Despite Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, incidental exposure of protected patient health information can occur in a myriad of ways that are easily overlooked. Common incidental disclosures might include sign-in sheets at the reception area that ask for too much information, receptionists asking patients about the reason for their visits, records getting sent to the wrong destination, healthcare providers discussing patient information in public spaces, and phone messages leaving excess information. But the use of information technology, electronic health records (EHRs), and electronic devices creates unique privacy challenges.
Russell Kohl, MD, a family physician practicing in Oklahoma and vice speaker of the American Academy of Family Physicians Congress of Delegates, says that safeguarding patient information goes far beyond adhering to HIPAA rules and regulations. “What I found to be most important is to instill in office and clinical staff a culture of commitment to the patient’s privacy,” he says.
Chris Apgar, an information security expert and CEO of Apgar and Associates LLC, says lack of care given to paper records is still a big issue, despite the move to EHRs. They are often inadvertently left on workspaces where unauthorized persons can easily see them—at the checkout counter, printer, or copying machine, for example.
Paper discharge summaries given to patients at the end of visits can be surprisingly problematic. “That has always bothered me because of the number of clinical visit summaries I’ve seen blowing around parking lots,” Kohl comments. One answer is to offer those summaries on a secured web-based patient portal. If patients do request paper copies, staff should point out they cannot protect patient information after it leaves the office.
Kohl also emphasizes appropriate archiving of paper medical records. “You have to protect archived paper records like you would active medical records,” he says. “They can’t just be in file boxes sitting in the basement somewhere, that anybody can walk past and open.” Instead, archive documents and files in secured locations, such as in locked rooms or storage bins, or at a records storage facility.
Unprotected patient information is often inadvertently visible to others on computer screens. “Screens may not be angled away or don’t have a privacy [cover],” Apgar says. Another major faux pas among staff, especially physicians, is failing to log off the computer when leaving their desks. “They set their auto log-off to 30 minutes, leave the room, and then bad actors—usually other employees—will come in and snoop. I would say for 95% of the clinics and hospitals I walk through, that’s an issue,” Apgar says.
Lost or stolen cellphones and tablets can end up in the wrong hands and compromise patient information. All laptops, cellphones, and email accounts used in clinical practice should be encrypted, says Apgar, because the Office of Civil Rights now considers this a reasonable safeguard and enforces it under the HIPAA security rule. “Lots of entities have been fined because of lost, unencrypted laptops,” Apgar says. Tools are now available to encrypt text messages. “At the very least, educate staff to send the least amount of information necessary via text,” Apgar suggests.
Apgar also recommends audit log monitoring to determine whether employees within an organization are inappropriately accessing patient records—such as another family members’ or ex-spouse’s or partner’s records. Apgar admits log analysis can be expensive (upwards of $12,000 per year), putting it out of reach for many smaller practices.
However, log monitoring can be done less expensively and doesn’t need to be complicated, he says. One simple technique, for example, is to work with EHR vendors to review logs and identify employees who look at records of patients with their same last name—probably belonging to relatives.
What about social media? Clearly, staff and clinicians should never post patient information or photos without written consent, but some situations fall outside of regulations. When Kohl was in solo community practice, he hosted a Facebook page primarily for patient education. A patient publicly posted some personal health information and asked for advice. Fortunately, Kohl’s practice actively monitored the site, deleted the post, and contacted the patient directly to explain why. “The job of everyone in my office is to create the most therapeutic relationship with patients and protect their privacy,” he concludes—beyond HIPAA rules and regulations.
- Instill a culture of commitment to patient privacy among staff
- Use a secured, web-based patient portal for patient–provider communication
- Perform periodic office/clinic walk-throughs to look for potential privacy violations
- Keep patient privacy on your staff’s radar at all times—through newsletters, emails, posters, and ongoing education
- Safeguard electronic devices and passwords; use encryption tools where possible
- Store records appropriately