HIPAA Compliance Strategies

Featured Health Business Daily Story

June 17, 2008

Loss of Patient Information at University Hospital Reveals Risk of Acquiring Physician Practices

Reprinted from REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

A picture is worth a thousand words, the saying goes. So it was no surprise that a University of Florida-Jacksonville plastic surgeon saved digital images of his patients. The problem was that the photographs were unsecured and stored on a computer, in violation of UF's privacy and security policies.

If that wasn't bad enough, the surgeon, who treated patients at Shands Jacksonville Medical Center, admitted that he gave the computer away. Although he was able to get it back, most of the data were lost when the operating system was nuked, not the correct way to dispose of protected health information (PHI), according to UF.

Lesson learned for compliance officials: The fact that UF had purchased the plastic surgeon's practice, including all his computer equipment that he personally acquired prior to joining UF, may have led to a mindset that the personal computer (PC) in question was still technically "his." Such physicians may also be more resistant to following your rules because they were formerly in private practice and are used to doing things their own ways.

UF made no attempt to hide the incident, which led to the plastic surgeon's resignation. On May 19, UF notified nearly 2,000 of his patients, issued a press release and posted a statement on its Web site describing what happened. It also made its privacy officer, David Behinfar, available to reporters to answer questions.

"Dr. Francis D.
Ong, a UF assistant professor of plastic surgery at the College of Medicine-Jacksonville, stored unsecured digital photographs of his patients on the computer as well as identifying information that may have included names, dates of birth, Social Security or Medicare numbers, and other private data, including some individual patient medical information," UF says in the announcement. "The patients involved were treated by Ong between approximately July 2005, when he joined UF, and December 2007."

In an interview with RPP, Ong's attorney, Michael Maddox, says the computer was non-functioning when he donated it, but he would not address whether Ong violated any policies in PHI storage or in giving the computer away.

Computer Held Photos, Billing Data

According to UF, the computer loss first came to light when the clinic administrator told Behinfar that when she asked Ong for photographs to provide to insurers to back up patient claims, he told her he had them on his computer, but that he no longer had the PC itself.

This would appear to be a violation of several UF policies. First, UF does not allow the storage of any PHI, including photos, on PCs. It must be kept on UF's secure servers, which have a variety of access controls and other protection not available on PCs. Also, there is no technology to encrypt photos, so that is why it was especially important that photos be kept on UF's servers, Behinfar says.

Secondly, if Ong disposed of the computer with the PHI by just giving it away, that was a violation of policies to ensure that PHI is disposed of through secure methods.

And thirdly, the PC was not technically his to donate. UF acquired his practice, including all his equipment, in 2005. "We basically just changed the name on the door," is how Behinfar described the arrangement.
Behinfar says he personally met with Ong, who, according to Behinfar, confirmed what the administrator had told him and promised that he would try to recover the computer from a family he said he had given it to.

Ong returned the PC days later, and it was sent to the university's Gainesville campus, where forensic experts examined it to determine if it was Ong's and whether it contained any PHI. They discovered that the operating system had been replaced, with much of the data gone, although there were "remnants" of some photographs remaining. Behinfar says Ong told him the family he donated the computer to did not view the data.

Photos Included Other PHI

It had been the doctor's practice, UF says, to take photographs of his patients, sometimes eight or 10 daily, as well as a photo of some part of their billing sheet or other document so that the photograph could be linked to the correct patients. This process itself is OK, as long as all the information is then moved to UF servers, which is what the other two physicians in the practice do, according to Behinfar.

This process of photographing parts of the record "really opened up the door to pretty much anything being on there," Behinfar says. "That's why we elected to notify all his patients."

After the letter was sent, Behinfar received about 60 calls. "People were pretty upset," he says. Behinfar noted that some of the patients were UF employees who had been treated by the surgeon.

Behinfar says it was not atypical for Ong to have given away the PC, as he is a leader in the Filipino community in Jacksonville and has regularly organized large donations, including many items donated by UF-Jacksonville itself, for annual shipments to the Philippines. He is listed as the chairman of the board of the Philippine Medical Society of Florida (East Coast chapter) on the organization's Web site.

"He was entirely cooperative. He never tried to hide anything," Behinfar says of Ong.
"He brought the computer in as soon as he could."

"We kind of felt bad about the whole thing, but this was a pretty big violation, to have PHI on your hard drive," Behinfar says. "These were sensitive procedures that some patients had [such as] breast reconstructions. This wasn't your typical [exposure] of names and addresses. These were photos."

It was clear, however, that "there was no malicious intent" on Ong's part, Behinfar says.

UF never took any formal disciplinary actions against Ong, although violations of this sort are severe enough to warrant termination, because Ong offered to resign from the physician group and from his teaching position at UF's College of Medicine in Jacksonville. The resignation was effective May 31.

However, Maddox says Ong had already decided not to renew his contract, which was valid until the end of June, but agreed to resign prior to that date. He says he did not know whether Ong had already notified UF of his decision not to renew the contract prior to this incident. When questioned about this, Behinfar says there is no record of Ong ever having given UF notice that he did not plan to renew his contract or resign prior to this incident.

Often, first-time offenders or minor HIPAA violators are retrained and allowed to continue working, but in Ong's case training would have been inadequate, Behinfar says.

"The storage of the patient information on his hard drive and disposal of the computer was in violation of UF policy," Behinfar tells RPP. "HIPAA retraining would not suffice for a violation for this type of incident."

Behinfar says he was surprised, after all this time since the privacy and security rules went into effect, and after all the training and education he has done, that an incident of this magnitude could have occurred. UF has had several breaches before, but none this large, he says. He speculates that part of the reason might be because Ong started with UF after being in private practice.
But Behinfar took steps to ensure compliance, he says. "When they first opened [under UF's ownership], I went there; I gave them my business card, I pointed out where all our [HIPAA] resources were," Behinfar says. Ong attended a day-long HIPAA training session along with other UF personnel, as well as completed online training, he says.

Behinfar warns that this mindset of the formerly independent physician is something that other compliance officers should be aware of, as so many hospitals have acquired physician practices over the years.

UF Reviewed Procedures After Incident

In the statement, Robert Nuss, dean of UF's Jacksonville campus, says the university "deeply regret[s] this event and apologize[s] to our patients who it may have affected. We have taken steps to prevent incidents of this type from occurring in the future and are continuing to educate our physicians and staff on our electronic data storage policies."

The steps included retraining Ong's colleagues as well as staff, Behinfar says. "We have reviewed all of the electronic data collection, storage and access issues at the plastic surgery clinic where Dr. Ong practiced. The staff at that location has also been formally retrained and advised on all of the university's electronic data policies to ensure compliance," he says.

"We have been taking additional steps to reinforce these policies with staff and physicians through communication of these policies in meetings, committees and through individual consultations with departments and individuals," Behinfar adds.

He added that UF is not making any changes in its policies after this incident. "UF has sufficient policies, education and training on the storage of electronic data," he says. "No policy changes will be made. We are taking this opportunity to reinforce these policies and this event with faculty, staff and residents."
Although Ong's actions had to do with UF policies on desktop computers, nationally many PHI breaches have occurred due to a theft or other loss of laptops. Portable devices are often seen as the most vulnerable to data loss. UF also has policies for laptops that seek to protect the data, including mandatory encryption.

Behinfar says there are no restrictions on "which doc gets laptops or how many." Asked if they are allowed to take them home, he says, "As laptops are intended to be portable docs may take them with them to locations off campus." Some physicians are also permitted to access UF's main servers through a virtual private network while at various UF locations, as approved by UF information security folks. But he adds that "they typically do not have access through laptops."

"We have an inventory of laptops and have detailed records on
the encryption of laptops for the campus," he says. The university
has audited compliance with UF policies with respect to laptops. The
Jacksonville campus participated in this audit.