HIPAA Compliance Strategies

Remote Access Project Reveals Serious Flaws in Physician Privacy Compliance

Reprinted from the February 2006 issue of REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

With all the talk about electronic connectivity, and a push coming straight from the White House, it is easy to understand why officials at Hu Hu Kam Memorial Hospital wanted to help their doctors get wired. But they got an unexpected reaction to their offer of free laptops to connect to the hospital's information system: virtually no takers.

Why the lack of enthusiasm? Apparently the addition of a laptop would have meant physicians had to start thinking about the security rule; it seems many were still struggling with how to meet the requirements of the privacy rule and "had turned a deaf ear to security," says Frank Ruelas, compliance officer for the Gila River Health Care Corp., the hospital's parent company.

Most hospitals would agree they want their physicians to have access to appropriate patient records, but many are grappling with how to control their reach within the electronic bowels of the hospital. There are differences in interpretation of the privacy rule and whether it requires facilities to limit physician access. While the rule allows for the complete and unfettered sharing of information for "treatment, payment or health care operations," it could be argued that systems should be in place that block access except to specific patients.

In contrast, some hospital officials are comfortable with an honor system of sorts, and take measures to monitor and admonish physicians who tap into records of patients with whom they do not have a treatment relationship. This can become an issue, for example, when a celebrity or well-known person is hospitalized.
At Gila River, the referring physicians would have been given full access that was determined to meet their needs, but they had to use the hospital's equipment. But by delving into the idea of access for referring physicians, Ruelas got an unexpected glimpse into the world of physician HIPAA compliance and the sense that all is not well.

Physicians Seemed Interested...at First

Gila River had not allowed any of the health system's referring physicians to access the hospital's medical records from their own offices or from other remote locations. The hospital feared letting physicians use their own computers, laptop or otherwise, to access the hospital's databases because, while the hospital could require certain types of technology and other measures be in place to comply with the privacy and security rules, there was no way it could guarantee compliance.

"We wanted to ensure that information is safeguarded at that point of receipt," Ruelas says. The laptops the hospital provided seemed an ideal solution: They are equipped with state-of-the-art security software, including encryption and biometrics. They have a timed log-out and a thumb-print identification system.

The laptops could lead to improvements in quality of care, reduction of errors and greater efficiencies, making them well worth the investment, Gila River officials believed. "Even I could do the cost-benefit analysis, with my fingers," Ruelas says.

Gila River officials hold quarterly meetings with representatives of all referring physicians "to see if there is anything we can do to help them," Ruelas says. About 18 months ago, he asked the group if they would be interested in a laptop. "About half the people raised their hands. So we said let's get several. I told my bosses, 'Don't be surprised if I come back to you next year asking for more laptops.' We wrestled with this idea for a long time. [The laptops] relieved us of some of our anxieties," he adds.
The hospital system consulted with attorneys on the precautions necessary to avoid running afoul of anti-kickback laws. These included offering the laptops to all physicians who referred to the hospital, regardless of the patient volume. And the laptops had to be used only for this purpose, and not reused for some other project. "We really did our homework," Ruelas says. "We spent a significant amount in hardware and software" plus staff time.

Mini-databases Controlled Access

In addition, measures were developed to control access for these referring physicians. Hospital IT personnel developed mini-databases based on physician specialty, Zip codes of likely patients and patient gender. It was assumed, for example, that obstetrician-gynecologists would not need access to the records of male patients.

Physicians who wanted to use the system would each have a unique user ID and password, and their navigation through the system would be tracked. These physicians are not able to access billing, demographic or other non-clinical information, Ruelas explains.

"We were toying with the idea of also basing [restrictions] on patient age because we have so many patients who have similar names," Ruelas says. However, Arizona law requires notification when certain data, including date of birth, are accessed by an unauthorized person. Officials chose not to include birth data to avoid triggering this law for every inadvertent access that might have occurred. Gila River patients are not identified by their Social Security numbers but are assigned a random number generated by a computer.

Developing the mini-databases was seen as a way to allow appropriate access while not overloading the whole hospital IT system with multiple users or requests. Staff physicians who provide primary care at the hospital and outpatient clinic are given broader access to clinical patient data.
After the laptops were outfitted to the specifications of the system's security gurus, Ruelas invited representatives of the offices to a demonstration. "We fired up the laptop, looked for a hot spot and we had one of the physicians who had an Internet account log in. We did a walk-through," Ruelas says. "We showed them that the e-mail system uses encryption, we showed them how secure the information was." The laptops were even insured, so if they were damaged, the physicians would not be responsible in most situations.

But only one office, out of several dozen, took the laptop. "They said, 'Before we [accept the laptop], we need to get our house in order,'" Ruelas recalled. One physician admitted that his office "hadn't done jack" to comply with the security rule, Ruelas says.

"One of the reasons they told me [for not taking a laptop] was they didn't realize the responsibility they would be sharing, if the information was accessed without authorization, that someone could file a complaint" with federal enforcement agencies, Ruelas says. "They said they would rather just keep faxing," he says.

Dumpster Story Sparks Fear

The lone physician who took the laptop, an orthopedist, found that the computer "worked beautifully." But after about eight months, the physician called Ruelas and asked him to come to his office. The physician had read about an incident in which a doctor closed his office and just dumped his paper charts, unshredded, into a dumpster. For some reason, the orthopedist began to worry that having the laptop made him more vulnerable to a similar violation.

"When he heard about this incident, he said, 'Oh, my God, I have a laptop.... I can't put my entity at risk like this.' Finally I said, 'I can't argue with you,' and I took the laptop out."

The hospital might try again in the future. For now the laptops remain in storage in the IT department. "Physicians have this hesitancy in dealing with technology," Ruelas adds. "Some of them don't have electronic health records. They are not really diving in yet. It's too bad that we had this pushback, given that we were doing so much to help them," he says.

Ruelas is philosophical about the experience and thinks eventually the physicians will come around. "It is going to have to happen sometime," he says. "The first step is probably the most painful."