HIPAA Compliance Strategies

Nosy Employees Are a Major Privacy Risk, Require a Wide Range of Remedies

Reprinted from the August 2005 issue of REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

To protect the privacy of patients who are particularly vulnerable to nosy employees, such as celebrities and employees treated at their employer-hospital, University of California — Davis Health System has added a warning screen to its electronic medical records (EMR). It requires employees to stop and consider their motives before entering the inner PHI sanctum.

How does this curiosity neutralizer work? When employees start to access EMRs, they are forced to review the content of the additional warning screen, which reminds them that the files inside contain confidential PHI, and requires employees to state their reason for looking at the EMR and enter their password, says Rory Jaffe, compliance and privacy officer. Employees must also sign the following statement: "I have a legal obligation to keep confidential all information concerning patients and will not intentionally attempt to gain access to patient records that are not needed for the performance of my duties. By accessing this record, I am acknowledging that I understand and agree to the above statement. Any violation of this agreement is grounds for immediate disciplinary action, which may include suspension or termination."

This is called a "break the glass" functionality. "This warning screen seems to be enough to stop many improper accesses," says Jaffe, who is able to see each page viewed, and can tell when people stop at the "break the glass." However, warning screens are limited to the EMRs of celebrities and employee-patients because the extra step slows work down, he adds.

The warning screen helps reduce the risks that arise from the convergence of human curiosity and the large number of people who have the ability to access PHI. Curiosity appears to be one of the main causes of privacy breaches, and privacy officers say they specifically address these risks in training and other communication tools — intranet, newsletters, posters, e-mail messages, in-services, speeches, meetings, etc.

Privacy officers also audit to check for unauthorized accesses, with an emphasis on nosy employees who look up medical records for no reason other than satisfying their curiosity.

"We specifically target employees when it comes to [nosiness]," Jaffe says. "You want to develop a culture where people believe you can't do this sort of thing and reinforce that." This requires a constant feedback loop — where employees repeatedly hear the same message (e.g., there are consequences of nosiness) and then they see colleagues suffer the consequences. "You're continuously working on this sort of thing. It's not a quick, one-time solution."

UC-Davis also does "rolling" audits in real time, or close to real time on the back end, after accesses have occurred, to catch anything that's slipped through its break-the-glass functionality. Jaffe calls them rolling audits because, with 7,000 employees, the only way to hit everyone at some point is to bite off one chunk at a time. "There are a zillion accesses a day," he says.

So Jaffe and staff work their way through the work force by job title (e.g., all front-office staff, all doctors, all nurses). Separate audits are done with different filters. One example: Employees who access the EMRs of patients with the same last name. "If the patient is a relative, we interview the relative to find out what happened," says Jaffe, who moves fast before memories fade.
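The job-title "chunks" and the same-last-name filter described above, as an added illustration that is not code from the article or from UC-Davis: a small audit-trail review over constructed access records, with a second filter for restricted charts opened without a recorded break-the-glass reason. The field names, job titles and sample rows are all assumed for the example.

```python
from dataclasses import dataclass

# Added example, not the article's or UC-Davis's code. Field names and
# sample rows are constructed to illustrate the audit filters described.

@dataclass(frozen=True)
class AccessEvent:
    user: str            # employee login
    user_last: str       # employee's last name
    job: str             # job title used to pick the audit "chunk"
    patient_last: str    # patient's last name on the chart accessed
    restricted: bool     # chart flagged (celebrity or employee-patient)
    btg_reason: str      # reason typed on the break-the-glass screen, "" if none

# Constructed sample trail: four accesses on one day.
SAMPLE_TRAIL = [
    AccessEvent("jsmith", "Smith", "nurse", "Jones", False, ""),
    AccessEvent("jsmith", "Smith", "nurse", "Smith", False, ""),
    AccessEvent("rlee", "Lee", "front-office", "Garcia", True, ""),
    AccessEvent("mdoe", "Doe", "physician", "Garcia", True, "attending physician"),
]

def audit_chunk(trail, job):
    """One 'rolling audit' slice: every access made by one job title."""
    return [e for e in trail if e.job == job]

def same_last_name(trail):
    """Filter from the article: employee and patient share a last name."""
    return [e for e in trail if e.user_last.casefold() == e.patient_last.casefold()]

def restricted_without_reason(trail):
    """Restricted chart opened with no break-the-glass reason recorded."""
    return [e for e in trail if e.restricted and not e.btg_reason.strip()]

def review_queue(trail, job):
    """Users in one job chunk who tripped either filter, for follow-up interviews."""
    chunk = audit_chunk(trail, job)
    flagged = same_last_name(chunk) + restricted_without_reason(chunk)
    return sorted({e.user for e in flagged})

if __name__ == "__main__":
    for job in ("nurse", "front-office", "physician"):
        print(job, review_queue(SAMPLE_TRAIL, job))
```

A hit on either filter is a lead to interview, not proof of a breach; as the article notes, a same-name access may have a legitimate explanation.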

Since the privacy rule took effect in April 2003, UC-Davis has fired six employees, demoted one, suspended one for a month without pay and retrained 80 — and virtually all of these cases were related to this type of inappropriate access.

The 'Three Cs' Motivate Nosy People

Why do nosy employees break the rules to look at PHI they shouldn't? Living vicariously through other people? Worrying about a loved one's medical condition? However you describe it, it boils down to the simple truism: "It's just human nature." But when he conducts training, Frank Ruelas, compliance officer at Gila River Health Care Corp. in Arizona, breaks down the motives for nosy unauthorized accesses to these three "Cs" that employees can remember:

• Curiosity: This is perhaps the simplest motive for employees nosing into medical records. Employees want to satisfy innate curiosity — "to be able to say 'I know something you don't know,'" Ruelas says.

• Concern: Employees may know a patient and be worried about him or her. Or if they or a family member is having the same procedure soon, they may want to peek at the medical records and see how a similar case went. Sometimes, they may be anxious about whether a friend or relative received inappropriate care and want to check out the chart.

• Compassion: This is a tricky one because employees generally have good motives at heart (e.g., it can be difficult to refuse to reveal PHI to a clinician who has saved someone's life and simply wants to know what happened to the patient). For example, there are situations in which ER nurses attach portable, battery-powered ventilators to injured babies to help them breathe while they are transported to another facility that's equipped to handle their emergencies. These nurses "have a compassionate need to know that a child is okay," Ruelas says. "We are finding it very tough to tell them they cannot [have] that information out of confidentiality. [We tell them] we understand you have a sense of compassion for that patient — you wouldn't be a good nurse or doctor or technician if you didn't care, but you must respect patient privacy," he says.

Even when employees understand HIPAA rules, bad habits die hard. "People have done these things for so long," Ruelas says, referring to practices like looking up a sick colleague's medical condition, or a husband's lab results, or any of the other nosy things people should never have done anyway but are now clearly forbidden under HIPAA. "HIPAA's only been around since 2003, and old habits are hard to break," he says.

One factor that may change behavior is the prospect of getting caught, and electronic medical records with audit trails allow privacy officers to gather irrefutable evidence of privacy breaches. "We have audit trails of employees who access EMRs so we can find out who attempts to access them," and which employees have no need to access them, Ruelas says. If a secretary peeks at some celebrity's EMRs, there's no deniability — and there's no plausible reason why a person in that job would need access.

But EMR trails can't trap employees who are gossiping orally, and that's the juiciest kind, Ruelas says. "They are unlikely to be caught," he says. So "when they do the initial inappropriate access, we drop the hammer."

Discipline Is Critical for Confidence in Facility

All privacy officers interviewed agreed that it's critical to discipline these abuses aggressively. The offending employee — and everyone else — must know the covered entity (CE) has zero tolerance for nosiness. If employees think they can get away with snooping into other patients' medical affairs — family, friends, ex-spouses, adult children, celebrities, neighbors, other employees — what happens when those very employees become patients? They know how well their own employer deals with the pervasive problem of nosiness. "Our employees are our patients. You need confidence that when you're a patient, [your privacy is protected.] We are very decisive. We discipline firmly," Ruelas says. "If we fail, it doesn't allow us to enforce. We take training so seriously."

Ruelas finds that, with nosiness, the most effective concept is always to ask employees to put themselves in the other person's shoes. How would you feel if someone were looking through your medical records for non-professional reasons? How would you feel if someone were gossiping about the most sensitive medical secrets of your mother, father or daughter?

Here are some of the other techniques Ruelas uses to ensure privacy issues are addressed properly at Gila River Health Care:

• Auditing the minutes of department meetings (e.g., registration, outpatient departments) can ensure that department heads communicate privacy messages, as instructed at department head meetings. For example, Ruelas may tell managers at a department head meeting to educate employees not to write down passwords and post them on their computers. Then he will randomly choose three departments and review the minutes from their subsequent department meetings to verify whether a manager discussed the passwords with employees. He checks three sets of minutes a month. When a topic has greater importance to certain departments — for example, badging is more critical to medical records — he makes sure to pull their meeting minutes.

• Vivid posters in the patient lobby remind everyone of the dangers of indiscretions with PHI. One poster depicts a man with huge ears, sitting and eating his lunch while people nearby discuss a patient in loud voices. The man becomes an unwilling recipient of sensitive patient information, when he is merely trying to enjoy a peaceful lunch. The poster is a metaphor — reminding employees to speak softly and protect the sanctity of patient PHI, and that when they hear things they don't want to hear, they should try to get away from the undesired information or even intervene to stop the loud-mouths from compromising a patient's PHI.

• CE newsletters contain privacy reminders. Gila River Health System's newsletter has a section called "Compliance Corner," so every issue includes privacy reminders.

• Take advantage of special opportunities. As part of its JCAHO self-rating process, Gila River has a little mini-mall set up in a large conference room with booths on all kinds of JCAHO topics, such as infection control, quality management and privacy/confidentiality. Ruelas uses this opportunity to set up a HIPAA game with questions and answers.

Training Scenarios Focus on Nosiness

Kelley Meeusen, privacy officer at Harrison Hospital in Bremerton, Wash., says the total number of privacy complaints at his facility is low, but a high percentage of them concern nosiness. To fight back this primal human impulse, he focuses training on some fundamental concepts, and tries to make them as concrete as possible. "We put a lot of emphasis on respect for the individual and respect for ourselves as keepers of this highly sensitive information," Meeusen says.

At the organization level, employees are trained on privacy and security as concepts, and at the department level, they tackle specific policies and procedures. "We boil it down to the simplest principles: The individual has a right to privacy. You want your rights respected, and so do they," he says. "And we make a huge connection between privacy and patient safety." To accurately diagnose and treat patients, they must be completely forthcoming about their medical histories and conditions — even when it's embarrassing (e.g., sexually transmitted diseases, drug use), Meeusen says. If patients lack confidence in a provider's ability to protect the privacy of their PHI, they may not disclose critical health information to the doctor, and that affects patient safety, he says. "By protecting privacy, you improve the likelihood that patients will reveal their deepest [secrets] about their health status."

Employees are pushed to make connections between their actions and consequences. Stop and think, he urges them; turn off your computer screen so people can't see patients' secrets.

Meeusen developed a series of scenarios for training, and because nosiness is the prime cause of privacy breaches, his scenarios heavily target the evils of nosiness.

Electronic medical records are the mother lode of evidence against nosy employees, but also create new risks. For example, LRGHealthcare in Laconia, N.H., now shares EMR with area physicians, which "is great" but carries new risks privacy-wise, because there's a wealth of PHI at so many people's fingertips, says Sarah Schoonman, director of health information management and privacy officer. "We have an audit trail so we can check [for unauthorized access], but it remains a challenge" because you have to audit the audit trails, she says. There's no way to tell which accesses were appropriate without an audit. "Maybe if on the surface it's not appropriate, you wonder. But there could be a good reason," Schoonman says.

Training is critical because there is so much information available to people who work in hospitals and practices. They can't help seeing or hearing personal information, Schoonman says. "We try to discourage people from hearing things. They should stop it from happening if they can," she says. "Physicians will often forget that discussions with colleagues are taking place in areas where they can be overheard, such as hallways or dining rooms. We try to make people aware about not innocently discussing patients."

Employees are urged to contact her by phone or e-mail if they see any inappropriate behavior. The organization's Notice of Privacy Practices also tells patients where to call to report problems.

Copyright © 2008 by Atlantic Information Services, Inc. All rights reserved.