have to perform a risk assessment of every impermissible use or disclosure of PHI and keep the documentation. The rule names four factors for that assessment: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Indeed, Kim's breach could open your covered entity up to an examination of previous impermissible uses and disclosures, which could affect the actual penalty or even expose your organization to additional penalties for earlier events that were analyzed in a less than good faith manner.
This illustrates the importance of avoiding impermissible uses and disclosures of PHI through vigorous compliance efforts, effective training, and a practice culture that protects PHI from the events and behavior that could lead to a breach.
Under HIPAA Omnibus, impermissible uses and disclosures leave a documentation trail that can substantially affect your future breach risk and even your penalties.