
HIPAA extends to gossip as well as to searching out dirt on an ex-spouse

Getting staff to maintain patient confidentiality goes much further than getting them to protect electronic data.

A significant risk for offices is just plain talk. A staffer tells a friend about a patient’s condition. Or there could be actual malice where a staffer looks up information on an ex-spouse. Or there could be innocent talk where a staffer in one office tells a staffer in another office about a patient’s condition.

“Health care is confidential,” says Rodney K. Adams, a health care attorney with LeClairRyan in Richmond, VA. If it’s protected information, it has to be protected.

The problem is a human one

Breaches happen because of lapses in data security, but they also happen because people are human, Adams says.

Offices follow HIPAA’s requirements on setting policies and procedures, but over time, the attitude becomes one of “well, we all know what we’re supposed to do,” and the continued education and ongoing reminders fall by the wayside.

“That’s where it breaks down,” he says. Staff forget about the seriousness of giving out patient information and the strictness of HIPAA’s requirements, and they start talking about patients with each other or with friends.

It doesn’t matter that what’s said was not intended to cause harm or maybe even was conveyed with good intentions. It’s a breach of privacy.

More than just HIPAA

And with patient privacy breaches, there’s danger from more than just HIPAA, Adams says. There’s the risk of getting sued.

The patient can sue the office for negligence on the grounds that it didn’t enforce its policies and procedures or didn’t educate staff sufficiently or didn’t have ongoing education or maybe didn’t have policies and procedures to begin with.

And if the breach is a matter of idle gossip, not only can the office get sued, but the staffer who talked too much can get sued personally.

The claim might be that the patient’s reputation was harmed or that there was emotional distress or that the information caused the patient to lose a job or damaged the patient’s business. And the outcome can be anything. “The jury might say the damages are $100 or $5 million.”

All that is on top of the HIPAA penalties the office will have to pay.

In a nutshell …

HIPAA covers protected health information, which is “individually identifiable health information” that the office has or sends to another entity. That includes

  • demographic information
  • information about the patient’s physical or mental health
  • information about treatment
  • information about payment

When any of that information is released improperly and could harm a patient in any way, there is a breach of HIPAA privacy.

Does breach notification apply?

A question that arises when a staffer violates confidentiality is whether the office should notify the patient.

Adams points out that HIPAA’s breach notification rules clearly require notification when the breach involves electronic data. But the rules aren’t so clear when it comes to a single verbal breach of confidentiality.

The safest route, therefore, is to err on the side of caution and notify the patient. “That’s a hard thing to face,” he says. “But in the long term, it can reduce the fallout.”

The notification might state that the office respects and protects its patients’ privacy, that a breach has occurred, and that the office has taken steps to correct it.

Along with telling the patient, include the incident in the annual breach notification report to HIPAA.

That’s just “safer practice,” he says.

The purpose of HIPAA is to maintain privacy, and the office’s confidentiality policy needs to include every possible privacy violation, including verbal release of information. Thus, for true compliance, the office should report a verbal breach.

Disciplining the staffer

What sort of discipline is appropriate for the talkative staffer?

If the information was released intentionally or if the staffer knew the release was improper, the discipline should be firing, Adams says.

But let the discipline fit the offense. If the release was unintentional and the damage minimal, counseling and follow-up might be appropriate.

Two protective measures to take

For breach prevention and protection, the manager needs to do two things.

One is to review the privacy basics with staff throughout the year. Remind them that they cannot discuss patients amongst themselves or with friends or family and that violations can result in firing.

Along with that, have them sign the office’s confidentiality policy every year.

The second protective measure is to check the office’s professional liability policy to make sure it covers breach of confidentiality. Many policies exclude confidentiality breaches. If that’s the case, the office needs to get a rider for that coverage.

The problem of loose lips

Privacy is nothing new, Adams notes.

He gives the example of a court case that occurred several years before HIPAA where a hospital employee was a patient in a nearby office.

An office staffer discussed the patient’s condition with an employee at the hospital. And the patient sued and won. The court said the duty to maintain privacy extends throughout the health care setting.

That case, he says, “demonstrates the problem of loose lips among health care providers.”

